| < krb5-strength | Russ Allbery > Software | kstart > |
The best of all rulers is but a shadowy presence to his subjects.
Next comes the ruler they love and praise;
Next comes the one they fear;
Next comes one with whom they take liberties.
When there is not enough faith, there is lack of good faith.
Hesitant, he does not utter words lightly.
When his task is accomplished and his work done
The people all say, "It happened to us naturally."
Lao Tzu, Tao Te Ching (translated by D.C. Lau)
krb5-sync is a toolkit for updating passwords and account status from a Heimdal or MIT Kerberos master KDC to Active Directory. It is implemented as a patch to libkadm5srv and a plugin module that will push password changes and selected account flag changes to Active Directory at the same time as they are made to the local KDC database. In addition to the plugin, a command-line utility is provided that can perform the same operations as the plugin.
This is not a simple software package. It should be considered more of a sample implementation on which to base custom local modifications. As distributed, it makes many assumptions to match what Stanford needs, and those assumptions are likely to be different for other sites. The provided patch is also specific to one release of Heimdal and of MIT Kerberos and may not apply cleanly even to that release, so expect to have to make some changes to it.
This software was written by Derrick Brashear and Ken Hornstein of Sine Nomine Associates on behalf of Stanford University. I have since reorganized, updated, hacked, and otherwise modified it significantly. My long-term goal is to find a plugin API for kadmind that can be integrated into Heimdal and MIT Kerberos so that this package can provide only the loadable module.
For this software to work, you will need to patch the Heimdal or MIT Kerberos source and build a custom kadmind and libkadm5srv libraries. The patch will probably require modifications for the version that you use, and you should be comfortable building custom Heimdal or MIT Kerberos versions and applying patches before attempting this.
To build the account status update code, you will need OpenLDAP installed. To authenticate to Active Directory, you will also need Cyrus SASL installed including the Kerberos GSSAPI modules. The plugin or command-line utilities will need access to a keytab with administrative privileges in Active Directory. To configure status updates, you will also need to know the server to which to do LDAP queries (generally, this is one of the Domain Controllers).
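As an added illustration of the two operations described above (a password change and an account status flag pushed to Active Directory over an authenticated LDAP connection), and not code from krb5-sync itself, the following Python sketch builds the LDAP modify for one account and applies it with a GSSAPI bind. It assumes the ldap3 library for the network part, that the Kerberos client library acquires credentials from the keytab named in KRB5_CLIENT_KTNAME (an MIT krb5 feature), and that the principal in that keytab holds the reset-password and write-account rights in AD; the host, base DN and keytab path are placeholders. The attribute names (unicodePwd, userAccountControl) and flag values are Active Directory's documented ones.

```python
"""Push a password change and an enable/disable flag to Active Directory.

Added example, not krb5-sync's own code.  Assumptions: the ldap3 library is
installed for the network part; MIT krb5 reads client credentials from the
keytab named in KRB5_CLIENT_KTNAME; the keytab principal has reset-password
and write-account rights on the target users.  Hostnames, DNs and the keytab
path below are placeholders.
"""
import os

# Active Directory userAccountControl bits (documented values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Same literal ldap3 uses for its MODIFY_REPLACE constant, defined here so
# the pure helpers (and their tests) work without ldap3 installed.
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts a new password only via the unicodePwd attribute, encoded
    as UTF-16LE (no BOM) with the password wrapped in double quotes."""
    return ('"%s"' % password).encode("utf-16-le")


def update_uac(current: int, disable: bool) -> int:
    """Set or clear only the ACCOUNTDISABLE bit, preserving every other flag
    (NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, ...) already on the account."""
    if disable:
        return current | UF_ACCOUNTDISABLE
    return current & ~UF_ACCOUNTDISABLE


def build_modifications(current_uac, new_password=None, disable=None):
    """Assemble the ldap3-style modify payload for one account.  A password
    change, a status flip, or both may be requested; an empty dict means
    there is nothing to send (e.g. disabling an already disabled account)."""
    mods = {}
    if new_password is not None:
        mods["unicodePwd"] = [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]
    if disable is not None:
        new_uac = update_uac(current_uac, disable)
        if new_uac != current_uac:
            mods["userAccountControl"] = [(MODIFY_REPLACE, [new_uac])]
    return mods


def push_to_ad(host, base_dn, sam_account_name, new_password=None,
               disable=None, keytab="/etc/krb5.keytab.ad"):
    """Bind to a Domain Controller with GSSAPI over LDAPS and apply the
    change.  Not exercised offline; all connection details are placeholders."""
    from ldap3 import Server, Connection, SASL, KERBEROS  # assumed installed
    from ldap3.utils.conv import escape_filter_chars

    # With no ticket cache, MIT krb5 obtains client credentials from this
    # keytab, which is how an unattended daemon authenticates to AD.
    os.environ.setdefault("KRB5_CLIENT_KTNAME", keytab)

    # AD refuses unicodePwd writes over an unencrypted connection: use LDAPS.
    server = Server(host, port=636, use_ssl=True)
    conn = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS,
                      auto_bind=True)
    try:
        # The account name arrives from the KDC; escape it before it enters
        # the filter so a crafted principal cannot widen the search.
        flt = "(sAMAccountName=%s)" % escape_filter_chars(sam_account_name)
        conn.search(base_dn, flt, attributes=["userAccountControl"])
        if len(conn.entries) != 1:
            raise LookupError("expected exactly one match for %r" % sam_account_name)
        entry = conn.entries[0]
        mods = build_modifications(int(entry.userAccountControl.value),
                                   new_password, disable)
        if not mods:
            return True
        if not conn.modify(entry.entry_dn, mods):
            raise RuntimeError("AD modify failed: %s" % conn.result.get("description"))
        return True
    finally:
        conn.unbind()
```

Reading the current userAccountControl before writing it is what keeps a status change from clobbering unrelated flags on the account, and the empty-payload short circuit avoids a needless write when the KDC and AD already agree.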
This software has only been tested on Linux. There's no inherent reason why it shouldn't work on other platforms that support dlopen, but I've not even tried to compile it elsewhere.
The distribution:
| krb5-sync 2.1 | 2010-08-27 | Download | PGP signature |
An archive of older releases is also available.
krb5-sync is maintained using the Git version control system. To check out the current development tree, clone:
git://git.eyrie.org/kerberos/krb5-sync.git
You can also browse the current development source.
The krb5-sync package as a whole is covered by the following license:
Copyright 2006, 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University. All rights reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the krb5-sync source distribution.