field | value | date
---|---|---
author | Jelmer Vernooij <jelmer@samba.org> | 2013-12-07 13:31:25 +0000
committer | Jelmer Vernooij <jelmer@samba.org> | 2013-12-07 13:31:25 +0000
commit | d6ae20ad6d7397cb776301c01026e62da2c3f236 |
tree | af4ac8cc8947c84f465bd4f88a4838ed17d0fc85 (doc) |
parent | 3ad404c058054f0300196ea53478ca14e28cd232 |
Imported Upstream version 1.6~git20131117+dfsg
Diffstat (limited to 'doc')
mode | file | lines changed
---|---|---
-rw-r--r-- | doc/hx509.texi | 16
-rw-r--r-- | doc/migration.texi | 26
-rw-r--r-- | doc/setup.texi | 44
-rw-r--r-- | doc/whatis.texi | 11
-rw-r--r-- | doc/win2k.texi | 3
5 files changed, 81 insertions, 19 deletions
diff --git a/doc/hx509.texi b/doc/hx509.texi index c927357f7..d050c2118 100644 --- a/doc/hx509.texi +++ b/doc/hx509.texi @@ -34,9 +34,18 @@ @subtitle 2008 @author Love Hörnquist Åstrand +@iftex @def@copynext{@vskip 20pt plus 1fil} @def@copyrightstart{} @def@copyrightend{} +@end iftex +@macro copynext +@end macro +@macro copyrightstart +@end macro +@macro copyrightend +@end macro + @page @copyrightstart Copyright (c) 1994-2008 Kungliga Tekniska Högskolan @@ -183,6 +192,13 @@ This manual is for version @value{VERSION} of hx509. * CMS signing and encryption:: * Certificate matching:: * Software PKCS 11 module:: +* Creating a CA certificate:: +* Issuing certificates:: +* Issuing CRLs:: +* Application requirements:: +* CMS background:: +* Matching syntax:: +* How to use the PKCS11 module:: @detailmenu --- The Detailed Node Listing --- diff --git a/doc/migration.texi b/doc/migration.texi index d13d7041d..2fa7ede59 100644 --- a/doc/migration.texi +++ b/doc/migration.texi 
@@ -5,14 +5,34 @@ @section Migration from MIT Kerberos to Heimdal -hpropd can read MIT Kerberos dump, the format is the same as used in -mit-kerberos 1.0b7, and to dump that format use the following command: -@samp{kdb5_util dump -b7}. +hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or +version 6 format. Simply run: +@samp{kdb5_util dump}. To load the MIT Kerberos dump file, use the following command: @samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin} +kadmin can dump in MIT Kerberos format. Simply run: +@samp{kadmin -l dump -f MIT}. + +The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv +library can read and write MIT KDBs, and can read MIT stash files. To +build with KDB support requires having a standalone libdb from MIT +Kerberos and associated headers, then you can configure Heildal as +follows: + +@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb} + +At this time support for MIT Kerberos KDB dump/load format and direct +KDB access does not include support for PKINIT, or K/M key history, +constrained delegation, and other advanced features. + +Heimdal supports using multiple HDBs at once, with all write going to +just one HDB. This allows for entries to be moved to a native HDB from +an MIT KDB over time as those entries are changed. Or you can use hprop +and hpropd. + @section General issues When migrating from a Kerberos 4 KDC. diff --git a/doc/setup.texi b/doc/setup.texi index 6c34d77d9..48bcc6a8f 100644 --- a/doc/setup.texi +++ b/doc/setup.texi 
@@ -1053,7 +1053,8 @@ Its also possible to configure the ldap backend as a shared module, see option --hdb-openldap-module to configure. @item -Configure OpenLDAP with @kbd{--enable-local} to enable the local transport. +Optionally configure OpenLDAP with @kbd{--enable-local} to enable the +local transport. @item Add the hdb schema to the LDAP server, it's included in the source-tree @@ -1064,8 +1065,8 @@ include /usr/local/etc/openldap/schema/hdb.schema @end example @item -Configure the LDAP server ACLs to accept writes from clients over the -local transport. For example: +Configure the LDAP server ACLs to accept writes from clients. For +example: @example access to * @@ -1085,10 +1086,15 @@ krb5Principal aux object with krb5PrincipalName set so that the Another option is to create an admins group and add the dn to that group. -Since Heimdal talks to the LDAP server over a UNIX domain socket, and -uses external sasl authentication, it's not possible to require -security layer quality (ssf in cyrus-sasl lingo). So that requirement -has to be turned off in OpenLDAP @command{slapd} configuration file +If a non-local LDAP connection is used, the authz-regexp is not +needed as Heimdal will bind to LDAP over the network using +provided credentials. + +Since Heimdal talks to the LDAP server over a UNIX domain socket when +configured for ldapi:///, and uses external sasl authentication, it's +not possible to require security layer quality (ssf in cyrus-sasl lingo). +So that requirement has to be turned off in OpenLDAP @command{slapd} +configuration file @file{slapd.conf}. @example 
@@ -1116,9 +1122,14 @@ enter the path to the kadmin acl file: @example [kdc] + # Optional configuration + hdb-ldap-structural-object = inetOrgPerson + hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname + hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials + hdb-ldap-start-tls = false + database = @{ dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com - hdb-ldap-structural-object = inetOrgPerson acl_file = /path/to/kadmind.acl mkey_file = /path/to/mkey @} @@ -1129,7 +1140,18 @@ directory to have the raw keys inside it. The hdb-ldap-structural-object is not necessary if you do not need Samba comatibility. +If connecting to a server over a non-local transport, the @samp{hdb-ldap-url} +and @samp{hdb-ldap-secret-file} options must be provided. The +@samp{hdb-ldap-secret-file} must contain the bind credentials: + +@example +[kdc] + hdb-ldap-bind-dn = uid=heimdal,dc=services,dc=example,dc=com + hdb-ldap-bind-password = secretBindPassword +@end example +The @samp{hdb-ldap-secret-file} and should be protected with appropriate +file permissions @item Once you have built Heimdal and started the LDAP server, run kadmin @@ -1490,8 +1512,8 @@ can't find enough certificates in the request from the client. @item pkinit_allow_proxy_certificate = bool -Allow clients to use proxy certificates, its the root certificate that -is clients EE certificate that is used for authorisation. +Allow clients to use proxy certificates. The root certificate +of the client's End Entity certificate is used for authorisation. @item pkinit_win2k_require_binding = bool @@ -1520,7 +1542,7 @@ mapping between a certificate and principal. @subsection Using pki-mapping file -Note that the file name is space sensitive. +Note that the file contents are space sensitive. @example # cat /var/heimdal/pki-mapping diff --git a/doc/whatis.texi b/doc/whatis.texi index 8c1f45ddb..7d83725d9 100644 --- a/doc/whatis.texi +++ b/doc/whatis.texi 
@@ -35,16 +35,19 @@ services can authenticate each other. @end macro @end ifinfo -@tex -@def@xsub#1{$_{#1}$} -@global@let@sub=@xsub -@end tex +@iftex +@macro sub{arg} +@textsubscript{\arg\} +@end macro +@end iftex @ifhtml @macro sub{arg} + @html <sub>\arg\</sub> @end html + @end macro @end ifhtml diff --git a/doc/win2k.texi b/doc/win2k.texi index 0452b4d80..0fefeee3f 100644 --- a/doc/win2k.texi +++ b/doc/win2k.texi @@ -311,4 +311,5 @@ Other useful programs include these: @itemize @bullet @item pwdump2 -@uref{http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm}@end itemize +@uref{http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm} +@end itemize |
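
Review bot: in the first hx509.texi hunk the non-TeX fallbacks `@macro copynext`, `@macro copyrightstart` and `@macro copyrightend` have empty bodies, so if the source relies on `@copynext` alone to separate the copyright notices, Info and HTML output will run them together while the printed manual still gets the `@vskip 20pt plus 1fil`; a blank line or `@sp 1` in the `copynext` body keeps the separation in every format.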
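
Review bot: in the hx509.texi menu hunk, the seven entries added after `* Software PKCS 11 module::` (`* Creating a CA certificate::` through `* How to use the PKCS11 module::`) go into the Top-level menu beside the chapter entries, yet their titles read like sections of those chapters (CA creation and CRL issuance, matching syntax, PKCS11 usage). If their `@node` lines point Up to a chapter, makeinfo will complain that the Top menu and the Up pointers disagree; the `@detailmenu` that follows is where section entries belong. Please confirm the `@node` pointers agree with this menu, or move the entries under their chapters in the detailed listing.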
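
Review bot: the migration.texi hunk has three wording slips in the added lines: `configure Heildal` should be `configure Heimdal`; `with all write going to just one HDB` should be `with all writes going to just one HDB`; and `can read MIT Kerberos dump in "kdb5_util load_dump version 5" or version 6 format` is clearer as `can read MIT Kerberos dumps whose header line is "kdb5_util load_dump version 5" or "kdb5_util load_dump version 6"`, since that string is the first line of the dump file. Two substantive points: `@samp{kdb5_util dump}` with no file argument writes to standard output, while the next command expects `--database=dump-file`, so the example should be `kdb5_util dump dump-file` or say to redirect the output. And `LDLIBS=-ldb` in the configure line is a make variable, not one an autoconf-generated `configure` reads; unless Heimdal's configure.ac handles it specially this should be `LIBS=-ldb`. Finally, both the MIT dump and the output of `kadmin -l dump -f MIT` contain principal keys (the hprop pipeline in the unchanged context even decrypts them with `--decrypt --stdout`), so the section should tell readers to create the dump with restrictive permissions and remove it once the migration is complete.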
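
Review bot: in the setup.texi hunk at `@@ -1053,7 +1053,8 @@`, `Optionally configure OpenLDAP with @kbd{--enable-local}` understates the dependency: the later config hunk keeps `ldapi:///` as the default `hdb-ldap-url`, so the local transport is required unless the administrator sets `hdb-ldap-url` to `ldap://` or `ldaps://`. Suggest: `Configure OpenLDAP with @kbd{--enable-local} if you will use the default ldapi:/// transport.`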
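
Review bot: in the setup.texi hunk at `@@ -1085,10 +1086,15 @@`, the new sentence `If a non-local LDAP connection is used, the authz-regexp is not needed as Heimdal will bind to LDAP over the network using provided credentials` should carry its security consequence: with a network URL the bind DN and password, and every key written to the HDB, cross the wire, so the advice to turn off the ssf requirement applies only to the `ldapi:///` case. For `ldap://hostname` the text should tell readers to set `hdb-ldap-start-tls = true` (or use `ldaps://`) and keep a non-zero ssf requirement in `slapd.conf`, rather than leaving the reader to infer it.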
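
Review bot: in the setup.texi hunk at `@@ -1116,9 +1122,14 @@`, `hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname` sits inside an `@example` readers paste into `krb5.conf`, but it is not a valid setting; show one concrete value (for instance `hdb-ldap-url = ldaps://ldap.example.com`) and move the alternatives and the default into the prose. The same goes for `hdb-ldap-start-tls = false`: presenting the insecure default as the example value invites copying it, so either show `true` or describe the default in prose. Also, `hdb-ldap-structural-object` moves from inside `database = @{ ... @}` to directly under `[kdc]`; if the ldap backend reads all `hdb-ldap-*` options from `[kdc]` rather than the database block, say so explicitly, since the surrounding text does not.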
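
Review bot: in the setup.texi hunk at `@@ -1129,7 +1140,18 @@`, `The @samp{hdb-ldap-secret-file} and should be protected with appropriate file permissions` is a broken sentence with no full stop; suggest `The @samp{hdb-ldap-secret-file} holds the bind password in clear and must be readable only by the user the KDC and kadmind run as.` It would also help to say that the file uses krb5.conf syntax, which the example implies by showing a `[kdc]` section containing `hdb-ldap-bind-dn` and `hdb-ldap-bind-password`. While here, the unchanged context line `Samba comatibility` should read `Samba compatibility`.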
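
Review bot: in the whatis.texi hunk, `@textsubscript` in the new `@iftex` macro is not a command I can find in the Texinfo manual; recent Texinfo provides `@sub{}` and `@sup{}` for subscripts in every output format, which would replace both the `@iftex` and `@ifhtml` definitions of `sub`, and a user `@macro sub` shadows that built-in on newer makeinfo. Please check which Texinfo version the build requires and either confirm that texinfo.tex defines `@textsubscript` or drop the macros in favour of `@sub`. Separately, the blank lines added inside the `@ifhtml` macro body around `@html`/`@end html` become paragraph breaks when the macro expands mid-sentence; if they work around a parser problem, a `@c` comment saying so would help the next reader.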