authorGreg Hudson <ghudson@mit.edu>2014-01-26 18:11:56 -0500
committerGreg Hudson <ghudson@mit.edu>2014-02-20 20:45:55 -0500
commit2ed8ebf18809af66aeaa2af6984754bdbefff500 (patch)
tree506104751ebe5fc8d21429f541a797e124152292
parent406c83c835a8ce062d798a2ec4eda2eddd088450 (diff)
Implement kadmind -proponly
The -proponly option causes kadmind to only service the iprop service, not the kpasswd or kadmin services. An intermediate slave in a hierarchical iprop setup runs kadmind -proponly in order to provide incremental updates to downstream slaves. Based on code submitted by Richard Basch. ticket: 7855
-rw-r--r--doc/admin/admin_commands/kadmind.rst7
-rw-r--r--src/kadmin/server/ovsec_kadmd.c37
2 files changed, 29 insertions, 15 deletions
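diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst
index 09efd22e56..c863fc951d 100644
--- a/doc/admin/admin_commands/kadmind.rst
+++ b/doc/admin/admin_commands/kadmind.rst
@@ -11,6 +11,7 @@ SYNOPSIS
 [**-r** *realm*]
 [**-m**]
 [**-nofork**]
+[**-proponly**]
 [**-port** *port-number*]
 [**-P** *pid_file*]
 [**-p** *kdb5_util_path*]
@@ -74,6 +75,12 @@ OPTIONS
 associated to the terminal. In normal operation, you should allow
 the server to place itself in the background.
+**-proponly**
+ causes the server to only listen and respond to Kerberos slave
+ incremental propagation polling requests. This option can be used
+ to set up a hierarchical propagation topology where a slave KDC
+ provides incremental updates to other Kerberos slaves.
+
 **-port** *port-number*
 specifies the port on which the administration server listens for
 connections. The default port is determined by the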
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index e9cca8a618..bc9e3c7e0d 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -84,7 +84,7 @@ usage()
{
fprintf(stderr, _("Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] "
"[-port port-number]\n"
- "\t\t[-p path-to-kdb5_util] [-F dump-file]\n"
+ "\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n"
"\t\t[-K path-to-kprop] [-P pid_file]\n"
"\nwhere,\n\t[-x db_args]* - any number of database "
"specific arguments.\n"
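Review bot: The added `[-proponly]` in the usage text is unconditional, but the parser branch that accepts it in the later hunk of this file (the `} else if (strcmp(*argv, "-proponly") == 0)` case) is wrapped in `#ifndef DISABLE_IPROP`, so a build with iprop compiled out advertises an option it then rejects as unknown, and the manual page added in this commit makes the same promise. Either guard this fragment of the usage string with the same `#ifndef DISABLE_IPROP` or, more helpfully for operators, accept `-proponly` unconditionally and refuse to start with a clear message when iprop support is absent, e.g. `fail_to_start(0, _("-proponly requires iprop support"));` in a `#else` branch. The `usage()` body continues past the end of this hunk.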
@@ -133,9 +133,10 @@ write_pid_file(const char *pid_file)
return st1 ? st1 : st2;
}
-/* Set up the main loop. May set *ctx_out even on error. */
+/* Set up the main loop. If proponly is set, don't set up ports for kpasswd or
+ * kadmin. May set *ctx_out even on error. */
static krb5_error_code
-setup_loop(verto_ctx **ctx_out)
+setup_loop(int proponly, verto_ctx **ctx_out)
{
krb5_error_code ret;
verto_ctx *ctx;
@@ -147,16 +148,18 @@ setup_loop(verto_ctx **ctx_out)
ret = loop_setup_signals(ctx, global_server_handle, NULL);
if (ret)
return ret;
- ret = loop_add_udp_port(handle->params.kpasswd_port);
- if (ret)
- return ret;
- ret = loop_add_tcp_port(handle->params.kpasswd_port);
- if (ret)
- return ret;
- ret = loop_add_rpc_service(handle->params.kadmind_port, KADM, KADMVERS,
- kadm_1);
- if (ret)
- return ret;
+ if (!proponly) {
+ ret = loop_add_udp_port(handle->params.kpasswd_port);
+ if (ret)
+ return ret;
+ ret = loop_add_tcp_port(handle->params.kpasswd_port);
+ if (ret)
+ return ret;
+ ret = loop_add_rpc_service(handle->params.kadmind_port, KADM, KADMVERS,
+ kadm_1);
+ if (ret)
+ return ret;
+ }
#ifndef DISABLE_IPROP
if (handle->params.iprop_enabled) {
ret = loop_add_rpc_service(handle->params.iprop_port, KRB5_IPROP_PROG,
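Review bot: When `proponly` is set, skipping the kpasswd and kadmin listeners leaves the iprop RPC service under `#ifndef DISABLE_IPROP` as the only one, and it is added only if `handle->params.iprop_enabled` is true; with iprop disabled in the realm configuration, `setup_loop` returns success having registered no ports at all and the daemon runs listening for nothing, which is easy to miss since nothing is logged. A fail-fast check would make the misconfiguration visible, for example next to the ACL-file check in `main()`: `if (proponly && !params.iprop_enabled) fail_to_start(0, _("-proponly requires iprop_enable"));`. The `setup_loop` body runs past the end of this hunk, so the remaining error paths were not reviewed here.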
@@ -348,7 +351,7 @@ main(int argc, char *argv[])
verto_ctx *vctx;
const char *pid_file = NULL;
char **db_args = NULL, **tmpargs;
- int ret, i, db_args_size = 0, strong_random = 1;
+ int ret, i, db_args_size = 0, strong_random = 1, proponly = 0;
setlocale(LC_ALL, "");
setvbuf(stderr, NULL, _IONBF, 0);
@@ -395,6 +398,10 @@ main(int argc, char *argv[])
} else if (strcmp(*argv, "-passwordserver") == 0) {
kadm5_set_use_password_server();
#endif
+#ifndef DISABLE_IPROP
+ } else if (strcmp(*argv, "-proponly") == 0) {
+ proponly = 1;
+#endif
} else if (strcmp(*argv, "-port") == 0) {
argc--, argv++;
if (!argc)
@@ -455,7 +462,7 @@ main(int argc, char *argv[])
if (!(params.mask & KADM5_CONFIG_ACL_FILE))
fail_to_start(0, _("Missing required ACL file configuration"));
- ret = setup_loop(&vctx);
+ ret = setup_loop(proponly, &vctx);
if (ret)
fail_to_start(ret, _("initializing network"));