1. 16 Jan, 2016 1 commit
  2. 04 Jan, 2016 1 commit
    • Add Wallet::ACL::External ACL type · 23a6b180
      Russ Allbery authored
      A new ACL type, external (Wallet::ACL::External), is now supported.
      This ACL runs an external command to check if access is allowed, and
      passes the principal and the ACL identifier to that command.  To
      enable this ACL type for an existing wallet database, use wallet-admin
      to register the new verifier.
      
      Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602
  3. 08 Jun, 2015 2 commits
    • wallet-report: Added report of all host-based objects for host · 45a7c9d2
      Jon Robertson authored
      "wallet-report objects host <hostname>" reports on all objects that
      belong to the given host.  This can be used to query things for retiring
      systems.
      
      Change-Id: Ib1c8e5978fed141d54ecc8504b56b43c037f9b17
    • Added a new password object type · 55875aa0
      Jon Robertson authored
      The password type inherits almost everything from the file object, but
      if you try to get a password object that has never been stored, we
      generate a random string to put in the object rather than just
      erroring out.  The maximum and minimum length of the string can be set
      in the wallet config.
      
      If a password object was stored earlier and then cleared out, we don't
      generate another random string.
      
      Change-Id: I17a65ca7dac9d4430e8a731f417297890ee612bb
  4. 09 Oct, 2014 1 commit
  5. 12 Jul, 2014 4 commits
  6. 13 Apr, 2014 1 commit
  7. 28 May, 2013 1 commit
  8. 28 Feb, 2013 1 commit
  9. 14 Feb, 2013 1 commit
  10. 31 Jan, 2013 1 commit
  11. 16 Jan, 2013 1 commit
  12. 30 Aug, 2012 1 commit
  13. 08 Aug, 2012 1 commit
  14. 04 Apr, 2012 1 commit
    • Add initial LDAP attribute ACL verifier · f1eab726
      Russ Allbery authored
      A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
      supported.  This ACL type grants access if the LDAP entry
      corresponding to the principal contains the attribute name and value
      specified in the ACL.  The Net::LDAP and Authen::SASL Perl modules are
      required to use this ACL type.  New configuration settings are
      required as well; see Wallet::Config for more information.  To enable
      this ACL type for an existing wallet database, use wallet-admin to
      register the new verifier.
  15. 08 Mar, 2010 1 commit
  16. 06 Mar, 2010 1 commit
    • Allow naming policy enforcement for ACL names · fd7f47ed
      Russ Allbery authored
      Wallet::Config now supports an additional local function,
      verify_acl_name, which can be used to enforce ACL naming policies.  If
      set, it is called for any ACL creation or rename and can reject the
      new ACL name.
  17. 04 Mar, 2010 2 commits
    • Use L<> links instead of man page references for modules · acc73c98
      Russ Allbery authored
      Do this only in the main text, not in the SEE ALSO section, since the
      latter is more for conventional man pages.  This will produce better
      results for some POD to HTML converters (although not mine, yet).
    • Add auditing for names that violate the naming policy · a131c767
      Russ Allbery authored
      Add an audit command to wallet-report and one audit: objects name,
      which returns all objects that do not pass the local naming policy.
      The corresponding Wallet::Report method is audit().
      
      Wallet::Config::verify_name may now be called with an undefined third
      argument (normally the user attempting to create an object).  This
      calling convention is used when auditing, and the local policy
      function should select the correct policy to apply for useful audit
      results.
  18. 19 Feb, 2010 1 commit
    • Support unchanging keytabs with Heimdal without remctl · a24d3ac3
      Russ Allbery authored
      Heimdal supports retrieving a keytab containing the existing keys over
      the kadmin protocol.  Move the support for using remctl to retrieve an
      existing keytab into Wallet::Kadmin::MIT and provide two separate
      methods in the Wallet::Kadmin interface: one which rekeys and one which
      doesn't.  Implement the non-rekeying interface for Heimdal.  Expand the
      test suite for the unchanging keytabs to include tests for the Heimdal
      method.
  19. 10 Feb, 2010 1 commit
    • Check spelling of server API POD and tweak server docs · ae02de14
      Russ Allbery authored
      Also update the POD syntax check to the current version of that check
      I use elsewhere.  Since I'm touching all the POD anyway, also rewrap
      all of the POD to 74 columns.  Fix some references to MIT in the
      Wallet::Kadmin::Heimdal module documentation.
  20. 09 Feb, 2010 2 commits
    • Document and make case-insensitive KEYTAB_KRBTYPE · b0377701
      Russ Allbery authored
      KEYTAB_KRBTYPE wasn't documented in Wallet::Config.  Add it and the
      variable declaration.  Also document the new mandatory setting in
      NEWS and add the Heimdal::Kadm5 requirement to README.  Remove some
      of the language in README that implies that only MIT Kerberos is
      supported.
      
      Make the setting case-insensitive and improve the error message from
      Wallet::Kadmin if it isn't set.
    • Remove kaserver synchronization support from the wallet backend · 59455fd5
      Russ Allbery authored
      Remove kaserver synchronization support.  It is no longer tested, and
      retaining the code was increasing the complexity of wallet, and some
      specific requirements (such as different realm names between kaserver
      and Kerberos v5 and the kvno handling) were Stanford-specific.  Rather
      than using this support, AFS sites running kaserver will probably find
      that deploying Heimdal with its internal kaserver compatibility is an
      easier transition approach.
  21. 09 Jun, 2009 1 commit
  22. 09 Feb, 2008 1 commit
  23. 08 Feb, 2008 1 commit
  24. 17 Jan, 2008 1 commit
  25. 01 Dec, 2007 1 commit
  26. 20 Nov, 2007 1 commit
  27. 15 Nov, 2007 1 commit
  28. 05 Oct, 2007 1 commit
  29. 26 Sep, 2007 1 commit
  30. 25 Sep, 2007 1 commit
    • Add support for synchronizing a key with an AFS kaserver in the keytab · 766ba929
      Russ Allbery authored
      object implementation, extracting the DES key with Authen::Krb5 (since
      ktutil doesn't work).
      
      Rename the KEYTAB_CACHE variable to KEYTAB_REMCTL_CACHE to match the
      rest of the keytab retrieval configuration and reorganize the
      Wallet::Config documentation to group related configuration options for
      the keytab backend.
      
      Fix a column name in the keytab_enctypes table to be more consistent
      with the rest of the schema.
  31. 19 Sep, 2007 1 commit
  32. 31 Aug, 2007 1 commit
  33. 29 Aug, 2007 2 commits