kadmin-remctl

In fact, now that I come to think of it, you can't really get a leopard to appreciate the notion that it *has* spots. You can explain it carefully to the leopard, but it will just sit there looking at you, knowing that you are made of meat. After a while it will perhaps kill you.

— Geoffrey K. Pullum

Description

kadmin-remctl provides a remctl backend that implements basic Kerberos account administration functions (create, delete, enable, disable, reset password, examine) plus user password changes and a call to strength-check a given password. It can also provide similar management of instances and creation, deletion, and management of accounts in MIT Kerberos, Active Directory, and an AFS kaserver where appropriate. Also included is a client for privileged users to use for password resets and a simple client for password changes via the Kerberos password change protocol (mostly useful with Active Directory).

At Stanford, we are currently running three Kerberos realms: an MIT Kerberos v5 realm, an Active Directory realm, and an AFS kaserver Kerberos v4 realm. We also have middleware and web applications that support changing or resetting passwords, creating new accounts, examining principals, and enabling or disabling accounts based on affiliation changes. Rather than give all of these systems kadmin access (and force them to use kadmin clients, which is difficult since many are written in Java), and rather than forcing them to do realm synchronization themselves, we export an interface via remctl and use the Java remctl client to talk to that interface.

The remctl backend was originally developed by Roland Schemers in conjunction with a locally-patched Kerberos v4 kadmin client. Booker Bense wrote the code to talk to a Kerberos v5 kadmin client via Expect. I've since substantially rewritten it to merge those features and add additional code to propagate instance creation to Active Directory.

Requirements

The kadmin backend is written in Perl and requires the Perl Expect module. It calls the Kerberos v5 kadmin and kpasswd programs and therefore requires that they be available. For integration with the AFS kaserver Kerberos v4 realm, it can also use kasetkey. The Kerberos v4 synchronization is disabled by default.

The kadmin backend can propagate instance creation and deletion to an Active Directory. To use this support, you will need the Perl Encode, MIME::Base64, and Text::Template modules. (Encode and MIME::Base64 come with Perl 5.8 and later.) You will also need k5start and the OpenLDAP binaries ldapadd, ldapdelete, and ldapmodify.

The passwd_change C client requires that the C libremctl library be available to build (plus, obviously, a C compiler). It and ksetpass also require a Kerberos library; either MIT Kerberos or Heimdal should be sufficient (although currently the client will produce much better error messages using MIT Kerberos).

Finally, the backend is intended to be run under remctld and use remctl to handle authentication, privacy, and integrity.

License

The kadmin-remctl package as a whole is released under the following license:

Copyright 1997, 2003, 2007, 2008 Board of Trustees, Leland Stanford Jr. University. All rights reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the wallet source distribution.

Download

The distribution:

kadmin-remctl 2.1 (2008-04-25), with PGP signature

Documentation:

Last modified and spun 2008-04-25