kadmin-remctl

In fact, now that I come to think of it, you can't really get a leopard to appreciate the notion that it *has* spots. You can explain it carefully to the leopard, but it will just sit there looking at you, knowing that you are made of meat. After a while it will perhaps kill you.

— Geoffrey K. Pullum

Description

At Stanford, we are currently running two Kerberos realms: a Heimdal Kerberos realm and an Active Directory realm. We previously also had an AFS kaserver Kerberos v4 realm. We also have middleware and web applications that support changing or resetting passwords, creating new accounts, examining principals, and enabling or disabling accounts based on affiliation changes. Rather than give all of these systems kadmin access (and force them to use kadmin clients, which is difficult since many are written in Java), and rather than forcing them to do realm synchronization themselves, we export an interface via remctl and use the Java remctl client to talk to that interface.

This package includes the kadmin backend, a Perl script that supports creating, deleting, enabling, and disabling accounts, changing or resetting passwords, and checking password strength. This script does synchronization to Active Directory and an AFS kaserver Kerberos v4 realm as well where appropriate. It also includes ksetpass, a simple client for changing passwords via the Kerberos password change protocol that doesn't prompt for the existing password like kpasswd. This client is used to set passwords in Active Directory.

Also included in this package is a C client for use by privileged users when changing passwords for others. This client searches for the user in a password file first to present the full name for verification, and then obtains special credentials for a designated principal and then contacts a remctl server on a non-standard port to issue a change password command. This is done on a non-standard port so that it can use a different principal for authentication than the regular host principal normally used by remctl and require that the privileged user reauthenticate before using this service.

Some aspects of this package are very Stanford-specific, most notably some of the namespace constraints on principals and the sometimes-bizarre formatting of the output from this script (which is for compatibility with the legacy APIs used at Stanford). It is probably not suitable for using at other sites without modifications, but may provide ideas for how to do something similar for another site.

The remctl backend was originally developed by Roland Schemers in conjunction with a locally-patched Kerberos v4 kadmin client. Booker Bense wrote the code to talk to a Kerberos v5 kadmin client via Expect. I've since substantially rewritten it to merge those features and add additional code to propagate instance creation to Active Directory. Jon Robertson ported the MIT Kerberos code to Heimdal using Heimdal::Kadm5.

The AFS kaserver support is frozen and no longer tested since Stanford no longer runs an AFS kaserver realm. It may be removed in a future release if the code is significantly restructured.

Requirements

The kadmin backend is written in Perl and requires the Perl Expect module. The Heimdal version also requires the IPC::run module. The MIT version (kadmin-backend) calls the Kerberos kadmin and kpasswd programs and therefore requires that they be available. The Heimdal version similarly requires kpasswd, but uses the Perl module Heimdal::Kadm5 for kadmin operations and requires it be installed. For integration with the AFS kaserver Kerberos v4 realm, it uses kasetkey (only available in old releases of wallet). The Kerberos v4 synchronization is disabled by default.

The kadmin backend can propagate instance creation and deletion to an Active Directory. To use this support, you will need the Perl Encode, MIME::Base64, and Text::Template modules. (Encode and MIME::Base64 come with Perl 5.8 and later.) You will also need k5start and the OpenLDAP binaries ldapadd, ldapdelete, and ldapmodify.

The passwd_change C client requires the C libremctl library be available to build (plus, obviously, a C compiler). It and ksetpass also require a Kerberos library; either MIT Kerberos or Heimdal should be sufficient.

Finally, the backend is intended to be run under remctld and use remctl to handle authentication, privacy, and integrity.

To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later. Perl is also required to generate the manual pages from a fresh Git checkout.

Download

The distribution:

kadmin-remctl 3.6 2014-01-15 tar.gz (PGP signature) tar.xz (PGP signature)

An archive of older releases is also available.

A Debian package is available from my personal repository.

kadmin-remctl is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/kerberos/kadmin-remctl.git

You can also browse the current development source.

Documentation

User documentation:

Developer documentation:

License

The kadmin-remctl package as a whole is released under the following license:

Copyright 1997, 2003, 2007, 2008, 2009, 2010, 2011, 2013, 2014 The Board of Trustees of the Leland Stanford Junior University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the kadmin-remctl source distribution.

Last modified and spun 2014-08-10