author: Greg Hudson <ghudson@mit.edu> 2010-09-01 16:40:22 +0000
committer: Greg Hudson <ghudson@mit.edu> 2010-09-01 16:40:22 +0000
commit: bd399cad888d90e99da3e5787040b34da857a34e
tree: af01e6e0bd5b66a3dd3e05959f34e61623114916 /doc
parent: 18fda42e0ef82c51228ba7cbfb3915330f0c352e
Password quality pluggable interface
Merge branches/plugins2 to trunk. Adds a password quality pluggable
interface described in this project page:
http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface

ticket: 6765

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc')
-rw-r--r-- doc/admin.texinfo 63
-rw-r--r-- doc/krb5conf.texinfo 4
2 files changed, 65 insertions, 2 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 5da912768d..fd1be4279e 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -410,6 +410,7 @@ salt. The supported values for salts are as follows.
* capaths::
* dbdefaults::
* dbmodules::
+* plugins::
* pkinit client options::
* Sample krb5.conf File::
@end menu
@@ -1042,7 +1043,7 @@ This LDAP specific tag indicates the list of LDAP servers that the Kerberos serv
This LDAP specific tag indicates the number of connections to be maintained per LDAP server. This value is used if the number of connections per LDAP server are not mentioned in the configuration section under [dbmodules]. The default value is 5.
@end table
-@node dbmodules, pkinit client options, dbdefaults, krb5.conf
+@node dbmodules, plugins, dbdefaults, krb5.conf
@subsection [dbmodules]
Contains database specific parameters used by the database library. Each tag in the [dbmodules] section of the file names a configuration section for database specific parameters that can be referred to by a realm. The value of the tag is a subsection where the relations in that subsection define the database specific parameters.
@@ -1090,7 +1091,65 @@ This LDAP specific tags indicates the number of connections to be maintained per
@end table
-@node pkinit client options, Sample krb5.conf File, dbmodules, krb5.conf
+@node plugins, pkinit client options, dbmodules, krb5.conf
+
+@menu
+* pwqual interface::
+@end menu
+
+Tags in the [plugins] section can be used to register dynamic plugin
+modules and to turn modules on and off. Not every krb5 pluggable
+interface uses the [plugins] section; the ones that do are documented
+here.
+
+Each pluggable interface corresponds to a subsection of [plugins].
+All subsections support the same tags:
+
+@table @b
+@itemx module
+This tag may have multiple values. Each value is a string of the form
+"modulename:pathname", which causes the shared object located at
+pathname to be registered as a dynamic module named modulename for the
+pluggable interface. If pathname is not an absolute path, it will be
+treated as relative to the "krb5/plugins" subdirectory of the krb5
+library directory.
+
+@itemx enable_only
+This tag may have multiple values. If there are values for this tag,
+then only the named modules will be enabled for the pluggable
+interface.
+
+@itemx disable
+This tag may have multiple values. If there are values for this tag,
+then the named modules will be disabled for the pluggable interface.
+@end table
+
+The following subsections are currently supported within the [plugins]
+section:
+
+@node pwqual interface, , plugins, plugins
+
+The pwqual subsection controls modules for the password quality
+interface, which is used to reject weak passwords when passwords are
+changed. In addition to any registered dynamic modules, the following
+built-in modules exist (and may be disabled with the disable tag):
+
+@table @b
+@itemx dict
+Checks against the realm dictionary file
+
+@itemx empty
+Rejects empty passwords
+
+@itemx hesiod
+Checks against user information stored in Hesiod (only if Kerberos was
+built with Hesiod support)
+
+@itemx princ
+Checks against components of the principal name
+@end table
+
+@node pkinit client options, Sample krb5.conf File, plugins, krb5.conf
@subsection pkinit options
@menu
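Review bot: The new "@node plugins" and "@node pwqual interface" lines have no sectioning command after them, unlike the neighbouring "@subsection [dbmodules]" and "@subsection pkinit options"; add "@subsection [plugins]" and a matching lower-level heading for pwqual so both nodes get a title in the printed manual. The "@menu" block also sits ahead of the node's body text and would read better at the end of the plugins node, after "The following subsections are currently supported within the [plugins] section:". Two content gaps in the tag table: it does not say which tag wins when a module is named in both enable_only and disable, and since the module tag causes the shared object at pathname to be registered, a sentence stating that the file and its directory should be writable only by the administrator would help. A short sample [plugins] stanza showing the "modulename:pathname" form and a disable line for one of the built-in modules would also make the syntax concrete.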
diff --git a/doc/krb5conf.texinfo b/doc/krb5conf.texinfo
index 9114350619..0b4b2d4377 100644
--- a/doc/krb5conf.texinfo
+++ b/doc/krb5conf.texinfo
@@ -89,6 +89,10 @@ client to determine the intermediate realms which may be used in
cross-realm authentication. It is also used by the end-service when
checking the transited field for trusted intermediate realms.
+@itemx plugins
+Contains tags to register dynamic plugin modules and to turn modules on
+and off.
+
@ignore
this doesn't seem to be used
@itemx kdc
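Review bot: The added "@itemx plugins" text says the section "Contains tags", but the admin.texinfo text in this same commit says each pluggable interface is a subsection of [plugins] and the tags live inside those subsections. Suggest wording along the lines of "Contains subsections, one per pluggable interface, whose tags register dynamic plugin modules and turn modules on and off" so the two documents agree and a reader does not try to put module or disable directly under [plugins].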