summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/lib/kadm5/iprop.8
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/lib/kadm5/iprop.8')
-rw-r--r--third_party/heimdal/lib/kadm5/iprop.8208
1 files changed, 208 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/kadm5/iprop.8 b/third_party/heimdal/lib/kadm5/iprop.8
new file mode 100644
index 0000000..b881c44
--- /dev/null
+++ b/third_party/heimdal/lib/kadm5/iprop.8
@@ -0,0 +1,208 @@
+.\" $Id$
+.\"
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd May 24, 2005
+.Dt IPROP 8
+.Os
+.Sh NAME
+.Nm iprop ,
+.Nm ipropd-master ,
+.Nm ipropd-slave
+.Nd propagate transactions from a Heimdal Kerberos master KDC to slave KDCs
+.Sh SYNOPSIS
+.Nm ipropd-master
+.Oo Fl c Ar string \*(Ba Xo
+.Fl Fl config-file= Ns Ar string
+.Xc
+.Oc
+.Oo Fl r Ar string \*(Ba Xo
+.Fl Fl realm= Ns Ar string
+.Xc
+.Oc
+.Oo Fl k Ar kspec \*(Ba Xo
+.Fl Fl keytab= Ns Ar kspec
+.Xc
+.Oc
+.Oo Fl d Ar file \*(Ba Xo
+.Fl Fl database= Ns Ar file
+.Xc
+.Oc
+.Op Fl Fl slave-stats-file= Ns Ar file
+.Op Fl Fl time-missing= Ns Ar time
+.Op Fl Fl time-gone= Ns Ar time
+.Op Fl Fl detach
+.Op Fl Fl version
+.Op Fl Fl help
+.Nm ipropd-slave
+.Oo Fl c Ar string \*(Ba Xo Fl Fl config-file= Ns Ar string Xc Oc
+.Oo Fl r Ar string \*(Ba Xo Fl Fl realm= Ns Ar string Xc Oc
+.Oo Fl d Ar file \*(Ba Xo Fl Fl database= Ns Ar file Xc Oc
+.Oo Fl k Ar kspec \*(Ba Xo Fl Fl keytab= Ns Ar kspec Xc Oc
+.Op Fl Fl statusfile= Ns Ar file
+.Op Fl Fl hostname= Ns Ar hostname
+.Op Fl Fl port= Ns Ar port
+.Op Fl Fl time-lost= Ns Ar time
+.Op Fl Fl async-hdb
+.Op Fl Fl detach
+.Op Fl Fl version
+.Op Fl Fl help
+.Ar master
+.Sh DESCRIPTION
+.Nm ipropd-master
+is used to propagate changes to a Heimdal Kerberos database from the
+master Kerberos server on which it runs to slave Kerberos servers
+running
+.Nm ipropd-slave .
+.Pp
+The slaves are specified by the contents of the
+.Pa slaves
+file in the KDC's database directory, e.g.\&
+.Pa /var/heimdal/slaves .
+This has principals one per-line of the form
+.Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM
+where
+.Ar slave
+is the hostname of the slave server in the given
+.Ar REALM ,
+e.g.\&
+.Dl iprop/kerberos-1.example.com@EXAMPLE.COM
+On a slave, the argument
+.Fa master
+specifies the hostname of the master server from which to receive updates.
+.Pp
+In contrast to
+.Xr hprop 8 ,
+which sends the whole database to the slaves regularly,
+.Nm
+normally sends only the changes as they happen on the master.
+The master keeps track of all the changes by assigning a version
+number to every transaction to the database.
+The slaves know which was the latest version they saw, and in this
+way it can be determined if they are in sync or not.
+A log of all the transactions is kept on the master.
+When a slave is at an older version than the oldest one in the log,
+the whole database has to be sent.
+.Pp
+The log of transactions is also used to implement a two-phase commit
+(with roll-forward for recovery) method of updating the HDB.
+Transactions are first recorded in the log, then in the HDB, then
+the log is updated to mark the transaction as committed.
+.Pp
+The changes are propagated over a secure channel (on port 2121 by
+default).
+This should normally be defined as
+.Dq iprop/tcp
+in
+.Pa /etc/services
+or another source of the services database.
+The master and slaves
+must each have access to a keytab with keys for the
+.Nm iprop
+service principal on the local host.
+.Pp
+There is a keep-alive feature logged in the master's
+.Pa slave-stats
+file (e.g.\&
+.Pa /var/heimdal/slave-stats ) .
+.Pp
+Note that hierarchical replication is supported by running
+an
+.Nm ipropd-master
+on the same KDC as an
+.Nm ipropd-slave .
+.Pp
+Supported options for
+.Nm ipropd-master :
+.Bl -tag -width Ds
+.It Fl c Ar string , Fl Fl config-file= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
+Keytab for authenticating
+.Nm ipropd-slave
+clients.
+.It Fl d Ar file , Fl Fl database= Ns Ar file
+Database (default per KDC)
+.It Fl Fl slave-stats-file= Ns Ar file
+File for slave status information.
+.It Fl Fl time-missing= Ns Ar time
+Time before slave is polled for presence (default 2 min).
+.It Fl Fl time-gone= Ns Ar time
+Time of inactivity after which a slave is considered gone (default 5 min).
+.It Fl Fl detach
+Detach from console.
+.It Fl Fl version
+.It Fl Fl help
+.El
+.Pp
+Supported options for
+.Nm ipropd-slave :
+.Bl -tag -width Ds
+.It Fl c Ar string , Fl Fl config-file= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
+.It Fl d Ar file , Fl Fl database= Ns Ar file
+Database (default per KDC)
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
+Keytab with client credentials for authenticating to
+.Nm ipropd-master .
+.It Fl Fl status-file= Ns Ar file
+.It Fl Fl hostname= Ns Ar hostname
+Hostname for client principal if different from actual hostname.
+.It Fl Fl port= Ns Ar port
+.It Fl Fl time-lost= Ns Ar time
+time before server is considered lost (default 5 min)
+.It Fl Fl async-hdb
+Use asynchronous writes.
+This is very useful for very busy sites or sites with very large
+HDBs.
+.It Fl Fl detach
+Detach from console.
+.It Fl Fl version
+.It Fl Fl help
+.El
+Time arguments for the relevant options above may be specified in forms
+like 5 min, 300 s, or simply a number of seconds.
+.Sh FILES
+.Pa slaves ,
+.Pa slave-stats
+in the database directory.
+.Pa ipropd-master.pid ,
+.Pa ipropd-slave.pid
+in the database directory, or in the directory named by the
+.Ev HEIM_PIDFILE_DIR
+environment variable.
+.Sh SEE ALSO
+.Xr krb5.conf 5 ,
+.Xr hprop 8 ,
+.Xr hpropd 8 ,
+.Xr iprop-log 8 ,
+.Xr kdc 8 .