kadmind has always only supported binding to the wildcard addresses.
Add three configuration options to allow specifying the address/port
that kadmind listens on for kpasswd, kadmin, and iprop connections.
[ghudson@mit.edu: edited documentation; minimized changes to
setup_loop(); added iprop_listen]
ticket: 1093
new updates from the master. The default value is ``2m`` (that
is, two minutes).
+**iprop_listen**
+ (Whitespace- or comma-separated list.) Specifies the iprop RPC
+ listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If kadmind fails to bind
+ to any of the specified addresses, it will fail to start. The
+ default (when **iprop_enable** is true) is to bind to the wildcard
+ address at the port specified in **iprop_port**. New in release
+ 1.15.
+
**iprop_port**
(Port number.) Specifies the port number to be used for
- incremental propagation. This is required in both master and
- slave configuration files.
+ incremental propagation. When **iprop_enable** is true, this
+ relation is required in the slave configuration file, and this
+ relation or **iprop_listen** is required in the master
+ configuration file, as there is no default port number. Port
+ numbers specified in **iprop_listen** entries will override this
+ port number for the :ref:`kadmind(8)` daemon.
**iprop_resync_timeout**
(Delta time string.) Specifies the amount of time to wait for a
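Review bot: the **iprop_port** text now says the relation (or **iprop_listen**) is required on the master "as there is no default port number", but neither paragraph states what happens when the master config has **iprop_enable** true and no port in either relation; state the failure mode explicitly (for example, that kadmind refuses to start with a configuration error) so the "required" wording matches observable behaviour and the startup check can be tested.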
**database_name** is used. Determination of the **iprop_logfile**
default value will not use values from the [dbmodules] section.)
+**kadmind_listen**
+ (Whitespace- or comma-separated list.) Specifies the kadmin RPC
+ listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If kadmind fails to bind
+ to any of the specified addresses, it will fail to start. The
+ default is to bind to the wildcard address at the port specified
+ in **kadmind_port**, or the standard kadmin port (749). New in
+ release 1.15.
+
**kadmind_port**
(Port number.) Specifies the port on which the :ref:`kadmind(8)`
- daemon is to listen for this realm. The assigned port for kadmind
- is 749, which is used by default.
+ daemon is to listen for this realm. Port numbers specified in
+ **kadmind_listen** entries will override this port number. The
+ assigned port for kadmind is 749, which is used by default.
**key_stash_file**
(String.) Specifies the location where the master key has been
port 88 (the standard port). Prior to release 1.13, the default
was not to listen for TCP connections at all.
+**kpasswd_listen**
+ (Comma-separated list.) Specifies the kpasswd listening addresses
+ and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be
+ an interface address, a port number, or an address and port number
+ separated by a colon. If the address contains colons, enclose it
+ in square brackets. If no address is specified, the wildcard
+ address is used. If kadmind fails to bind to any of the specified
+ addresses, it will fail to start. The default is to bind to the
+ wildcard address at the port specified in **kpasswd_port**, or the
+ standard kpasswd port (464). New in release 1.15.
+
+**kpasswd_port**
+ (Port number.) Specifies the port on which the :ref:`kadmind(8)`
+ daemon is to listen for password change requests for this realm.
+ Port numbers specified in **kpasswd_listen** entries will override
+ this port number. The assigned port for password change requests
+ is 464, which is used by default.
+
**master_key_name**
(String.) Specifies the name of the principal associated with the
master key. The default is ``K/M``.
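Review bot: the parenthetical for **kpasswd_listen** reads "(Comma-separated list.)" while **iprop_listen** and **kadmind_listen** both read "(Whitespace- or comma-separated list.)"; unless the kpasswd list really is parsed differently, change it to "(Whitespace- or comma-separated list.)" so the three relations document the same syntax.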
#define KRB5_CONF_HTTP_ANCHORS "http_anchors"
#define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME "ignore_acceptor_hostname"
#define KRB5_CONF_IPROP_ENABLE "iprop_enable"
+#define KRB5_CONF_IPROP_LISTEN "iprop_listen"
#define KRB5_CONF_IPROP_LOGFILE "iprop_logfile"
#define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
#define KRB5_CONF_IPROP_PORT "iprop_port"
#define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll"
#define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative"
#define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory"
+#define KRB5_CONF_KADMIND_LISTEN "kadmind_listen"
#define KRB5_CONF_KADMIND_PORT "kadmind_port"
#define KRB5_CONF_KCM_MACH_SERVICE "kcm_mach_service"
#define KRB5_CONF_KCM_SOCKET "kcm_socket"
#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
#define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
+#define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen"
#define KRB5_CONF_KPASSWD_PORT "kpasswd_port"
#define KRB5_CONF_KPASSWD_SERVER "kpasswd_server"
#define KRB5_CONF_KRB524_SERVER "krb524_server"
if (ret)
return ret;
if (!proponly) {
- ret = loop_add_udp_address(handle->params.kpasswd_port, NULL);
+ ret = loop_add_udp_address(handle->params.kpasswd_port,
+ handle->params.kpasswd_listen);
if (ret)
return ret;
- ret = loop_add_tcp_address(handle->params.kpasswd_port, NULL);
+ ret = loop_add_tcp_address(handle->params.kpasswd_port,
+ handle->params.kpasswd_listen);
if (ret)
return ret;
- ret = loop_add_rpc_service(handle->params.kadmind_port, NULL, KADM,
- KADMVERS, kadm_1);
+ ret = loop_add_rpc_service(handle->params.kadmind_port,
+ handle->params.kadmind_listen,
+ KADM, KADMVERS, kadm_1);
if (ret)
return ret;
}
#ifndef DISABLE_IPROP
if (handle->params.iprop_enabled) {
- ret = loop_add_rpc_service(handle->params.iprop_port, NULL,
+ ret = loop_add_rpc_service(handle->params.iprop_port,
+ handle->params.iprop_listen,
KRB5_IPROP_PROG, KRB5_IPROP_VERS,
krb5_iprop_prog_1);
if (ret)
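Review bot: the documentation promises that kadmind fails to start if it cannot bind any configured address, but the only error handling visible here is the `if (ret) return ret;` after each loop_add_* call, which by name appear to queue addresses rather than bind them; verify that the later bind step treats any failure as fatal rather than skipping the address, and note that kpasswd UDP and TCP both receive the same `kpasswd_listen` string, so a port-only entry there changes both listeners.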
#define KADM5_CONFIG_ENCTYPE 0x00000200
#define KADM5_CONFIG_ADBNAME 0x00000400
#define KADM5_CONFIG_ADB_LOCKFILE 0x00000800
-/*#define KADM5_CONFIG_PROFILE 0x00001000*/
+#define KADM5_CONFIG_KADMIND_LISTEN 0x00001000
#define KADM5_CONFIG_ACL_FILE 0x00002000
#define KADM5_CONFIG_KADMIND_PORT 0x00004000
#define KADM5_CONFIG_ENCTYPES 0x00008000
#define KADM5_CONFIG_OLD_AUTH_GSSAPI 0x00100000
#define KADM5_CONFIG_NO_AUTH 0x00200000
#define KADM5_CONFIG_AUTH_NOFALLBACK 0x00400000
-#ifdef notyet /* Novell */
-#define KADM5_CONFIG_KPASSWD_SERVER 0x00800000
-#endif
+#define KADM5_CONFIG_KPASSWD_LISTEN 0x00800000
#define KADM5_CONFIG_IPROP_ENABLED 0x01000000
#define KADM5_CONFIG_ULOG_SIZE 0x02000000
#define KADM5_CONFIG_POLL_TIME 0x04000000
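Review bot: the new KADM5_CONFIG_KPASSWD_LISTEN takes the bit value 0x00800000 that was previously reserved under `#ifdef notyet /* Novell */` for KADM5_CONFIG_KPASSWD_SERVER; since these mask bits live in a public header, confirm nothing still references KADM5_CONFIG_KPASSWD_SERVER and mention the reassignment (and the reuse of the old KADM5_CONFIG_PROFILE value 0x00001000 for KADMIND_LISTEN) in the commit message.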
#define KADM5_CONFIG_IPROP_PORT 0x10000000
#define KADM5_CONFIG_KVNO 0x20000000
#define KADM5_CONFIG_IPROP_RESYNC_TIMEOUT 0x40000000
+#define KADM5_CONFIG_IPROP_LISTEN 0x80000000
/*
* permission bits
*/
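Review bot: KADM5_CONFIG_IPROP_LISTEN is assigned 0x80000000, the last free bit of a 32-bit mask; that literal has unsigned type in C, so if the mask field is a signed 32-bit integer, assignments and comparisons involving it deserve a second look, and a comment should record that no further mask bits are available without widening the mask.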
/* char * iprop_server;*/
int iprop_port;
int iprop_resync_timeout;
+ char * kadmind_listen;
+ char * kpasswd_listen;
+ char * iprop_listen;
} kadm5_config_params;
typedef struct _kadm5_key_data {
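Review bot: the three new `char *` fields are appended at the end of kadm5_config_params, which keeps existing field offsets stable; because they will hold heap-allocated strings, the code that frees or copies a kadm5_config_params must be updated to handle them as well, and that change is not visible in this diff.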
GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, KRB5_CONF_DICT_FILE,
NULL);
+ /* Get the kadmind listen addresses. */
+ GET_STRING_PARAM(kadmind_listen, KADM5_CONFIG_KADMIND_LISTEN,
+ KRB5_CONF_KADMIND_LISTEN, NULL);
+ GET_STRING_PARAM(kpasswd_listen, KADM5_CONFIG_KPASSWD_LISTEN,
+ KRB5_CONF_KPASSWD_LISTEN, NULL);
+ GET_STRING_PARAM(iprop_listen, KADM5_CONFIG_IPROP_LISTEN,
+ KRB5_CONF_IPROP_LISTEN, NULL);
+
#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
get_port_param(¶ms.FIELD, params_in->FIELD, \
¶ms.mask, params_in->mask, BIT, \
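Review bot: the comment `/* Get the kadmind listen addresses. */` covers three GET_STRING_PARAM calls but only describes the first; reword it to something like "Get the listen addresses for the kadmin, kpasswd, and iprop services." so it stays accurate.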
new updates from the master. The default value is \fB2m\fP (that
is, two minutes).
.TP
+.B \fBiprop_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the iprop RPC
+listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default (when \fBiprop_enable\fP is true) is to bind to the wildcard
+address at the port specified in \fBiprop_port\fP\&. New in release
+1.15.
+.TP
.B \fBiprop_port\fP
(Port number.) Specifies the port number to be used for
-incremental propagation. This is required in both master and
-slave configuration files.
+incremental propagation. When \fBiprop_enable\fP is true, this
+relation is required in the slave configuration file, and this
+relation or \fBiprop_listen\fP is required in the master
+configuration file, as there is no default port number. Port
+numbers specified in \fBiprop_listen\fP entries will override this
+port number for the \fIkadmind(8)\fP daemon.
.TP
.B \fBiprop_resync_timeout\fP
(Delta time string.) Specifies the amount of time to wait for a
\fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP
default value will not use values from the [dbmodules] section.)
.TP
+.B \fBkadmind_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the kadmin RPC
+listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address at the port specified
+in \fBkadmind_port\fP, or the standard kadmin port (749). New in
+release 1.15.
+.TP
.B \fBkadmind_port\fP
(Port number.) Specifies the port on which the \fIkadmind(8)\fP
-daemon is to listen for this realm. The assigned port for kadmind
-is 749, which is used by default.
+daemon is to listen for this realm. Port numbers specified in
+\fBkadmind_listen\fP entries will override this port number. The
+assigned port for kadmind is 749, which is used by default.
.TP
.B \fBkey_stash_file\fP
(String.) Specifies the location where the master key has been
port 88 (the standard port). Prior to release 1.13, the default
was not to listen for TCP connections at all.
.TP
+.B \fBkpasswd_listen\fP
+(Comma\-separated list.) Specifies the kpasswd listening addresses
+and/or ports for the \fIkadmind(8)\fP daemon. Each entry may be
+an interface address, a port number, or an address and port number
+separated by a colon. If the address contains colons, enclose it
+in square brackets. If no address is specified, the wildcard
+address is used. If kadmind fails to bind to any of the specified
+addresses, it will fail to start. The default is to bind to the
+wildcard address at the port specified in \fBkpasswd_port\fP, or the
+standard kpasswd port (464). New in release 1.15.
+.TP
+.B \fBkpasswd_port\fP
+(Port number.) Specifies the port on which the \fIkadmind(8)\fP
+daemon is to listen for password change requests for this realm.
+Port numbers specified in \fBkpasswd_listen\fP entries will override
+this port number. The assigned port for password change requests
+is 464, which is used by default.
+.TP
.B \fBmaster_key_name\fP
(String.) Specifies the name of the principal associated with the
master key. The default is \fBK/M\fP\&.
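Review bot: the kpasswd_listen entry in the man page (line "(Comma\-separated list.) Specifies the kpasswd listening addresses") carries the same inconsistency as the rst source, where the other two relations say "Whitespace\- or comma\-separated list"; since this file is generated, fix the wording in the rst and regenerate rather than editing the man page directly.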
.SS [logging]
.sp
The [logging] section indicates how \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP perform logging. The keys in this section are
-daemon names, which may be one of:
+\fIkadmind(8)\fP perform logging. It may contain the following
+relations:
.INDENT 0.0
.TP
.B \fBadmin_server\fP
.B \fBdefault\fP
Specifies how either daemon performs logging in the absence of
relations specific to the daemon.
+.TP
+.B \fBdebug\fP
+(Boolean value.) Specifies whether debugging messages are
+included in log outputs other than SYSLOG. Debugging messages are
+always included in the system log output because syslog performs
+its own priority filtering. The default value is false. New in
+release 1.15.
.UNINDENT
.sp
-Values are of the following forms:
+Logging specifications may have the following forms:
.INDENT 0.0
.TP
.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
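Review bot: this hunk changes the [logging] section (new **debug** relation, "It may contain the following relations:" and "Logging specifications may have the following forms:" rewording), which is unrelated to the listen-address change described in the commit message; either regenerate the man page separately from the unrelated documentation changes or add a sentence to the commit message noting that the regenerated man page picks them up.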