krb5-sync 0.3 released

g.w@hurderos.org g.w at hurderos.org
Mon Jan 8 06:08:00 EST 2007


On Jan 5,  7:25pm, Russ Allbery wrote:
} Subject: krb5-sync 0.3 released

Hi Russ, hope your week is starting out well.  Greetings and similar
wishes to the rest of the list.

> I'm pleased to announce the initial public release of krb5-sync.
>
> krb5-sync is a toolkit for updating passwords and account status
> from an MIT Kerberos master KDC to Active Directory and/or an AFS
> kaserver.  It is implemented as a patch to kadmind and a plugin
> module that will push password changes and selected account flag
> changes to Active Directory or to a kaserver at the same time as
> they are made to the local KDC database.
>
> Please note that this is a toolkit, not a simple application.  You
> will at a minimum need to patch MIT Kerberos and build a new kadmin
> server library to make use of it, and the code has various
> peculiarities local to Stanford and will likely need changes for any
> other site.  We're making it available for feedback and to help
> other people with similar problems.
>
> My long-term hope is to standardize on a plugin interface that MIT
> is willing to incorporate, and then make this a more normal package
> that provides that plugin.  This is still some distance away,
> however.

Thanks for making this available for general use.  I'm glad to see
interest in enhanced Kerberos functionality and usability.

If anyone else is interested in working on extended Kerberos
functionality I just pushed a release candidate for our next release
onto the FTP server.  The following URL should fetch it:

        ftp://ftp.hurderos.org/pub/Hurderos/src/Hurderos-0.1.5-rc1.tar.gz

The source release has a plugin architecture for MIT/KRB5 we have been
developing against for the last two years.  In this release we split
the plugin support into separate KDC, KADMIN and CLIENT components.

The build process patches and builds a standard 1.4.4 MIT source
distribution to add plugin support.  The build process uses a KRB5
configure prefix of /opt/Hurderos/krb5.  If this directory is created
and writable as whatever identity you are building the sources as, the
installation/build process is pretty straightforward.

Untar the MIT source distribution in the same directory as the
Hurderos sources.  Change to the Hurderos source directory and type:

        make kerberos-install

The appsupport/kerberos/plugin directory contains code for sample KDC,
KADMIN and CLIENT plugins.  The plugins simply print messages when the
fulfillment hooks are called.  Their primary purpose is to provide a
framework for anyone who would like to implement their own
functionality.

Russ:

You may want to look at the test KADMIN plugin.  About 7 months ago
someone sent a note to the list about wanting to do ACLs for kadmind
with LDAP.  You had mentioned that Stanford may be interested in
infrastructure which used something besides the standard textfile
ACLs.

I wired up a fulfillment hook to offer alternate ACL processing after
I read those e-mails.  The KADMIN test plugin prints out the caller
principal, target principal and the requested action.  It would
probably take someone who is handy with a C compiler and LDAP about 10
minutes to set up an alternate ACL implementation for kadmind.

The Hurderos KDC plugin 'knows' how to do credentials self-generation
based on a KDC principal database entry.  This allows the KDC to
implement GSSAPI authenticated/protected connections to an LDAP
server.  That code should all be usable in a KADMIN plugin for the
same purpose.

I thought I sent an e-mail to you and the list mentioning this was
available but it may have fallen victim to SPAM filtering.

The plugin support should all be stable in rc1.  The full release is
waiting on full implementation of BEAF (Basic Encoding of
Authorization Function) payload encoding and token based
pre-identification.

> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

Best wishes for a productive week to everyone.

}-- End of excerpt from Russ Allbery

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"The couple is registered at Herbergers, Target and Fleet Farm."
                                - Wedding invitation
                                  West Central Minnesota


