Russ Allbery > Software > krb5-sync
The best of all rulers is but a shadowy presence to his subjects.
Next comes the ruler they love and praise;
Next comes the one they fear;
Next comes one with whom they take liberties.
When there is not enough faith, there is lack of good faith.
Hesitant, he does not utter words lightly.
When his task is accomplished and his work done
The people all say, "It happened to us naturally."
Lao Tzu, Tao Te Ching (translated by D.C. Lau)
krb5-sync is a toolkit for updating passwords and account status from an MIT Kerberos master KDC to Active Directory and/or an AFS kaserver. It is implemented as a patch to kadmind and a plugin module that will push password changes and selected account flag changes to Active Directory or to a kaserver at the same time as they are made to the local KDC database. In addition to the plugin, a command-line utility is provided that can perform the same operations as the plugin.
This is not a simple software package. It should be considered more of a sample implementation on which to base custom local modifications. As distributed, it makes a lot of assumptions to match what Stanford needs, and those assumptions are likely to be different for other sites. The provided patch is also specific to one release of MIT Kerberos and may not apply cleanly even to that release, so expect to have to make some changes to it.
This software was written by Derrick Brashear and Ken Hornstein of Sine Nomine Associates on behalf of Stanford University. I have since reorganized, updated, hacked, and otherwise modified it significantly. My long-term goal is to find a plugin API for kadmind that can be integrated into MIT Kerberos (and ideally Heimdal as well, although that's a lower priority) so that this package can provide only the loadable module.
For this software to work, you will need to patch the MIT Kerberos source and build a custom kadmind and libkadm5srv library. The patch will probably require modifications for the version that you use, and you should be comfortable building custom MIT Kerberos versions and applying patches before attempting this.
To build the account status update code, you will need OpenLDAP installed. To authenticate to Active Directory, you will also need Cyrus SASL installed including the Kerberos GSSAPI modules. The plugin or command-line utilities will need access to a keytab with administrative privileges in Active Directory, a srvtab with administrative privileges in the AFS kaserver, or both, depending on which synchronizations you intend to perform. To configure status updates, you will also need to know the server to which to do LDAP queries (generally, this is one of the Domain Controllers).
To build the AFS kaserver update code, you will need the AFS libraries available. This support is optional and not built by default. If it is requested, several of the static AFS libraries are required, so the AFS libraries must either be built PIC (using, for instance, the gcc -fPIC option) or you will need to be using a platform where non-PIC code can be linked into a dynamically loaded object. This will work on x86 Linux but not on x86_64 (AMD64) Linux, for instance.
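One way to verify the PIC requirement before attempting the link, as an added example that is not part of the krb5-sync distribution: inspect the relocations in the static AFS archive with readelf and look for absolute 32-bit x86_64 relocations, which are what ld rejects when building a shared object. The archive path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not krb5-sync code): decide whether the members of a
# static archive were built PIC before linking them into a dlopen()ed
# kadmind plugin. On x86_64, absolute 32-bit relocations (R_X86_64_32
# and R_X86_64_32S) mark non-PIC code and ld refuses to put them into a
# shared object. On i386 the same code links with text relocations,
# which is why the page says x86 Linux works but x86_64 does not.

# Read `readelf -r` output on stdin, print the number of lines carrying
# an absolute 32-bit x86_64 relocation, and return 0 only if that number
# is zero (the objects look PIC).
relocs_need_pic() {
    n=$(grep -cE 'R_X86_64_32S?([[:space:]]|$)' || true)
    echo "$n"
    [ "$n" -eq 0 ]
}

# Run the check on a real archive, for example /usr/lib/afs/libauth.a
# (assumed path; point it at wherever your AFS libraries are installed).
check_archive_pic() {
    archive=$1
    [ -r "$archive" ] || { echo "cannot read $archive" >&2; return 2; }
    if count=$(readelf -r "$archive" | relocs_need_pic); then
        echo "$archive: no absolute 32-bit relocations; usable in a shared object"
    else
        echo "$archive: $count absolute 32-bit relocation(s); rebuild the AFS libraries with -fPIC" >&2
        return 1
    fi
}
```

`check_archive_pic libauth.a` exits 0 when the archive can go into the plugin and 1 when it needs rebuilding; R_X86_64_PC32 references to undefined symbols can also fail the link, so a clean result here is necessary but not sufficient.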
This software has only been tested on Linux. There's no inherent reason why it shouldn't work on other platforms that support dlopen, but I've not even tried to compile it elsewhere.
The distribution:
krb5-sync 1.2 (2007-12-25): Download | PGP signature
An archive of older releases is also available.
Documentation:
The krb5-sync package as a whole is covered by the following license:
Copyright 2006, 2007 Board of Trustees, Leland Stanford Jr. University. All rights reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the krb5-sync source distribution.