diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..5c6b0eb
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Red Hat, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
diff --git a/MANIFEST.in b/MANIFEST.in
new file mode 100644
index 0000000..6ed3a2a
--- /dev/null
+++ b/MANIFEST.in
@@ -0,0 +1 @@
+include README COPYING
diff --git a/README b/README
new file mode 100644
index 0000000..cc2bf57
--- /dev/null
+++ b/README
@@ -0,0 +1,85 @@
+Welcome to kdcproxy!
+=====================
+
+This package contains a WSGI module for proxying KDC requests over HTTP by
+following the [MS-KKDCP] protocol. It aims to be simple to deploy, with
+minimal configuration.
+
+Deploying kdcproxy
+==================
+
+The kdcproxy module follows the standard WSGI protocol for deploying Python
+web applications. This makes configuration simple. Simply load up your favorite
+WSGI-enabled web server and point it to the module. For example, if you wish
+to use mod_wsgi, try something like this:
+
+ WSGIScriptAlias /kdc /path/to/kdcproxy/__init__.py
+
+For more information, see the documentation of your WSGI server.
+
+Configuring kdcproxy
+====================
+
+When kdcproxy receives a request, it needs to know where to proxy it to. This
+is the purpose of configuration: discovering where to send kerberos requests.
+
+One important note: where the underlying configuration does not specify TCP or
+UDP, both will be attempted. TCP will be attempted before UDP. This permits the
+use of longer timeouts and prevents possible lockouts when the KDC packets
+contain OTP token codes (which should preferably be sent to only one server).
+
+Automatic Configuration
+-----------------------
+By default, no configuration is necessary. In this case, kdcproxy will use
+REALM DNS SRV record lookups to determine remote KDC locations.
+
+/etc/kdcproxy.conf
+------------------
+If you wish to have more detailed configuration, the first place you can
+configure kdcproxy is /etc/kdcproxy.conf. This configuration file takes precedence
+over all other configuration modules. This file is an ini-style configuration with
+a special section **[global]**. Two parameters are available in this
+section: **configs** and **use_dns**.
+
+The **use_dns** allows you to enable or disable use of DNS SRV record lookups.
+
+The **configs** parameter allows you to load other configuration modules for
+finding configuration in other places. The configuration modules specified in
+here will have priority in the order listed. For instance, if you wished to read
+configuration from MIT libkrb5, you would set the following:
+
+ [global]
+ configs = mit
+
+Aside from the **[global]** section, you may also specify manual configuration for
+realms. In this case, each section is the name of the realm and the parameters are
+**kerberos** or **kpasswd**. These specify the locations of the remote servers for
+krb5 AS requests and kpasswd requests, respectively. For example:
+
+ [EXAMPLE.COM]
+ kerberos = kerberos+tcp://kdc.example.com:88
+ kpasswd = kpasswd+tcp://kpasswd.example.com:464
+
+The realm configuration parameters may list multiple servers separated by a space.
+The order the realms are specified in will be respected by kdcproxy when
+forwarding requests. The port number is optional. Possible schemes are:
+
+* kerberos://
+* kerberos+tcp://
+* kerberos+udp://
+* kpasswd://
+* kpasswd+tcp://
+* kpasswd+udp://
+
+MIT libkrb5
+-----------
+
+If you load the **mit** config module in /etc/kdcproxy.conf, kdcproxy will also
+read the config using libkrb5 (usually /etc/krb5.conf). If this module is used,
+kdcproxy will respect the DNS settings from the **[libdefaults]** section and
+the realm configuration from the **[realms]** section.
+
+For more information, see the documentation for MIT's krb5.conf.
+
+[MS-KKDCP]: http://msdn.microsoft.com/en-us/library/hh553774.aspx
+
diff --git a/README.md b/README.md
deleted file mode 100644
index cc2bf57..0000000
--- a/README.md
+++ /dev/null
@@ -1,85 +0,0 @@
-Welcome to kdcproxy!
-=====================
-
-This package contains a WSGI module for proxying KDC requests over HTTP by
-following the [MS-KKDCP] protocol. It aims to be simple to deploy, with
-minimal configuration.
-
-Deploying kdcproxy
-==================
-
-The kdcproxy module follows the standard WSGI protocol for deploying Python
-web applications. This makes configuration simple. Simply load up your favorite
-WSGI-enabled web server and point it to the module. For example, if you wish
-to use mod_wsgi, try something like this:
-
- WSGIScriptAlias /kdc /path/to/kdcproxy/__init__.py
-
-For more information, see the documentation of your WSGI server.
-
-Configuring kdcproxy
-====================
-
-When kdcproxy receives a request, it needs to know where to proxy it to. This
-is the purpose of configuration: discovering where to send kerberos requests.
-
-One important note: where the underlying configuration does not specify TCP or
-UDP, both will be attempted. TCP will be attempted before UDP. This permits the
-use of longer timeouts and prevents possible lockouts when the KDC packets
-contain OTP token codes (which should preferably be sent to only one server).
-
-Automatic Configuration
------------------------
-By default, no configuration is necessary. In this case, kdcproxy will use
-REALM DNS SRV record lookups to determine remote KDC locations.
-
-/etc/kdcproxy.conf
-------------------
-If you wish to have more detailed configuration, the first place you can
-configure kdcproxy is /etc/kdcproxy.conf. This configuration file takes precedence
-over all other configuration modules. This file is an ini-style configuration with
-a special section **[global]**. Two parameters are available in this
-section: **configs** and **use_dns**.
-
-The **use_dns** allows you to enable or disable use of DNS SRV record lookups.
-
-The **configs** parameter allows you to load other configuration modules for
-finding configuration in other places. The configuration modules specified in
-here will have priority in the order listed. For instance, if you wished to read
-configuration from MIT libkrb5, you would set the following:
-
- [global]
- configs = mit
-
-Aside from the **[global]** section, you may also specify manual configuration for
-realms. In this case, each section is the name of the realm and the parameters are
-**kerberos** or **kpasswd**. These specify the locations of the remote servers for
-krb5 AS requests and kpasswd requests, respectively. For example:
-
- [EXAMPLE.COM]
- kerberos = kerberos+tcp://kdc.example.com:88
- kpasswd = kpasswd+tcp://kpasswd.example.com:464
-
-The realm configuration parameters may list multiple servers separated by a space.
-The order the realms are specified in will be respected by kdcproxy when
-forwarding requests. The port number is optional. Possible schemes are:
-
-* kerberos://
-* kerberos+tcp://
-* kerberos+udp://
-* kpasswd://
-* kpasswd+tcp://
-* kpasswd+udp://
-
-MIT libkrb5
------------
-
-If you load the **mit** config module in /etc/kdcproxy.conf, kdcproxy will also
-read the config using libkrb5 (usually /etc/krb5.conf). If this module is used,
-kdcproxy will respect the DNS settings from the **[libdefaults]** section and
-the realm configuration from the **[realms]** section.
-
-For more information, see the documentation for MIT's krb5.conf.
-
-[MS-KKDCP]: http://msdn.microsoft.com/en-us/library/hh553774.aspx
-
diff --git a/README.md b/README.md
new file mode 120000
index 0000000..100b938
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+README
\ No newline at end of file
diff --git a/setup.py b/setup.py
index ec7e9d6..ea5d875 100644
--- a/setup.py
+++ b/setup.py
@@ -22,14 +22,17 @@ # THE SOFTWARE. import os +import sys from distutils.core import setup -# Utility function to read the README file. -# Used for the long_description. It's nice, because now 1) we have a top level -# README file and 2) it's easier to type in the README file than to put a raw -# string in below ... +dns = "dnspython" +if sys.version_info.major == 3: + dns += "3" + def read(fname): - return open(os.path.join(os.path.dirname(__file__), fname)).read() + fname = os.path.join(os.path.dirname(__file__), fname) + with open(fname) as f: + return f.read() setup( name = "kdcproxy", @@ -40,11 +43,17 @@ def read(fname): license = "MIT", keywords = "krb5 proxy http https kerberos", url = "http://github.com/npmccallum/kdcproxy", - packages=['kdcproxy'], - long_description=read('README.md'), + packages=['kdcproxy', 'kdcproxy.config'], + long_description=read('README'), + requires=['pyasn1', dns], classifiers=[ "Development Status :: 3 - Alpha", - "Topic :: Utilities", + "Environment :: Web Environment", + "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", + "Operating System :: OS Independent", + "Programming Language :: Python :: 2.7", + "Programming Language :: Python :: 3", + "Topic :: Internet :: Proxy Servers", ], )
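Review bot: The dependency name held in `dns` is chosen from `sys.version_info` at the moment setup.py runs, so any metadata written by `sdist` records the name that matched the building interpreter, not the one that later installs the package. If the requirement is ever resolved by an installer, an environment marker such as `dnspython3; python_version >= "3"` keeps the choice at install time. The new block also replaces the old explanatory comment with nothing; a line like `# the Python 3 build of dnspython is published under the name "dnspython3"` above `dns = "dnspython"` would tell a maintainer why two names exist, assuming that is the reason.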
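Review bot: `requires=['pyasn1', dns]` in the `setup()` call is the distutils metadata field, which installers do not resolve. Installing kdcproxy will therefore not pull in pyasn1 or the DNS library, and the field is meant to hold importable module names rather than distribution names. For a proxy that the README describes as handling KDC requests arriving over HTTP, the parsing dependencies should be declared where the installer enforces them, with a minimum version the maintainers have checked. That means `from setuptools import setup` in place of the distutils import and `install_requires=['pyasn1', dns],` here, with version bounds added once confirmed. The `setup()` call begins above this hunk.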