Provisioning and administrative tools for MIT KDC

Marcus Watts mdw at spam.ifs.umich.edu
Thu Jan 10 22:59:33 EST 2008


res at qoxp.net replied to Vincenzo.Carnuccio at valueteam.com:
...
>     CV> -Is there any API interface (java, c,any other language) to
>     CV> perform administrative operations? (add a principal, change a
>     CV> password, delete a principal)
> 
> 
>     CV> We must perform automatic provisioning via a web application (jsp)
>     CV> so it seems to be not a good solution using the kadmin command via
>     CV> System Calls.
> 
>     CV> The KDC is the MIT's one
> 
> http://search.cpan.org/~korty/Authen-Krb5-Admin-0.09/Admin.pm
> 
>     CV> Thank you in advance.

The Perl module is probably the best available at present.

Recent versions of MIT Kerberos should also export a C-callable
API for kadm5.  With older versions of MIT this was also possible,
but required extracting bits from built source for MIT k5.
If you feel like experimenting, this may help,
http://mailman.mit.edu/pipermail/krbdev/2007-March/005702.html

There are also possibilities with Java.  I've got a Java library
that will do this, which I hope to make generally available shortly.
It's undergoing review and final feature development right now.  It uses
JNI and calls into gssrpc.  A future version could be pure Java, but
that wasn't feasible right off.

If you want a different Java answer - OpenSolaris has a Java library built
into its source.  It uses JNI and calls into kadm5.  Note CDDL licensing.
Here's how to fetch a copy,

do this,
< find a filesystem with lots of space on a machine with mercurial >
hg clone ssh://anon@hg.opensolaris.org/hg/onnv/onnv-gate
then look here:
onnv-gate/usr/src/OPENSOLARIS.LICENSE
onnv-gate/usr/src/cmd/krb5/kadmin/gui/native/Kadmin.c
onnv-gate/usr/src/cmd/krb5/kadmin/gui/native/Kadmin.java
for more on Solaris,
http://opensolaris.org/os/project/onnv/
You will probably have to work out your own build procedure.

We didn't go with that for various reasons, but maybe it
can meet your needs.

					-Marcus Watts


