author: Ken Raeburn <raeburn@mit.edu> 2006-07-18 00:40:19 +0000
committer: Ken Raeburn <raeburn@mit.edu> 2006-07-18 00:40:19 +0000
commit: 42d9d6ab320ee3a661fe21472be542acd542d5be
tree: ab3049772f6c2cceaf8956cf0a1172e0f6ddc12a /src/kadmin/cli
parent: 6eb696bf5669ec60b55927d974b48bbadc62bc66
Merge remaining changes from LDAP integration branch
svn+ssh://svn.mit.edu/krb5/branches/ldap-integ@18333.

* plugins/kdb/ldap: New directory.
* aclocal.m4 (WITH_LDAP): New macro.
  (CONFIG_RULES): Invoke it.
* configure.in: Test ldap option, maybe configure and generate makefiles for new directories, and set and substitute ldap_plugin_dir.
* Makefile.in (SUBDIRS): Add @ldap_plugin_dir@.
* kdc/krb5kdc.M, kadmin/server/kadmind.M, kadmin/cli/kadmin.M, config-files/krb5.conf.M: Document LDAP changes (new options, config file entries, etc).
* lib/kdb/kdb5.c (kdb_load_library): Put more info in error message.
* lib/kadm5/admin.h (KADM5_CPW_FUNCTION, KADM5_RANDKEY_USED, KADM5_CONFIG_PASSWD_SERVER): New macros, disabled for now.
  (struct _kadm5_config_params): New field kpasswd_server, commented out for now.
* lib/krb5/error_tables/kdb5_err.et: Add error codes KRB5_KDB_ACCESS_ERROR, KRB5_KDB_INTERNAL_ERROR, KRB5_KDB_CONSTRAINT_VIOLATION.

ticket: 2935
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18334 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/cli')
-rw-r--r-- src/kadmin/cli/kadmin.M | 90
1 files changed, 81 insertions, 9 deletions
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index d9d6abda1..214d722ed 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -15,7 +15,7 @@ kadmin \- Kerberos V5 database administration program
.B kadmin.local
[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP]
.br
-[\fB\-d\fP \fIdbname\fP] [\fB\-e \fI"enc:salt ..."\fP] [\fB-m\fP]
+[\fB\-d\fP \fIdbname\fP] [\fB\-e \fI"enc:salt ..."\fP] [\fB-m\fP] [\fB\-x\fP \fIdb_args\fP]
.ad b
.SH DESCRIPTION
.B kadmin
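Review bot: the synopsis adds `[\fB\-x\fP \fIdb_args\fP]` only to the `.B kadmin.local` usage line, but the new OPTIONS entry for `\-x` later in this patch is listed alongside `\-d`, `\-s` and the other general options without saying which client accepts it. State explicitly whether `\-x` is `kadmin.local`-only (as the synopsis implies) or also accepted by `kadmin`, and make the two places agree.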
@@ -28,8 +28,10 @@ and
.B kadmin.local
provide identical functionalities; the difference is that
.B kadmin.local
-runs on the master KDC and does not use Kerberos to authenticate to the
-database. Except as explicitly noted otherwise, this man page will use
+runs on the master KDC if the database is db2 and
+does not use Kerberos to authenticate to the
+database. Except as explicitly noted otherwise,
+this man page will use
.B kadmin
to refer to both versions.
.B kadmin
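Review bot: the rewritten sentence starting `runs on the master KDC if the database is db2 and` leaves the scope of the condition ambiguous: a reader can attach `if the database is db2` either to where `kadmin.local` runs or to its not using Kerberos. Suggest two sentences, e.g. `does not use Kerberos to authenticate to the database. When the database is db2, it must run on the master KDC.`, so the authentication property is stated unconditionally.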
@@ -58,7 +60,7 @@ has determined the principal name, it requests a
Kerberos service ticket from the KDC, and uses that service ticket to
authenticate to KADM5.
.PP
-The local client
+If the database is db2, the local client
.BR kadmin.local ,
is intended to run directly on the master KDC without Kerberos
authentication. The local version provides all of the functionality of
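Review bot: `If the database is db2, the local client` reads as though `kadmin.local` only exists for db2, whereas the condition applies only to where it runs. Suggest keeping `The local client` and moving the condition to the verb, e.g. `is intended to run directly on the master KDC (when the database is db2) without Kerberos authentication.` The stray space before the comma in `.BR kadmin.local ,` predates this change but could be cleaned up in the same hunk.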
@@ -68,6 +70,7 @@ except for database dump and load, which is now provided by the
.IR kdb5_util (8)
utility.
.PP
+If the database is LDAP, kadmin.local need not be run on the KDC.
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
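Review bot: the new line `If the database is LDAP, kadmin.local need not be run on the KDC.` should mark the program name with `.B` like the rest of this page, and it should say what that implies for administrators: the host running `kadmin.local` against LDAP holds the LDAP bind credentials (the `binddn`/`bindpwd` described under `\-x`) and, as the DESCRIPTION says, performs no Kerberos authentication, so it needs the same protection as the KDC itself. One sentence to that effect would prevent readers from treating this as an invitation to run it from an ordinary workstation.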
@@ -130,6 +133,7 @@ and then exit. This can be useful for writing scripts.
.TP
\fB\-d\fP \fIdbname\fP
Specifies the name of the Kerberos database.
+This option does not apply to the LDAP database.
.TP
\fB\-s\fP \fIadmin_server[:port]\fP
Specifies the admin server which kadmin should contact.
@@ -147,6 +151,31 @@ Force use of old AUTH_GSSAPI authentication flavor.
.TP
.B \-N
Prevent fallback to AUTH_GSSAPI authentication flavor.
+.TP
+\fB\-x\fP \fIdb_args\fP
+Specifies the database specific arguments.
+
+Options supported for LDAP database are:
+.sp
+.nf
+.RS 14
+\-x port=<port_number>
+specifies the secure port number where the LDAP server is listening.
+
+\-x host=<hostname>
+specifies the host on which the LDAP server is running.
+The <hostname> should be the same as the host name set in the LDAP server certificate.
+
+\-x binddn=<bind_dn>
+specifies the DN of the object used by the administration server to bind to the LDAP server.
+This object should have the read rights on the realm container and write rights on the subtree
+that is referenced by the realm.
+
+\-x bindpwd=<bind_password>
+specifies the password for the above mentioned binddn. It is recommended not to use this option.
+Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
+.RE
+.fi
.SH DATE FORMAT
Various commands in kadmin can take a variety of date formats,
specifying durations or absolute times. Examples of valid formats are:
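Review bot: the `bindpwd=<bind_password>` entry says the option is not recommended but not why; the concrete reason is that a password given on the command line is visible to other users in process listings and is kept in shell history, which is what `stashsrvpw` avoids, and stating it makes the recommendation actionable. Two smaller points in the same block: `port=<port_number>` calls it `the secure port number` without saying secure in what sense (LDAP over TLS?), and this list uses `.RS 14` while the `db_princ_args` lists later in the patch use a bare `.RS`, so the three option lists will render with different indentation.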
@@ -195,6 +224,23 @@ and
The options are:
.RS
.TP
+\fB\-x\fP \fIdb_princ_args\fP
+Denotes the database specific options. The options for LDAP database are:
+.sp
+.nf
+.RS
+\-x userdn=<user_dn>
+Specifies the user object with which the Kerberos user principal is to be associated.
+
+\-x containerdn=<container_dn>
+Specifies the container object under which the Kerberos service principal is to be created.
+
+\-x tktpolicydn=<policydn>
+Associates a ticket policy object to the Kerberos principal.
+
+.RE
+.fi
+.TP
\fB\-expire\fP \fIexpdate\fP
expiration date of the principal
.TP
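Review bot: the `userdn`, `containerdn` and `tktpolicydn` entries give no value format; all three take an LDAP distinguished name (the addprinc example later in this patch shows `userdn=cn=mwm_user,o=org`), so say so in the placeholders or the text, and document what happens when the named object does not exist. The empty line before `.RE` inside the `.nf` block also emits a blank line in the rendered page; drop it.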
@@ -365,6 +411,15 @@ Enter password for principal tlyu/admin@BLEEP.COM:
Re-enter password for principal tlyu/admin@BLEEP.COM:
Principal "tlyu/admin@BLEEP.COM" created.
kadmin:
+
+kadmin: addprinc -x userdn=cn=mwm_user,o=org mwm_user
+WARNING: no policy specified for "mwm_user@BLEEP.COM";
+defaulting to no policy.
+Enter password for principal mwm_user@BLEEP.COM:
+Re-enter password for principal mwm_user@BLEEP.COM:
+Principal "mwm_user@BLEEP.COM" created.
+kadmin:
+
.TP
ERRORS:
KADM5_AUTH_ADD (requires "add" privilege)
@@ -383,7 +438,7 @@ option is given. This command requires the
.I delete
privilege. Aliased
to
-.BR delprinc .
+.BR delprinc.
.sp
.nf
.RS
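Review bot: `.BR delprinc.` is an unintended regression unrelated to the LDAP work: `.BR` alternates bold and roman arguments, so the original `.BR delprinc .` renders the alias in bold followed by a roman full stop, whereas the new form renders the full stop in bold as part of the alias name. Restore `.BR delprinc .`.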
@@ -414,10 +469,18 @@ will clear the current policy of a principal. This command requires the
.I modify
privilege. Aliased to
.BR modprinc .
-.sp
-.nf
.RS
.TP
+\fB\-x\fP \fIdb_princ_args\fP
+Denotes the database specific options. The options for LDAP database are:
+.sp
+.nf
+.RS
+\-x tktpolicydn=<policydn>
+Associates a ticket policy object to the Kerberos principal.
+.RE
+.fi
+.TP
ERRORS:
KADM5_AUTH_MODIFY (requires "modify" privilege)
KADM5_UNK_PRINC (principal does not exist)
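Review bot: removing the `.sp`/`.nf` lines before `.RS` changes how the ERRORS block that follows is laid out: it was previously in no-fill mode, and the `.fi` now added after the `tktpolicydn` entry only closes the `.nf` opened just above it, so `KADM5_AUTH_MODIFY ...`, `KADM5_UNK_PRINC ...` and the following lines will be filled into one paragraph. Either keep the original `.sp`/`.nf` after the new `.RE`/`.fi`, or restructure the block the way the addprinc hunk does, where the `\-x` entry is inserted into the existing `.RS`/`.TP` option list rather than in front of the error list.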
@@ -457,7 +520,7 @@ daemons earlier than krb5\-1.2.
Keeps the previous kvno's keys around. There is no
easy way to delete the old keys, and this flag is usually not
necessary except perhaps for TGS keys. Don't use this flag unless you
-know what you're doing.
+know what you're doing. This option is not supported for the LDAP database.
.nf
.TP
EXAMPLE:
@@ -569,10 +632,14 @@ sets the minimum length of a password
sets the minimum number of character classes allowed in a password
.TP
\fB\-history\fP \fInumber\fP
-sets the number of past keys kept for a principal
+sets the number of past keys kept for a principal. This option is not supported for LDAP database
.sp
.nf
.TP
+EXAMPLES:
+kadmin: add_policy -maxlife "2 days" -minlength 5 cn=guests,o=org
+kadmin:
+.TP
ERRORS:
KADM5_AUTH_ADD (requires the add privilege)
KADM5_DUP (policy already exists)
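Review bot: the `\-history` line now has inconsistent punctuation: `This option is not supported for LDAP database` lacks the article and the final period that the parallel `\-keepold` sentence in this patch has (`... for the LDAP database.`). The new `EXAMPLES:` entry also uses the DN `cn=guests,o=org` as a policy name without saying this is the LDAP form; either note that here or use a plain policy name so db2 readers are not misled.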
@@ -678,6 +745,8 @@ kadmin:
.RE
.fi
.TP
+Note: All the policy names are in the form of DN for LDAP database.
+.TP
\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
.br
[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
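Review bot: `Note: All the policy names are in the form of DN for LDAP database.` is emitted as the tag of a `.TP` entry, so it renders as a hanging label rather than a paragraph; `.PP` is the right macro here. The note is also placed under a single command while the DN form applies to every command that takes a policy name (including `addprinc` with a policy and `add_policy` shown above), so it belongs in a general place such as the `\-x db_args` description.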
@@ -762,6 +831,9 @@ will exit with an error if this file does
.I not
exist.
.TP
+.B Note:
+The above three files are specific to db2 database.
+.TP
kadm5.acl
file containing list of principals and their
.B kadmin
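Review bot: `.B Note:` followed by a separate text line is again used as a `.TP` tag, which renders the word as a hanging label; a `.PP` paragraph reads better. `The above three files are specific to db2 database.` needs `the db2 database`, and it would help to say where the LDAP configuration's equivalent secret lives, namely the bind password stashed with the `stashsrvpw` command of `kdb5_ldap_util` mentioned under `\-x`, so that file gets the same protection advice as the db2 stash file.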