From: Peter Marschall Date: Sun, 26 Jul 2015 15:04:26 +0200 Subject: [PATCH] contrib/smbk5pwd: add man page, install it too Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to install the new manual page. This patch is derived from the corresponding patch upstreamed in ITS#8205 --- contrib/slapd-modules/smbk5pwd/Makefile | 14 +- contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 | 179 ++++++++++++++++++++++++ 2 files changed, 192 insertions(+), 1 deletion(-) create mode 100644 contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile index 676d914..0042a49 100644 --- a/contrib/slapd-modules/smbk5pwd/Makefile +++ b/contrib/slapd-modules/smbk5pwd/Makefile @@ -25,6 +25,7 @@ HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server) LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. @@ -34,6 +35,7 @@ LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB) PROGRAMS = smbk5pwd.la +MANPAGES = slapo-smbk5pwd.5 LTVER = 0:0:0 prefix=/usr/local @@ -43,6 +45,8 @@ libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -58,9 +62,17 @@ clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 new file mode 100644 index 0000000..431a765 --- /dev/null +++ b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 
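Review bot: In the `@@ -43,6 +45,8 @@` hunk of the Makefile, `mandir` is rooted at `$(exec_prefix)`, but manual pages are architecture-independent data and conventionally install under `$(prefix)/share/man`. When a packager sets `exec_prefix` separately from `prefix`, slapo-smbk5pwd.5 lands in the architecture-specific tree, which may be outside the man search path. Suggest `mandir = $(prefix)/share/man`, keeping `man5dir = $(mandir)/man5` as it is.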
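Review bot: The new `install-man` recipe in the `@@ -58,9 +62,17 @@` hunk creates its directory with `mkdir -p`, so the directory mode follows the installer's umask while the page itself gets an explicit `-m 644`. Using `$(INSTALL) -d -m 755 $(DESTDIR)$(man5dir)` makes the result deterministic and avoids an unreadable or over-permissive man5 directory on a root install; the `mkdir -p` in `install-lib` has the same property. The page is copied verbatim, so the `RELEASEDATE`, `LDVERSION` and `ETCDIR` tokens visible in slapo-smbk5pwd.5 would presumably reach users unsubstituted unless something outside this patch fills them in. `FORCE` only covers `install`; `.PHONY: install install-lib install-man` would also protect the two new sub-targets from a stray file of the same name.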
@@ -0,0 +1,179 @@
+.TH SLAPO-SMBK5PWD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo-smbk5pwd \- Samba & Kerberos password sync overlay to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.RS
+.LP
+include
+.B "/krb5-kdc.schema"
+.LP
+include
+.B "/samba.schema"
+.LP
+moduleload
+.B smbk5pwd.so
+.LP
+ ...
+.LP
+database mdb
+.LP
+ ...
+.LP
+overlay
+.B smbk5pwd
+.RE
+
+.SH DESCRIPTION
+.LP
+The
+.B smbk5pwd
+overlay to
+.BR slapd (8)
+overloads the Password Modify Extended Operation (RFC 3062) to update
+Kerberos keys and Samba password hashes for an LDAP user, as well as
+updating password change related attributes for Kerberos, Samba and/or
+UNIX user accounts.
+.LP
+The Samba support is written using the Samba 3.0 LDAP schema;
+Kerberos support is written for Heimdal using its hdb-ldap backend.
+.LP
+Additionally, a new
+.B {K5KEY}
+password hash mechanism is provided.
+For
+.B krb5KDCEntry
+objects that have this scheme specifier in their
+.I userPassword
+attribute, Simple Binds will be checked against the Kerberos keys of the entry.
+No data is needed after the
+.B {K5KEY}
+scheme specifier in the
+.IR userPassword ,
+it is looked up from the entry directly.
+
+.SH CONFIGURATION
+The
+.B smbk5pwd
+overlay supports the following
+.B slapd.conf
+configuration options, which should appear after the
+.B overlay
+directive:
+.TP
+.BI smbk5pwd-enable " "
+can be used to enable only the desired modules.
+Legal values for
+.I
+are
+.LP
+.RS
+.TP
+.B krb5
+If the user has the
+.B krb5KDCEntry
+objectclass, update the
+.B krb5Key
+and
+.B krb5KeyVersionNumber
+attributes using the new password in the Password Modify operation,
+provided the Kerberos account is not expired.
+Exiration is determined by evaluating the
+.B krb5ValidEnd
+attribute.
+.TP
+.B samba
+If the user is a
+.B sambaSamAccount
+object, synchronize the
+.B sambaLMPassword
+and
+.B sambaNTPassword
+to the password entered in the Password Modify operation, and update
+.B sambaPwdLastSet
+accordingly.
+.TP
+.B shadow
+Update the attribute
+.BR shadowLastChange ,
+if the entry has the objectclass
+.BR shadowAccount .
+.LP
+By default all modules compiled in are enabled.
+Setting the config statement restricts the enabled modules to the ones
+explicitly mentioned.
+.RE
+.TP
+.BI smbk5pwd-can-change " "
+If the
+.B samba
+module is enabled and the user is a
+.BR sambaSamAccount ,
+update the attribute
+.B sambaPwdCanChange
+to point
+.I
+into the future, essentially denying any Samba password change until then.
+A value of
+.B 0
+disables this feature.
+.TP
+.BI smbk5pwd-must-change " "
+If the
+.B samba
+module is enabled and the user is a
+.BR sambaSamAccount ,
+update the attribute
+.B sambaPwdMustChange
+to point
+.I
+into the future, essentially setting the Samba password expiration time.
+A value of
+.B 0
+disables this feature.
+.LP
+Alternatively, the overlay supports table-driven configuration,
+and thus can be run-time loaded and configured via back-config.
+
+.SH EXAMPLE
+The layout of a slapd.d based, table-driven configuration entry looks like:
+.LP
+.EX
+ # {0}smbk5pwd, {1}bdb, config
+ dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
+ objectClass: olcOverlayConfig
+ objectClass: olcSmbK5PwdConfig
+ olcOverlay: {0}smbk5pwd
+ olcSmbK5PwdEnable: krb5
+ olcSmbK5PwdEnable: samba
+ olcSmbK5PwdMustChange: 2592000
+.EE
+.LP
+which enables both
+.B krb5
+and
+.B samba
+modules with a Samba password expiration time of 30 days (=
+.B 2592000
+seconds).
+
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR ldappasswd (1),
+.BR ldap (3),
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.LP
+
+.SH ACKNOWLEDGEMENTS
+This manual page has been writen by Peter Marschall based on the
+module's README file written by Howard Chu.
+.LP
+.B OpenLDAP
+is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
+.B OpenLDAP
+is derived from University of Michigan LDAP 3.3 Release.
+
--
2.5.0