From: Greg Hudson
Date: Fri, 16 Mar 2012 13:57:50 +0000 (+0000)
Subject: Move privileges section in database admin docs
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9ac2af3d535af1d0909b249cbe7f2191410a818a;p=krb5.git

Move privileges section in database admin docs

The "Privileges" section in the RST database administration documentation was tucked away in the middle of a section on principal operations. Move it out and put it between policy operations and kdb5_util operations, without changing its content.

(We may want to replace this whole section with a reference to the appropriate part of the kadmind man page, but that requires a bit of reconciliation since the kadmind man page doesn't document restrictions yet.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25775 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/doc/rst_source/krb_admins/database.rst b/doc/rst_source/krb_admins/database.rst
index 0f4d8ca02..7ac764f40 100644
--- a/doc/rst_source/krb_admins/database.rst
+++ b/doc/rst_source/krb_admins/database.rst
@@ -191,10 +191,104 @@ To generate a listing of principals, use the kadmin :end-before: _list_principals_end: +Changing passwords +~~~~~~~~~~~~~~~~~~ + +To change a principal's password use the :ref:`kadmin(1)` +**change_password** command. + +.. include:: admin_commands/kadmin_local.rst + :start-after: _change_password: + :end-before: _change_password_end: + +.. note:: Password changes through kadmin are subject to the same + password policies as would apply to password changes through + :ref:`kpasswd(1)`. + + +Policies +-------- + +A policy is a set of rules governing passwords. Policies can dictate +minimum and maximum password lifetimes, minimum number of characters +and character classes a password must contain, and the number of old +passwords kept in the database. + + +Adding, modifying and deleting policies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To add a new policy, use the :ref:`kadmin(1)` **add_policy** command. + +To modify attributes of a principal, use the kadmin **modify_policy** +command. + +To delete a policy, use the kadmin **delete_policy** command. + +.. include:: admin_commands/kadmin_local.rst + :start-after: _add_policy: + :end-before: _add_policy_end: + +.. note:: The policies are created under **realm** container in the + LDAP database. + +.. include:: admin_commands/kadmin_local.rst + :start-after: _modify_policy: + :end-before: _modify_policy_end: + +.. include:: admin_commands/kadmin_local.rst + :start-after: _delete_policy: + :end-before: _delete_policy_end: + +.. note:: You must cancel the policy from *all* principals before + deleting it. The *delete_policy* command will fail if it is + in use by any principals. + + +Retrieving policies +~~~~~~~~~~~~~~~~~~~ + +To retrieve a policy, use the :ref:`kadmin(1)` **get_policy** command. + +You can retrieve the list of policies with the kadmin +**list_policies** command. + +.. include:: admin_commands/kadmin_local.rst + :start-after: _get_policy: + :end-before: _get_policy_end: + +.. 
include:: admin_commands/kadmin_local.rst + :start-after: _list_policies: + :end-before: _list_policies_end: + + +Updating the history key +~~~~~~~~~~~~~~~~~~~~~~~~ + +If a policy specifies a number of old keys kept of two or more, the +stored old keys are encrypted in a history key, which is found in the +key data of the ``kadmin/history`` principal. + +Currently there is no support for proper rollover of the history key, +but you can change the history key (for example, to use a better +encryption type) at the cost of invalidating currently stored old +keys. To change the history key, run:: + + kadmin: change_password -randkey kadmin/history + +This command will fail if you specify the **-keepold** flag. Only one +new history key will be created, even if you specify multiple key/salt +combinations. + +In the future, we plan to migrate towards encrypting old keys in the +master key instead of the history key, and implementing proper +rollover support for stored old keys. + + .. _privileges: Privileges -~~~~~~~~~~ +---------- Administrative privileges for the Kerberos database are stored in the file kadm5.acl. @@ -221,7 +315,7 @@ in the *Kerberos_principal*. Permissions -########### +~~~~~~~~~~~ The permissions are represented by single letters; UPPER-CASE letters represent negative permissions. The permissions are: @@ -249,7 +343,7 @@ x All privileges (admcil); identical to "\*". Restrictions -############ +~~~~~~~~~~~~ The restrictions are a string of flags. Allowed restrictions are: 
@@ -295,100 +389,6 @@ modify will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. -Changing passwords -~~~~~~~~~~~~~~~~~~ - -To change a principal's password use the :ref:`kadmin(1)` -**change_password** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _change_password: - :end-before: _change_password_end: - -.. note:: Password changes through kadmin are subject to the same - password policies as would apply to password changes through - :ref:`kpasswd(1)`. - - -Policies --------- - -A policy is a set of rules governing passwords. Policies can dictate -minimum and maximum password lifetimes, minimum number of characters -and character classes a password must contain, and the number of old -passwords kept in the database. - - -Adding, modifying and deleting policies -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To add a new policy, use the :ref:`kadmin(1)` **add_policy** command. - -To modify attributes of a principal, use the kadmin **modify_policy** -command. - -To delete a policy, use the kadmin **delete_policy** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _add_policy: - :end-before: _add_policy_end: - -.. note:: The policies are created under **realm** container in the - LDAP database. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _modify_policy: - :end-before: _modify_policy_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _delete_policy: - :end-before: _delete_policy_end: - -.. note:: You must cancel the policy from *all* principals before - deleting it. The *delete_policy* command will fail if it is - in use by any principals. - - -Retrieving policies -~~~~~~~~~~~~~~~~~~~ - -To retrieve a policy, use the :ref:`kadmin(1)` **get_policy** command. - -You can retrieve the list of policies with the kadmin -**list_policies** command. - -.. 
include:: admin_commands/kadmin_local.rst - :start-after: _get_policy: - :end-before: _get_policy_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _list_policies: - :end-before: _list_policies_end: - - -Updating the history key -~~~~~~~~~~~~~~~~~~~~~~~~ - -If a policy specifies a number of old keys kept of two or more, the -stored old keys are encrypted in a history key, which is found in the -key data of the ``kadmin/history`` principal. - -Currently there is no support for proper rollover of the history key, -but you can change the history key (for example, to use a better -encryption type) at the cost of invalidating currently stored old -keys. To change the history key, run:: - - kadmin: change_password -randkey kadmin/history - -This command will fail if you specify the **-keepold** flag. Only one -new history key will be created, even if you specify multiple key/salt -combinations. - -In the future, we plan to migrate towards encrypting old keys in the -master key instead of the history key, and implementing proper -rollover support for stored old keys. - - .. _db_operations: Operations on the Kerberos database
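Review bot: the relocated text in the `@@ -191,10 +191,104 @@` hunk carries a pre-existing wording error that is now easy to fix while the block is being touched: under "Adding, modifying and deleting policies" the line `+To modify attributes of a principal, use the kadmin **modify_policy**` describes a policy command as acting on a principal and should read "To modify attributes of a policy, use the kadmin **modify_policy** command." The commit deliberately moves the section without changing its content, so if you want to keep this commit a pure move, please file the one-word fix as a follow-up rather than leaving it. In the same hunk, the note `+.. note:: The policies are created under **realm** container in the` is missing an article ("under the **realm** container").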
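Review bot: the underline change in the `@@ -221,7 +315,7 @@` hunk, `-###########` to `+~~~~~~~~~~~` under `Permissions`, is the correct adornment now that `Privileges` becomes a `-` section, and it matches the `~` level used for the other subsections visible in this file (`Changing passwords`, `Retrieving policies`, `Updating the history key`); the underline length also still matches the title. What is missing is documentation: the commit message says the section is moved "without changing its content", but this hunk, the matching `Restrictions` hunk and the `Privileges` underline change in the first hunk promote three headings by one level, which changes the rendered section hierarchy and table of contents. Suggest adding a sentence to the commit message stating that `Privileges`, `Permissions` and `Restrictions` are promoted one heading level so they sit alongside `Policies`.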