From 2ed8ebf18809af66aeaa2af6984754bdbefff500 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 26 Jan 2014 18:11:56 -0500 Subject: Implement kadmind -proponly The -proponly option causes kadmind to only service the iprop service, not the kpasswd or kadmin services. An intermediate slave in a hierarchical iprop setup runs kadmind -proponly in order to provide incremental updates to downstream slaves. Based on code submitted by Richard Basch. ticket: 7855 --- doc/admin/admin_commands/kadmind.rst | 7 +++++++ src/kadmin/server/ovsec_kadmd.c | 37 +++++++++++++++++++++--------------- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst index 09efd22e56..c863fc951d 100644 --- a/doc/admin/admin_commands/kadmind.rst +++ b/doc/admin/admin_commands/kadmind.rst @@ -11,6 +11,7 @@ SYNOPSIS [**-r** *realm*] [**-m**] [**-nofork**] +[**-proponly**] [**-port** *port-number*] [**-P** *pid_file*] [**-p** *kdb5_util_path*] @@ -74,6 +75,12 @@ OPTIONS associated to the terminal. In normal operation, you should allow the server to place itself in the background. +**-proponly** + causes the server to only listen and respond to Kerberos slave + incremental propagation polling requests. This option can be used + to set up a hierarchical propagation topology where a slave KDC + provides incremental updates to other Kerberos slaves. + **-port** *port-number* specifies the port on which the administration server listens for connections. The default port is determined by the diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index e9cca8a618..bc9e3c7e0d 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c 
@@ -84,7 +84,7 @@ usage() { fprintf(stderr, _("Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] " "[-port port-number]\n" - "\t\t[-p path-to-kdb5_util] [-F dump-file]\n" + "\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n" "\t\t[-K path-to-kprop] [-P pid_file]\n" "\nwhere,\n\t[-x db_args]* - any number of database " "specific arguments.\n" @@ -133,9 +133,10 @@ write_pid_file(const char *pid_file) return st1 ? st1 : st2; } -/* Set up the main loop. May set *ctx_out even on error. */ +/* Set up the main loop. If proponly is set, don't set up ports for kpasswd or + * kadmin. May set *ctx_out even on error. */ static krb5_error_code -setup_loop(verto_ctx **ctx_out) +setup_loop(int proponly, verto_ctx **ctx_out) { krb5_error_code ret; verto_ctx *ctx; @@ -147,16 +148,18 @@ setup_loop(verto_ctx **ctx_out) ret = loop_setup_signals(ctx, global_server_handle, NULL); if (ret) return ret; - ret = loop_add_udp_port(handle->params.kpasswd_port); - if (ret) - return ret; - ret = loop_add_tcp_port(handle->params.kpasswd_port); - if (ret) - return ret; - ret = loop_add_rpc_service(handle->params.kadmind_port, KADM, KADMVERS, - kadm_1); - if (ret) - return ret; + if (!proponly) { + ret = loop_add_udp_port(handle->params.kpasswd_port); + if (ret) + return ret; + ret = loop_add_tcp_port(handle->params.kpasswd_port); + if (ret) + return ret; + ret = loop_add_rpc_service(handle->params.kadmind_port, KADM, KADMVERS, + kadm_1); + if (ret) + return ret; + } #ifndef DISABLE_IPROP if (handle->params.iprop_enabled) { ret = loop_add_rpc_service(handle->params.iprop_port, KRB5_IPROP_PROG, @@ -348,7 +351,7 @@ main(int argc, char *argv[]) verto_ctx *vctx; const char *pid_file = NULL; char **db_args = NULL, **tmpargs; - int ret, i, db_args_size = 0, strong_random = 1; + int ret, i, db_args_size = 0, strong_random = 1, proponly = 0; setlocale(LC_ALL, ""); setvbuf(stderr, NULL, _IONBF, 0); 
@@ -394,6 +397,10 @@ main(int argc, char *argv[]) #ifdef USE_PASSWORD_SERVER } else if (strcmp(*argv, "-passwordserver") == 0) { kadm5_set_use_password_server(); +#endif +#ifndef DISABLE_IPROP + } else if (strcmp(*argv, "-proponly") == 0) { + proponly = 1; #endif } else if (strcmp(*argv, "-port") == 0) { argc--, argv++; @@ -455,7 +462,7 @@ main(int argc, char *argv[]) if (!(params.mask & KADM5_CONFIG_ACL_FILE)) fail_to_start(0, _("Missing required ACL file configuration")); - ret = setup_loop(&vctx); + ret = setup_loop(proponly, &vctx); if (ret) fail_to_start(ret, _("initializing network")); -- cgit
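Review bot: `-proponly` is only recognised inside `#ifndef DISABLE_IPROP`, while the usage() synopsis in the earlier hunk advertises `[-proponly]` unconditionally; in a build with iprop disabled the option is presumably rejected through the unknown-option path and the user is then shown a synopsis that lists it. Rather than making the usage string conditional (a preprocessor directive inside the argument list of the `_()` macro is undefined behaviour in C), accept the option in every build and fail with a clear message when iprop support is compiled out, using fail_to_start() the way the later hunk already does for configuration errors. The option loop and main() both extend outside this hunk.
```c
        } else if (strcmp(*argv, "-proponly") == 0) {
#ifdef DISABLE_IPROP
            fail_to_start(0, _("-proponly requires iprop support, which was "
                               "disabled at build time"));
#else
            proponly = 1;
#endif
        } else if (strcmp(*argv, "-port") == 0) {
            /* … unchanged: remaining option parsing … */
```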
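Review bot: A `-proponly` start with iprop disabled in the configuration is not rejected before the setup_loop call: with proponly set, setup_loop skips the kpasswd and kadmin listeners, and its only remaining listener sits behind `if (handle->params.iprop_enabled)`, so that combination returns success with no service registered and kadmind backgrounds itself doing nothing, which would only be noticed when downstream slaves fail to poll. Since the required-configuration checks already live here, add one alongside the ACL check: `if (proponly && !params.iprop_enabled)` / `fail_to_start(0, _("-proponly requires iprop_enable to be set"));`, assuming `params` in main() is the same kadm5 config struct that setup_loop reads through `handle->params`. main() begins and ends outside this hunk.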