/usr/lib/perl5/Authen/Krb5/Admin.pm is in libauthen-krb5-admin-perl 0.17-1build1.
This file is owned by root:root, with mode 0o644.
# Copyright (c) 2002 Andrew J. Korty
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# $Id: Admin.pm,v 1.24 2008/02/25 13:46:54 ajk Exp $
package Authen::Krb5::Admin;
use strict;
use vars qw($AUTOLOAD $VERSION @ISA @EXPORT_OK %EXPORT_TAGS);
use Carp;
require 5.004;
require Exporter;
require DynaLoader;
require AutoLoader;
# Inherit from Exporter (symbol import) and DynaLoader (bootstrap of the
# compiled half of the module, called near the end of the code section).
@ISA = qw(Exporter DynaLoader);
# Names a caller may import on request. Only @EXPORT_OK is populated in this
# file, so nothing is exported unless it is asked for by name or by tag.
# NOTE(review): the POD below documents the mask flags KADM5_PW_MAX_FAILURE,
# KADM5_PW_FAILURE_COUNT_INTERVAL and KADM5_PW_LOCKOUT_DURATION, none of which
# appears in this list -- confirm whether they are meant to be importable.
# NOTE(review): every ENCTYPE_* name listed here is a DES or 3DES variant, or
# NULL/UNKNOWN. Single-DES enctypes are deprecated (RFC 6649), so this list
# should not be read as guidance on which enctypes to configure.
@EXPORT_OK = qw(
ENCTYPE_DES3_CBC_RAW
ENCTYPE_DES3_CBC_SHA
ENCTYPE_DES3_CBC_SHA1
ENCTYPE_DES_CBC_CRC
ENCTYPE_DES_CBC_MD4
ENCTYPE_DES_CBC_MD5
ENCTYPE_DES_CBC_RAW
ENCTYPE_DES_HMAC_SHA1
ENCTYPE_LOCAL_DES3_HMAC_SHA1
ENCTYPE_NULL
ENCTYPE_UNKNOWN
KADM5_ADMIN_SERVICE
KADM5_API_VERSION_1
KADM5_API_VERSION_2
KADM5_API_VERSION_3
KADM5_API_VERSION_4
KADM5_API_VERSION_MASK
KADM5_ATTRIBUTES
KADM5_AUTH_ADD
KADM5_AUTH_CHANGEPW
KADM5_AUTH_DELETE
KADM5_AUTH_GET
KADM5_AUTH_INSUFFICIENT
KADM5_AUTH_LIST
KADM5_AUTH_MODIFY
KADM5_AUTH_SETKEY
KADM5_AUX_ATTRIBUTES
KADM5_BAD_API_VERSION
KADM5_BAD_AUX_ATTR
KADM5_BAD_CLASS
KADM5_BAD_CLIENT_PARAMS
KADM5_BAD_DB
KADM5_BAD_HISTORY
KADM5_BAD_HIST_KEY
KADM5_BAD_LENGTH
KADM5_BAD_MASK
KADM5_BAD_MIN_PASS_LIFE
KADM5_BAD_PASSWORD
KADM5_BAD_POLICY
KADM5_BAD_PRINCIPAL
KADM5_BAD_SERVER_HANDLE
KADM5_BAD_SERVER_NAME
KADM5_BAD_SERVER_PARAMS
KADM5_BAD_STRUCT_VERSION
KADM5_BAD_TL_TYPE
KADM5_CHANGEPW_SERVICE
KADM5_CONFIG_ACL_FILE
KADM5_CONFIG_ADBNAME
KADM5_CONFIG_ADB_LOCKFILE
KADM5_CONFIG_ADMIN_KEYTAB
KADM5_CONFIG_ADMIN_SERVER
KADM5_CONFIG_DBNAME
KADM5_CONFIG_DICT_FILE
KADM5_CONFIG_ENCTYPE
KADM5_CONFIG_ENCTYPES
KADM5_CONFIG_EXPIRATION
KADM5_CONFIG_FLAGS
KADM5_CONFIG_KADMIND_PORT
KADM5_CONFIG_KPASSWD_PORT
KADM5_CONFIG_MAX_LIFE
KADM5_CONFIG_MAX_RLIFE
KADM5_CONFIG_MKEY_FROM_KBD
KADM5_CONFIG_MKEY_NAME
KADM5_CONFIG_PROFILE
KADM5_CONFIG_REALM
KADM5_CONFIG_STASH_FILE
KADM5_DUP
KADM5_FAILURE
KADM5_FAIL_AUTH_COUNT
KADM5_GSS_ERROR
KADM5_HIST_PRINCIPAL
KADM5_INIT
KADM5_KEY_DATA
KADM5_KVNO
KADM5_LAST_FAILED
KADM5_LAST_PWD_CHANGE
KADM5_LAST_SUCCESS
KADM5_MASK_BITS
KADM5_MAX_LIFE
KADM5_MAX_RLIFE
KADM5_MISSING_CONF_PARAMS
KADM5_MKVNO
KADM5_MOD_NAME
KADM5_MOD_TIME
KADM5_NEW_LIB_API_VERSION
KADM5_NEW_SERVER_API_VERSION
KADM5_NEW_STRUCT_VERSION
KADM5_NOT_INIT
KADM5_NO_RENAME_SALT
KADM5_NO_SRV
KADM5_OK
KADM5_OLD_LIB_API_VERSION
KADM5_OLD_SERVER_API_VERSION
KADM5_OLD_STRUCT_VERSION
KADM5_PASS_Q_CLASS
KADM5_PASS_Q_DICT
KADM5_PASS_Q_TOOSHORT
KADM5_PASS_REUSE
KADM5_PASS_TOOSOON
KADM5_POLICY
KADM5_POLICY_CLR
KADM5_POLICY_REF
KADM5_PRINCIPAL
KADM5_PRINCIPAL_NORMAL_MASK
KADM5_PRINC_EXPIRE_TIME
KADM5_PRIV_ADD
KADM5_PRIV_DELETE
KADM5_PRIV_GET
KADM5_PRIV_MODIFY
KADM5_PROTECT_PRINCIPAL
KADM5_PW_EXPIRATION
KADM5_PW_HISTORY_NUM
KADM5_PW_MAX_LIFE
KADM5_PW_MIN_CLASSES
KADM5_PW_MIN_LENGTH
KADM5_PW_MIN_LIFE
KADM5_REF_COUNT
KADM5_RPC_ERROR
KADM5_SECURE_PRINC_MISSING
KADM5_SETKEY3_ETYPE_MISMATCH
KADM5_SETKEY_DUP_ENCTYPES
KADM5_SETV4KEY_INVAL_ENCTYPE
KADM5_STRUCT_VERSION
KADM5_STRUCT_VERSION_1
KADM5_STRUCT_VERSION_MASK
KADM5_TL_DATA
KADM5_UNK_POLICY
KADM5_UNK_PRINC
KRB5_KDB_DISALLOW_ALL_TIX
KRB5_KDB_DISALLOW_DUP_SKEY
KRB5_KDB_DISALLOW_FORWARDABLE
KRB5_KDB_DISALLOW_POSTDATED
KRB5_KDB_DISALLOW_PROXIABLE
KRB5_KDB_DISALLOW_RENEWABLE
KRB5_KDB_DISALLOW_SVR
KRB5_KDB_DISALLOW_TGT_BASED
KRB5_KDB_NEW_PRINC
KRB5_KDB_PWCHANGE_SERVICE
KRB5_KDB_REQUIRES_HW_AUTH
KRB5_KDB_REQUIRES_PRE_AUTH
KRB5_KDB_REQUIRES_PWCHANGE
KRB5_KDB_SALTTYPE_AFS3
KRB5_KDB_SALTTYPE_NOREALM
KRB5_KDB_SALTTYPE_NORMAL
KRB5_KDB_SALTTYPE_ONLYREALM
KRB5_KDB_SALTTYPE_SPECIAL
KRB5_KDB_SALTTYPE_V4
KRB5_KDB_SUPPORT_DESMD5
KADM5_CONFIG_AUTH_NOFALLBACK
KADM5_CONFIG_NO_AUTH
KADM5_CONFIG_OLD_AUTH_GSSAPI
KRB5_KDB_ACCESS_ERROR
);
# The :constants tag is the whole @EXPORT_OK list, shared by reference.
%EXPORT_TAGS = (constants => \@EXPORT_OK);
# Module version; it is also the value handed to bootstrap further down.
$VERSION = '0.17';
# Preloaded methods go here.
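# Resolve an otherwise-undefined sub name as a constant through the XS
# constant() function, install it as a real sub, and jump to it.
#
#  - A call to an undefined sub literally named "constant" croaks.
#  - If constant() leaves $! set to an error whose text contains "Invalid",
#    the call is handed on to AutoLoader's AUTOLOAD.
#  - Any other non-zero $! croaks with a "vendor has not defined" message.
#
# The first argument, if any, is forwarded to constant(); 0 is passed when
# the call had no arguments.
sub AUTOLOAD {
    my $constname;
    ($constname = $AUTOLOAD) =~ s/.*:://;
    croak $constname, ' not defined' if $constname eq 'constant';

    # Clear any stale errno so the check below reflects only this lookup.
    # NOTE(review): constant() lives in the XS code and may already do this;
    # clearing it here removes the dependency either way.
    $! = 0;
    my $val = constant($constname, @_ ? $_[0] : 0);
    if ($! != 0) {
        # NOTE(review): the fall-through to AutoLoader is chosen by matching
        # the *text* of $!, which depends on the wording of the system error
        # message -- confirm this holds on every supported platform/locale.
        if ($! =~ /Invalid/) {
            $AutoLoader::AUTOLOAD = $AUTOLOAD;
            goto &AutoLoader::AUTOLOAD;
        }
        else {
            croak 'Your vendor has not defined ', __PACKAGE__,
                ' macro ', $constname;
        }
    }

    # Install a closure under the requested name instead of compiling
    # "sub NAME { VALUE }" from an interpolated string. Neither the sub name
    # nor the value is ever parsed as Perl source, and there is no unchecked
    # eval whose silent failure would leave the goto below re-entering
    # AUTOLOAD for the same name.
    my $stub = sub { $val };
    {
        no strict 'refs';
        *{$AUTOLOAD} = $stub;
    }
    goto &$stub;
}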
# kadmin service and history principal names. These three constants are
# string-valued and are defined directly in Perl rather than being looked up
# through AUTOLOAD.
sub KADM5_ADMIN_SERVICE {
    return 'kadmin/admin';
}

sub KADM5_CHANGEPW_SERVICE {
    return 'kadmin/changepw';
}

sub KADM5_HIST_PRINCIPAL {
    return 'kadmin/history';
}
# Load the compiled (XS) half of the module, handing bootstrap the Perl-side
# $VERSION. Written as an ordinary class-method call.
Authen::Krb5::Admin->bootstrap($VERSION);

# A module file has to finish with a true value.
1;
__END__
=head1 NAME
Authen::Krb5::Admin - Perl extension for MIT Kerberos 5 admin interface
=head1 SYNOPSIS
use Authen::Krb5::Admin;
use Authen::Krb5::Admin qw(:constants);
=head1 DESCRIPTION
The B<Authen::Krb5::Admin> Perl module is an object-oriented interface
to the Kerberos 5 admin server. Currently only MIT KDCs are
supported, but the author envisions seamless integration with other
KDCs.
The following classes are provided by this module:
Authen::Krb5::Admin handle for performing kadmin operations
Authen::Krb5::Admin::Config kadmin configuration parameters
Authen::Krb5::Admin::Key key data from principal object
Authen::Krb5::Admin::Policy kadmin policies
Authen::Krb5::Admin::Principal kadmin principals
=head2 Configuration Parameters, Policies, and Principals
Before performing kadmin operations, the programmer must construct
objects to represent the entities to be manipulated. Each of the
classes
Authen::Krb5::Admin::Config
Authen::Krb5::Admin::Key
Authen::Krb5::Admin::Policy
Authen::Krb5::Admin::Principal
has a constructor I<new> which takes no arguments (except for the
class name). The new object may be populated using accessor methods,
each of which is named for the C struct element it represents.
Methods always return the current value of the attribute, except for
the I<policy_clear> method, which returns nothing. If a value is
provided, the attribute is set to that value, and the new value is
returned.
All attributes may be modified in each object, but read-only
attributes will be ignored when performing kadmin operations. These
attributes are indicated in the documentation for their accessor
methods.
Each of the C functions that manipulate I<kadm5> principal and policy
structures takes a mask argument to indicate which fields should be
taken into account. The Perl accessor methods take care of the mask
for you, assuming that when you change a value, you will eventually
want it changed on the server.
Flags for the read-only fields do not get set automatically because
they would result in a bad mask error when performing kadmin
operations.
Some writable attributes are not allowed to have their masks set for
certain operations. For example, KADM5_POLICY may not be set during a
I<create_principal> operation, but since the Perl module sets that
flag automatically when you set the I<policy> attribute of the
principal object, a bad mask error would result. Therefore, some
kadmin operations automatically clear certain flags first.
Though you should never have to, you can manipulate the mask on your
own using the I<mask> methods and the flags associated with each
attribute (indicated in curly braces ({}s) below). Use the tag
I<:constants> to request that the flag constants (and all other
constants) be made available (see L<Exporter(3)>).
=over 8
=item B<Authen::Krb5::Admin::Config>
This class is used to configure a kadmin connection. Without this
object, B<Authen::Krb5::Admin> constructors will default to the
configuration defined in the Kerberos 5 profile (F</etc/krb5.conf> by
default). So this object is usually only needed when selecting
alternate realms or contacting a specific, non-default server.
The only methods in this class are the constructor (I<new>, described
above) and the following accessor methods.
=item admin_server {KADM5_CONFIG_ADMIN_SERVER}
Admin server hostname
=item kadmind_port {KADM5_CONFIG_KADMIND_PORT}
Admin server port number
=item kpasswd_port {KADM5_CONFIG_KPASSWD_PORT}
Kpasswd server port number
=item mask
Mask (described above)
=item profile {KADM5_CONFIG_PROFILE}
Kerberos 5 configuration profile
=item realm {KADM5_CONFIG_REALM}
Kerberos 5 realm name
=item B<Authen::Krb5::Admin::Key>
This class represents key data contained in kadmin principal objects.
The only methods in this class are the constructor (I<new>, described
above) and the following accessor methods.
=item key_contents
Key contents, encrypted with the KDC master key. This data may not be
available remotely.
=item enc_type
Kerberos 5 enctype of the key
=item key_type
Alias for I<enc_type>
=item kvno
Key version number
=item salt_contents
Salt contents, if any (I<ver> > 1)
=item salt_type
Salt type, if any (I<ver> > 1)
=item ver
Version number of the underlying I<krb5_key_data> structure
=item B<Authen::Krb5::Admin::Policy>
This class represents kadmin policies. The only methods in this class
are the constructor (I<new>, described above) and the following
accessor methods.
=item mask
Mask (described above)
=item name {KADM5_POLICY}
Policy name
=item pw_history_num {KADM5_PW_HISTORY_NUM}
Number (between 1 and 10, inclusive) of past passwords to be stored
for the principal. A principal may not set its password to any of its
previous I<pw_history_num> passwords.
=item pw_max_life {KADM5_PW_MAX_LIFE}
Default number of seconds a password lasts before the principal is
required to change it
=item pw_max_fail {KADM5_PW_MAX_FAILURE}
The maximum allowed number of attempts before a lockout.
=item pw_failcnt_interval {KADM5_PW_FAILURE_COUNT_INTERVAL}
The period after which the bad preauthentication count will be reset.
=item pw_lockout_duration {KADM5_PW_LOCKOUT_DURATION}
The period in which lockout is enforced; a duration of zero means that
the principal must be manually unlocked.
=item pw_min_classes {KADM5_PW_MIN_CLASSES}
Number (between 1 and 5, inclusive) of required character classes
represented in a password
=item pw_min_length {KADM5_PW_MIN_LENGTH}
Minimum number of characters in a password
=item pw_min_life {KADM5_PW_MIN_LIFE}
Number of seconds a password must age before the principal may change
it
=item policy_refcnt {KADM5_REF_COUNT}
Number of principals referring to this policy (read-only, does not set
KADM5_REF_COUNT automatically)
=item B<Authen::Krb5::Admin::Principal>
The attributes I<fail_auth_count>, I<last_failed>, and I<last_success>
are only meaningful if the KDC is configured to update the database
with this type of information.
The only methods in this class are the constructor (I<new>, described
above), the following accessor methods, and I<policy_clear>, which is
used to clear the policy attribute.
=item attributes {KADM5_ATTRIBUTES}
Bitfield representing principal attributes (see L<kadmin(8)>)
=item aux_attributes {KADM5_AUX_ATTRIBUTES}
Bitfield used by kadmin. Currently the only flag recognized is
KADM5_POLICY, which indicates that a policy is in effect for this
principal. This attribute is read-only, so KADM5_AUX_ATTRIBUTES is not
set automatically.
=item fail_auth_count {KADM5_FAIL_AUTH_COUNT}
Number of consecutive failed AS_REQs for this principal. This
attribute is read-only, so KADM5_FAIL_AUTH_COUNT is not set
automatically.
=item kvno {KADM5_KVNO}
Key version number
=item last_failed {KADM5_LAST_FAILED}
Time (in seconds since the Epoch) of the last failed AS_REQ for this
principal. This attribute is read-only, so KADM5_LAST_FAILED is not
set automatically.
=item last_pwd_change {KADM5_LAST_PWD_CHANGE}
Time (in seconds since the Epoch) of the last password change for this
principal. This attribute is read-only, so KADM5_LAST_PWD_CHANGE is
not set automatically.
=item last_success {KADM5_LAST_SUCCESS}
Time (in seconds since the Epoch) of the last successful AS_REQ for
this principal. This attribute is read-only, so KADM5_LAST_SUCCESS is
not set automatically.
=item mask
Mask (see above)
=item max_life {KADM5_MAX_LIFE}
Maximum lifetime in seconds of any Kerberos ticket issued to this
principal
=item max_renewable_life {KADM5_MAX_RLIFE}
Maximum renewable lifetime in seconds of any Kerberos ticket issued to
this principal
=item mod_date {KADM5_MOD_TIME}
Time (in seconds since the Epoch) this principal was last modified.
This attribute is read-only, so KADM5_MOD_TIME is not set
automatically.
=item mod_name {KADM5_MOD_NAME}
Kerberos principal (B<Authen::Krb5::Principal>, see
L<Authen::Krb5(3)>) that last modified this principal. This attribute
is read-only, so KADM5_MOD_NAME is not set automatically.
=item policy {KADM5_POLICY}
Name of policy that affects this principal if KADM5_POLICY is set in
I<aux_attributes>
=item policy_clear {KADM5_POLICY_CLR}
Not really an attribute--disables the current policy for this
principal. This method doesn't return anything.
=item princ_expire_time {KADM5_PRINC_EXPIRE_TIME}
Expire time (in seconds since the Epoch) of the principal
=item principal {KADM5_PRINCIPAL}
Kerberos principal itself (B<Authen::Krb5::Principal>, see
L<Authen::Krb5(3)>)
=item pw_expiration {KADM5_PW_EXPIRATION}
Expire time (in seconds since the Epoch) of the principal's password
=item db_args [@ARGS]
When called without any C<@ARGS>, returns the list of arguments that
will be passed into the underlying database, as with C<addprinc -x> in
C<kadmin>. If C<@ARGS> is non-empty, it will replace any database
arguments, which will then be returned, like this:
my @old = $principal->db_args;
# -or-
my @old = $principal->db_args(@new);
# The RPC call will ignore the tail data unless
# you set this flag:
$principal->mask($principal->mask | KADM5_TL_DATA);
=back
=head2 Operations
To perform kadmin operations (addprinc, delprinc, etc.), we first
construct an object of the class B<Authen::Krb5::Admin>, which
contains a server handle. Then we use object methods to perform the
operations using that handle.
In the following synopses, parameter types are indicated by their
names as follows:
$error Kerberos 5 error code
$kadm5 Authen::Krb5::Admin
$kadm5_config Authen::Krb5::Admin::Config
$kadm5_pol Authen::Krb5::Admin::Policy
$kadm5_princ Authen::Krb5::Admin::Principal
$krb5_ccache Authen::Krb5::Ccache
$krb5_princ Authen::Krb5::Principal
$success TRUE if the call succeeded, undef otherwise
Everything else is an unblessed scalar value (or an array of them)
inferable from context.
Parameters surrounded by square brackets ([]s) are each optional.
=over 8
=item Constructors
Each of the following constructors authenticates as $client to the
admin server $service, which defaults to KADM5_ADMIN_SERVICE if undef.
An undefined value for $kadm5_config will cause the interface to infer
the configuration from the Kerberos 5 profile (F</etc/krb5.conf> by
default).
=item $kadm5 = Authen::Krb5::Admin->init_with_creds($client, $krb5_ccache[, $service, $kadm5_config])
Authenticate using the credentials cached in $krb5_ccache.
=item $kadm5 = Authen::Krb5::Admin->init_with_password($client[, $password, $service, $kadm5_config])
Authenticate with $password.
=item $kadm5 = Authen::Krb5::Admin->init_with_skey($client[, $keytab_file, $service, $kadm5_config])
Authenticate using the keytab stored in $keytab_file. If $keytab_file
is undef, the default keytab is used.
=item Principal Operations
=item $success = $kadm5->chpass_principal($krb5_princ, $password)
Change the password of $krb5_princ to $password.
=item $success = $kadm5->create_principal($kadm5_princ[, $password])
Insert $kadm5_princ into the database, optionally setting its password
to the string in $password. Clears KADM5_POLICY_CLR and
KADM5_FAIL_AUTH_COUNT.
=item $success = $kadm5->delete_principal($krb5_princ)
Delete the principal represented by $krb5_princ from the database.
=item $kadm5_princ = $kadm5->get_principal($krb5_princ[, $mask])
Retrieve the Authen::Krb5::Admin::Principal object for the principal
$krb5_princ from the database. Use KADM5_PRINCIPAL_NORMAL_MASK to
retrieve all of the useful attributes.
=item @names = $kadm5->get_principals([$expr])
Retrieve a list of principal names matching the glob pattern $expr.
In the absence of $expr, retrieve the list of all principal names.
=item $success = $kadm5->modify_principal($kadm5_princ)
Modify $kadm5_princ in the database. The principal to modify is
determined by C<$kadm5_princ-E<gt>principal>, and the rest of the writable
parameters will be modified accordingly. Clears KADM5_PRINCIPAL.
=item @keys = $kadm5->randkey_principal($krb5_princ)
Randomize the principal in the database represented by $krb5_princ and
return B<Authen::Krb5::Keyblock> objects.
=item $success = $kadm5->rename_principal($krb5_princ_from, $krb5_princ_to)
Change the name of the principal from $krb5_princ_from to $krb5_princ_to.
=item Policy Operations
=item $success = $kadm5->create_policy($kadm5_pol)
Insert $kadm5_pol into the database.
=item $success = $kadm5->delete_policy($name)
Delete the policy named $name from the database.
=item $kadm5_pol = $kadm5->get_policy([$name])
Retrieve the B<Authen::Krb5::Admin::Policy> object for the policy
named $name from the database.
=item @names = $kadm5->get_policies([$expr])
Retrieve a list of policy names matching the glob pattern $expr. In
the absence of $expr, retrieve the list of all policy names.
=item $success = $kadm5->modify_policy($kadm5_pol)
Modify $kadm5_pol in the database. The policy to modify is
determined by C<$kadm5_pol-E<gt>name>, and the rest of the writable
parameters will be modified accordingly. Clears KADM5_POLICY.
=item Other Methods
=item $magic_value = Authen::Krb5::Admin::error [$error]
Return value that acts like $! (see L<perlvar(1)>) for the most
recent Authen::Krb5::Admin call. With error code $error, return
the error message corresponding to that error code.
=item $error_code = Authen::Krb5::Admin::error_code
Returns the value of the error code for the most recent
Authen::Krb5::Admin call as a simple integer.
=item $privs = $kadm5->get_privs
Return a bitfield representing the kadmin privileges a principal has,
as follows:
get KADM5_PRIV_GET
add KADM5_PRIV_ADD
modify KADM5_PRIV_MODIFY
delete KADM5_PRIV_DELETE
=back
=head1 EXAMPLES
See the unit tests included with this software for examples. They can
be found in the F<t/> subdirectory of the distribution.
=head1 FILES
krb5.conf Kerberos 5 configuration file
=head1 BUGS
There is no facility for specifying keysalts for methods like
I<create_principal> and I<modify_principal>. This facility is
provided by the Kerberos 5 API and requires an initialized context.
So it probably makes more sense for B<Authen::Krb5(3)> to handle those
functions.
=head1 AUTHOR
Stephen Quinney <squinney@inf.ed.ac.uk>
Author Emeritus: Andrew J. Korty <ajk@iu.edu>
=head1 SEE ALSO
perl(1), perlvar(1), Authen::Krb5(3), Exporter(3), kadmin(8).
=cut