Codebase list krb5-sync / HEAD patches
HEAD

Tree @HEAD (Download .tar.gz) 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
The patches in this directory apply to Heimdal and add plugin support to
the kadmin libraries for performing actions before and after a password
change is committed to the KDC database and after a change is made to the
attributes of a principal (specifically, a change to DISALLOW_ALL_TIX).

No patch is required for MIT Kerberos 1.9 or later.  MIT Kerberos prior to
1.9 is not supported.

Currently, there is one patch available:

    heimdal-1.3.1       Built against stock Heimdal 1.3.1

More patches against other source trees may be provided in the future.
Please let me know if there is a specific version you wish to see a patch
for (and even better, let me know if you have a tested patch for a
different version).

This patch adds a hook_libraries configuration option to the [kadmin]
section of krb5.conf (or kdc.conf if you use that file) that must be set
to load the module.  That configuration option is in the form:

    [kadmin]
      hook_libraries = /usr/local/lib/krb5/plugins/kadm5_hook/krb5_sync.so

where the value is the full path to the plugin that you want to load.  If
this option is not present, kadmind will not load a plugin and the changes
from the patch will be inactive.  If this option is given and the plugin
cannot be loaded, kadmind startup will abort with a (hopefully useful)
error message in syslog.


Any plugin used with this patch must expose a public struct named
kadm5_hook.  That struct must contain the following:

    typedef struct kadm5_hook {
        const char *name;
        int version;
        const char *vendor;

        krb5_error_code (*init)(krb5_context, void **);
        void (*fini)(krb5_context, void *);

        krb5_error_code (*chpass)(krb5_context, void *, enum kadm5_hook_stage,
                                  krb5_principal, const char *);
        krb5_error_code (*create)(krb5_context, void *, enum kadm5_hook_stage,
                                  kadm5_principal_ent_t, uint32_t mask,
                                  const char *password);
        krb5_error_code (*modify)(krb5_context, void *, enum kadm5_hook_stage,
                                  kadm5_principal_ent_t, uint32_t mask);
    } kadm5_hook;

where enum kadm5_hook_stage is:

    enum kadm5_hook_stage {
        KADM5_HOOK_STAGE_PRECOMMIT,
        KADM5_HOOK_STAGE_POSTCOMMIT
    };

init creates a hook context that is passed into all subsequent calls.
chpass is called for password changes, create is called for principal
creation (with the newly-created principal in the kadm5_principal_ent_t
argument), and modify is called when a principal is modified.

These functions should follow the normal Kerberos calling convention of
returning 0 on success and a Kerberos error code on failure, setting the
Kerberos error message in the provided context.

-----

Copyright 2012, 2013
    The Board of Trustees of the Leland Stanford Junior University

Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved.  This file is offered as-is, without any
warranty.

History of patches @HEAD