authorJelmer Vernooij <jelmer@samba.org>2013-12-07 13:31:25 +0000
committerJelmer Vernooij <jelmer@samba.org>2013-12-07 13:31:25 +0000
commitd6ae20ad6d7397cb776301c01026e62da2c3f236 (patch)
treeaf4ac8cc8947c84f465bd4f88a4838ed17d0fc85 /doc
parent3ad404c058054f0300196ea53478ca14e28cd232 (diff)
Imported Upstream version 1.6~git20131117+dfsg
Diffstat (limited to 'doc')
-rw-r--r--doc/hx509.texi16
-rw-r--r--doc/migration.texi26
-rw-r--r--doc/setup.texi44
-rw-r--r--doc/whatis.texi11
-rw-r--r--doc/win2k.texi3
5 files changed, 81 insertions, 19 deletions
diff --git a/doc/hx509.texi b/doc/hx509.texi
index c927357f7..d050c2118 100644
--- a/doc/hx509.texi
+++ b/doc/hx509.texi
@@ -34,9 +34,18 @@
@subtitle 2008
@author Love Hörnquist Åstrand
+@iftex
@def@copynext{@vskip 20pt plus 1fil}
@def@copyrightstart{}
@def@copyrightend{}
+@end iftex
+@macro copynext
+@end macro
+@macro copyrightstart
+@end macro
+@macro copyrightend
+@end macro
+
@page
@copyrightstart
Copyright (c) 1994-2008 Kungliga Tekniska Högskolan
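Review bot: the @iftex block keeps the TeX @def definitions of @copynext, @copyrightstart and @copyrightend, but the three empty @macro definitions that follow are unconditional, so the TeX pass also processes them and, coming later in the file, they can redefine the same names and silently drop the `@vskip 20pt plus 1fil` spacing. Wrap the @macro blocks in @ifnottex ... @end ifnottex so each output format sees exactly one definition of each name.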
@@ -183,6 +192,13 @@ This manual is for version @value{VERSION} of hx509.
* CMS signing and encryption::
* Certificate matching::
* Software PKCS 11 module::
+* Creating a CA certificate::
+* Issuing certificates::
+* Issuing CRLs::
+* Application requirements::
+* CMS background::
+* Matching syntax::
+* How to use the PKCS11 module::
@detailmenu
--- The Detailed Node Listing ---
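Review bot: the seven new entries are added to the master menu as siblings of the chapter entries, but their titles (Creating a CA certificate, Issuing certificates, Issuing CRLs, CMS background, Matching syntax, How to use the PKCS11 module) read as subsections of the chapters listed directly above them. If they were added to silence makeinfo's node-not-in-menu warnings, they belong in the @detailmenu that starts on the next line, under their parent chapters; as placed, the Info navigation lists sections alongside chapters and no longer matches the printed structure.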
diff --git a/doc/migration.texi b/doc/migration.texi
index d13d7041d..2fa7ede59 100644
--- a/doc/migration.texi
+++ b/doc/migration.texi
@@ -5,14 +5,34 @@
@section Migration from MIT Kerberos to Heimdal
-hpropd can read MIT Kerberos dump, the format is the same as used in
-mit-kerberos 1.0b7, and to dump that format use the following command:
-@samp{kdb5_util dump -b7}.
+hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or
+version 6 format. Simply run:
+@samp{kdb5_util dump}.
To load the MIT Kerberos dump file, use the following command:
@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}
+kadmin can dump in MIT Kerberos format. Simply run:
+@samp{kadmin -l dump -f MIT}.
+
+The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
+library can read and write MIT KDBs, and can read MIT stash files. To
+build with KDB support requires having a standalone libdb from MIT
+Kerberos and associated headers, then you can configure Heildal as
+follows:
+
+@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}
+
+At this time support for MIT Kerberos KDB dump/load format and direct
+KDB access does not include support for PKINIT, or K/M key history,
+constrained delegation, and other advanced features.
+
+Heimdal supports using multiple HDBs at once, with all write going to
+just one HDB. This allows for entries to be moved to a native HDB from
+an MIT KDB over time as those entries are changed. Or you can use hprop
+and hpropd.
+
@section General issues
When migrating from a Kerberos 4 KDC.
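Review bot: typo in the configure paragraph, "then you can configure Heildal as follows" should read "Heimdal". Two more wording fixes in the added text: "hpropd can read MIT Kerberos dump in" needs an article ("an MIT Kerberos dump"), and "with all write going to just one HDB" should be "with all writes going". The multiple-HDB paragraph would also benefit from one sentence saying how the write target is chosen, since "just one HDB" leaves the reader guessing whether it is the first one listed or set explicitly.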
diff --git a/doc/setup.texi b/doc/setup.texi
index 6c34d77d9..48bcc6a8f 100644
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -1053,7 +1053,8 @@ Its also possible to configure the ldap backend as a shared module,
see option --hdb-openldap-module to configure.
@item
-Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
+Optionally configure OpenLDAP with @kbd{--enable-local} to enable the
+local transport.
@item
Add the hdb schema to the LDAP server, it's included in the source-tree
@@ -1064,8 +1065,8 @@ include /usr/local/etc/openldap/schema/hdb.schema
@end example
@item
-Configure the LDAP server ACLs to accept writes from clients over the
-local transport. For example:
+Configure the LDAP server ACLs to accept writes from clients. For
+example:
@example
access to *
@@ -1085,10 +1086,15 @@ krb5Principal aux object with krb5PrincipalName set so that the
Another option is to create an admins group and add the dn to that
group.
-Since Heimdal talks to the LDAP server over a UNIX domain socket, and
-uses external sasl authentication, it's not possible to require
-security layer quality (ssf in cyrus-sasl lingo). So that requirement
-has to be turned off in OpenLDAP @command{slapd} configuration file
+If a non-local LDAP connection is used, the authz-regexp is not
+needed as Heimdal will bind to LDAP over the network using
+provided credentials.
+
+Since Heimdal talks to the LDAP server over a UNIX domain socket when
+configured for ldapi:///, and uses external sasl authentication, it's
+not possible to require security layer quality (ssf in cyrus-sasl lingo).
+So that requirement has to be turned off in OpenLDAP @command{slapd}
+configuration file
@file{slapd.conf}.
@example
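Review bot: "So that requirement has to be turned off in OpenLDAP @command{slapd} configuration file" is still stated unconditionally, even though the sentence before it now qualifies the UNIX-socket case with "when configured for ldapi:///" and the new paragraph above introduces network binds "using provided credentials". For a network ldap:// connection, dropping the ssf requirement means a simple bind sends the password with no security layer; condition the ssf advice on the ldapi case and, for the network case, point readers at ldaps:// or start-tls rather than at turning the requirement off.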
@@ -1116,9 +1122,14 @@ enter the path to the kadmin acl file:
@example
[kdc]
+ # Optional configuration
+ hdb-ldap-structural-object = inetOrgPerson
+ hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname
+ hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials
+ hdb-ldap-start-tls = false
+
database = @{
dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
- hdb-ldap-structural-object = inetOrgPerson
acl_file = /path/to/kadmind.acl
mkey_file = /path/to/mkey
@}
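Review bot: the line `hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname` sits inside an @example that otherwise shows literal [kdc] settings, so a reader who copies the block gets an invalid value; show a single value (`hdb-ldap-url = ldapi:///`) and list the alternatives in prose or in a comment line. The same block shows `hdb-ldap-start-tls = false` next to the ldap://hostname alternative with nothing saying that a plaintext ldap:// URL should set start-tls to true or use ldaps://, which matters because the bind password from hdb-ldap-secret-file travels over that connection. Moving hdb-ldap-structural-object out of the database block and up into [kdc] is fine, provided the "hdb-ldap-structural-object is not necessary" sentence in the following hunk still points readers at the right place.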
@@ -1129,7 +1140,18 @@ directory to have the raw keys inside it. The
hdb-ldap-structural-object is not necessary if you do not need Samba
comatibility.
+If connecting to a server over a non-local transport, the @samp{hdb-ldap-url}
+and @samp{hdb-ldap-secret-file} options must be provided. The
+@samp{hdb-ldap-secret-file} must contain the bind credentials:
+
+@example
+[kdc]
+ hdb-ldap-bind-dn = uid=heimdal,dc=services,dc=example,dc=com
+ hdb-ldap-bind-password = secretBindPassword
+@end example
+The @samp{hdb-ldap-secret-file} and should be protected with appropriate
+file permissions
@item
Once you have built Heimdal and started the LDAP server, run kadmin
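Review bot: "The @samp{hdb-ldap-secret-file} and should be protected with appropriate file permissions" has a stray "and" and no terminating period; suggest "The @samp{hdb-ldap-secret-file} should be readable only by the user the KDC and kadmind run as (for example mode 0600)." The example shows the secret file with a [kdc] section header, so a sentence stating that the file uses krb5.conf syntax would stop readers from putting bare key=value lines in it. The first sentence also says hdb-ldap-url and hdb-ldap-secret-file "must be provided" for a non-local transport, while the block in the previous hunk lists hdb-ldap-secret-file under "# Optional configuration"; the two should agree.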
@@ -1490,8 +1512,8 @@ can't find enough certificates in the request from the client.
@item pkinit_allow_proxy_certificate = bool
-Allow clients to use proxy certificates, its the root certificate that
-is clients EE certificate that is used for authorisation.
+Allow clients to use proxy certificates. The root certificate
+of the client's End Entity certificate is used for authorisation.
@item pkinit_win2k_require_binding = bool
@@ -1520,7 +1542,7 @@ mapping between a certificate and principal.
@subsection Using pki-mapping file
-Note that the file name is space sensitive.
+Note that the file contents are space sensitive.
@example
# cat /var/heimdal/pki-mapping
diff --git a/doc/whatis.texi b/doc/whatis.texi
index 8c1f45ddb..7d83725d9 100644
--- a/doc/whatis.texi
+++ b/doc/whatis.texi
@@ -35,16 +35,19 @@ services can authenticate each other.
@end macro
@end ifinfo
-@tex
-@def@xsub#1{$_{#1}$}
-@global@let@sub=@xsub
-@end tex
+@iftex
+@macro sub{arg}
+@textsubscript{\arg\}
+@end macro
+@end iftex
@ifhtml
@macro sub{arg}
+
@html
<sub>\arg\</sub>
@end html
+
@end macro
@end ifhtml
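Review bot: the removed @tex block defined @sub on its own, whereas the replacement depends on @textsubscript inside @iftex, so please confirm the texinfo.tex shipped with the tree actually provides that command (and that the installed makeinfo does not already define @sub natively, which would clash with the @macro); otherwise the printed manual stops building where it used to work. In the @ifhtml branch, the two blank lines added inside the macro body become paragraph breaks in the expansion, so a @sub{...} in running text may close the enclosing <p> around the <sub> element; if the blank lines were needed to keep @html on a line of its own, check the generated HTML for a subscript inside a paragraph before merging.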
diff --git a/doc/win2k.texi b/doc/win2k.texi
index 0452b4d80..0fefeee3f 100644
--- a/doc/win2k.texi
+++ b/doc/win2k.texi
@@ -311,4 +311,5 @@ Other useful programs include these:
@itemize @bullet
@item pwdump2
-@uref{http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm}@end itemize
+@uref{http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm}
+@end itemize