diff options
Diffstat (limited to 'crypto/heimdal/lib/kadm5/iprop.8')
-rw-r--r-- | crypto/heimdal/lib/kadm5/iprop.8 | 223 |
1 files changed, 223 insertions, 0 deletions
diff --git a/crypto/heimdal/lib/kadm5/iprop.8 b/crypto/heimdal/lib/kadm5/iprop.8 new file mode 100644 index 0000000..d1e55cc --- /dev/null +++ b/crypto/heimdal/lib/kadm5/iprop.8 @@ -0,0 +1,223 @@ +.\" $Id: iprop.8 21940 2007-09-28 22:28:09Z lha $ +.\" +.\" Copyright (c) 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd May 24, 2005 +.Dt IPROP 8 +.Os Heimdal +.Sh NAME +.Nm iprop , +.Nm ipropd-master , +.Nm ipropd-slave +.Nd +propagate changes to a Heimdal Kerberos master KDC to slave KDCs +.Sh SYNOPSIS +.Nm ipropd-master +.Oo Fl c Ar string \*(Ba Xo +.Fl -config-file= Ns Ar string +.Xc +.Oc +.Oo Fl r Ar string \*(Ba Xo +.Fl -realm= Ns Ar string +.Xc +.Oc +.Oo Fl k Ar kspec \*(Ba Xo +.Fl -keytab= Ns Ar kspec +.Xc +.Oc +.Oo Fl d Ar file \*(Ba Xo +.Fl -database= Ns Ar file +.Xc +.Oc +.Op Fl -slave-stats-file= Ns Ar file +.Op Fl -time-missing= Ns Ar time +.Op Fl -time-gone= Ns Ar time +.Op Fl -detach +.Op Fl -version +.Op Fl -help +.Nm ipropd-slave +.Oo Fl c Ar string \*(Ba Xo +.Fl -config-file= Ns Ar string +.Xc +.Oc +.Oo Fl r Ar string \*(Ba Xo +.Fl -realm= Ns Ar string +.Xc +.Oc +.Oo Fl k Ar kspec \*(Ba Xo +.Fl -keytab= Ns Ar kspec +.Xc +.Oc +.Op Fl -time-lost= Ns Ar time +.Op Fl -detach +.Op Fl -version +.Op Fl -help +.Ar master +.Pp +.Sh DESCRIPTION +.Nm ipropd-master +is used to propagate changes to a Heimdal Kerberos database from the +master Kerberos server on which it runs to slave Kerberos servers +running +.Nm ipropd-slave . +.Pp +The slaves are specified by the contents of the +.Pa slaves +file in the KDC's database directory, e.g.\& +.Pa /var/heimdal/slaves . +This has principals one per-line of the form +.Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM +where +.Ar slave +is the hostname of the slave server in the given +.Ar REALM , +e.g.\& +.Dl iprop/kerberos-1.example.com@EXAMPLE.COM +On a slave, the argument +.Fa master +specifies the hostname of the master server from which to receive updates. +.Pp +In contrast to +.Xr hprop 8 , +which sends the whole database to the slaves regularly, +.Nm +normally sends only the changes as they happen on the master. The +master keeps track of all the changes by assigning a version number to +every change to the database. The slaves know which was the latest +version they saw, and in this way it can be determined if they are in +sync or not. A log of all the changes is kept on the master. When a +slave is at an older version than the oldest one in the log, the whole +database has to be sent. +.Pp +The changes are propagated over a secure channel (on port 2121 by +default). This should normally be defined as +.Dq iprop/tcp +in +.Pa /etc/services +or another source of the services database. The master and slaves +must each have access to a keytab with keys for the +.Nm iprop +service principal on the local host. +.Pp +There is a keep-alive feature logged in the master's +.Pa slave-stats +file (e.g.\& +.Pa /var/heimdal/slave-stats ) . +.Pp +Supported options for +.Nm ipropd-master : +.Bl -tag -width Ds +.It Xo +.Fl c Ar string , +.Fl -config-file= Ns Ar string +.Xc +.It Xo +.Fl r Ar string , +.Fl -realm= Ns Ar string +.Xc +.It Xo +.Fl k Ar kspec , +.Fl -keytab= Ns Ar kspec +.Xc +keytab to get authentication from +.It Xo +.Fl d Ar file , +.Fl -database= Ns Ar file +.Xc +Database (default per KDC) +.It Xo +.Fl -slave-stats-file= Ns Ar file +.Xc +file for slave status information +.It Xo +.Fl -time-missing= Ns Ar time +.Xc +time before slave is polled for presence (default 2 min) +.It Xo +.Fl -time-gone= Ns Ar time +.Xc +time of inactivity after which a slave is considered gone (default 5 min) +.It Xo +.Fl -detach +.Xc +detach from console +.It Xo +.Fl -version +.Xc +.It Xo +.Fl -help +.Xc +.El +.Pp +Supported options for +.Nm ipropd-slave : +.Bl -tag -width Ds +.It Xo +.Fl c Ar string , +.Fl -config-file= Ns Ar string +.Xc +.It Xo +.Fl r Ar string , +.Fl -realm= Ns Ar string +.Xc +.It Xo +.Fl k Ar kspec , +.Fl -keytab= Ns Ar kspec +.Xc +keytab to get authentication from +.It Xo +.Fl -time-lost= Ns Ar time +.Xc +time before server is considered lost (default 5 min) +.It Xo +.Fl -detach +.Xc +detach from console +.It Xo +.Fl -version +.Xc +.It Xo +.Fl -help +.Xc +.El +Time arguments for the relevant options above may be specified in forms +like 5 min, 300 s, or simply a number of seconds. +.Sh FILES +.Pa slaves , +.Pa slave-stats +in the database directory. +.Sh SEE ALSO +.Xr hpropd 8 , +.Xr hprop 8 , +.Xr krb5.conf 8 , +.Xr kdc 8 , +.Xr iprop-log 8 . |