README: CSS ADKadmin v2.2

Table of Contents

Contact Us
Installing the Files
Configuration
Description of Functionality
Examples
Change History
Known Issues
Notices

=====================================================================
css_adkadmin v2.2 BETA
April 2004
=====================================================================
Copyright (c) 2002-2004 Certified Security Solutions, Inc.

This document describes the installation and usage of the
css_adkadmin utility.

The utility is designed for operation on:
* Solaris version 7 and higher
* HP-UX version 11 and higher
* Red Hat Linux version 7 and higher

======================================================================
Contact Us
======================================================================

Certified Security Solutions, Inc.
6050 Oak Tree Blvd, suite 390
Independence, OH 44131
Phone: 216.674.0700
Fax: 216.674.0701


Email: comments@css-security.com
URL: www.css-security.com

======================================================================
Installing the Files
======================================================================
This release includes the files listed below.

   css_adkadmin
   install.sh
   README
   LICENSE

Run this command with root privilege to install css_adkadmin:

   ./install.sh

This is the directory structure of the installed components:

   File                                      Perms     Owner Group
   ----                                      -----     ----- -----
   /opt/cssi/adkadmin_2.2/bin/css_adkadmin   755       root  root
   /opt/cssi/adkadmin_2.2/doc/LICENSE        644       root  root
   /opt/cssi/adkadmin_2.2/doc/README         644       root  root

Additionally, the symbolic link /usr/bin/css_adkadmin is created.

The ownership, group and permissions can be tailored to meet the needs
of your environment (to restrict access to a limited group of users).

Should you desire to uninstall css_adkadmin, run this command with
root privilege:

   ./install.sh -u

======================================================================
Configuration
======================================================================
The css_adkadmin utility requires that the user have a principal
(user account) in the Active Directory database with sufficient
permissions to add, modify and delete users and computers from the
database.

Each system with css_adkadmin installed must have the Kerberos
configuration file set up. This file is typically found in
/etc/krb5.conf. At a minimum, each Kerberos realm that is serviced
by an Active Directory domain controller must be configured.

This is an example entry for the realm "COMPANY.COM" that is
serviced by the Active Directory domain controller "dc1.company.com":

   COMPANY.COM = {
         kdc = dc1.company.com:88
   }

======================================================================
Description of Functionality
======================================================================
The css_adkadmin utility is designed to allow a system administrator
to manage user and service principals (both user accounts and computer
accounts) in a Microsoft Active Directory database from a UNIX host.
The tool provides the ability to:

1. Add user and computer accounts with the service principal
attribute.
2. Add user accounts without the service principal attribute.
3. Modify the password for any Active Directory user or computer
account and write it, as a key, to a key table file on the UNIX
host.
4. Modify attributes for any Active Directory user or computer
account.
5. View attributes for any Active Directory user or computer
account.

One common problem that is encountered when using Active Directory as
a security server for Unix machines is creating service key table
entries for principals on the Unix machines. This typically involves
creating a key table on Windows using ktpass, securely transferring
the key table to the Unix machine and finally either copying it to
the correct location with correct permissions or merging the new
key into the existing key table using the native key table
configuration tool (typically ktutil). This can be accomplished in
one step using css_adkadmin. See the usage examples, below.

Terminology:
   For the purposes of this README, these three account types,
   "computer account", "service principal" and "user account", are
   defined as follows:

   A "computer account" is an Active Directory account that has a
   name of the form "host/instance@REALM" and has the Active
   Directory service principal attribute set.

   A "service principal" is an Active Directory account that does not
   have a name of the form "host/instance@REALM" but does have the
   Active Directory service principal attribute set.

   A "user account" is an Active Directory account that does not have
   a name of the form "host/instance@REALM" and also does not have
   the service principal attribute set.

   Active Directory makes a distinction between service principals of
   the form "host/instance" and other service principals. Accounts
   with the service principal attribute that begin with "host" are
   computer accounts. Accounts with the service principal attribute
   that begin with something other than "host" are "service principal"
   accounts.

   The following is an example of a service principal:
      igloo/machine1.company.com@COMPANY.COM

   The following is an example of a computer account:
      host/machine2.company.com@COMPANY.COM


Usage:
   css_adkadmin [-v] [-r realm] [-p principal] [-w password]
   [-c cache] [-k [-t keytab]] [-s admin_server[:port]] [-q query]

   -c cache
      Specifies which credentials cache to use. Note that if a
      principal is also specified, it must match the default
      credentials cache principal. Otherwise a temporary credentials
      cache will be used.

   -k [-t keytab]
      The -k specifies to use a key table for the principal's key
      rather than reading the credentials cache or prompting the
      user. The -t specifies which key table file to use. The default
      key table is the MIT default /etc/krb5.keytab.

   -p principal
      Specifies the principal to be used to administer accounts. If
      not specified, the default principal in the credentials cache
      will be used. If that is not available, the principal will be
      prompted for. Note that if the specified principal does not
      match the default principal in the credentials cache, a
      temporary credentials cache will be used.

   -q query
      Query may be any valid command that may be used in interactive
      mode. Use the command "help" for more information on available
      commands.

   -r realm
      Specifies the name of the realm to be contacted. If not
      specified, an attempt is made to determine the realm based on
      other options such as "-s" and "-p". As a last resort the
      default realm is used.

   -s admin-server[:port]
      Specifies the name of the Active Directory domain controller
      and, optionally, the port to be used to make the LDAP
      connection to the domain controller. If not specified, the
      domain controller will be determined based on the realm.

   -v
      Specifies verbose output.

   -w password
      Specifies the password to be used for the administrator
      principal. If not specified and a password is required,
      it will be prompted for.

Commands:

Most of the below commands can be executed either from within the
css_adkadmin command shell (interactive mode) or from the UNIX
command line using the query (-q) option. This allows for scripting
of the commands. For example, to add user principal "fsmith" with
password "password" via a script, type the following (you will be
prompted for the password for administrative principal "admin" if
valid credentials for this administrative user do not already exist
in the credentials cache):

   css_adkadmin -p admin -q "ank -user fsmith -pw password"

To add the same user within the css_adkadmin command shell type
the following (again, you will be prompted for the password for
administrative principal "admin" if valid credentials for this
administrative user do not already exist in the credentials cache):

   css_adkadmin -p admin
   adkadmin: ank -user fsmith
         Enter new password for fsmith@REALM: password
         Confirm password for fsmith@REALM: password

You may type "help" followed by a command when you are within the
css_adkadmin command shell or use the -q option on css_adkadmin
from the UNIX command line followed by help and a command in
quotes for assistance with any command. For example, from within
the css_adkadmin shell, type the following for help in adding
a principal:

   adkadmin: help ank

From the UNIX command line, type the following for help in
adding a principal:

   css_adkadmin -q "help ank"

Available commands are:

   Add a principal:
      add_principal, addprinc, ank
   Usage:
      add_principal [options] principal
   Options:
      {+|-}allow_delegation
         The -allow_delegation option sets the userAccountCtrl flag
         UF_NOT_DELEGATED which prevents the principal from being
         delegated. The +allow_delegation option doesn't and is the
         default.
      {+|-}allow_svr
         The +allow_svr option sets the servicePrincipalName
         attribute which allows the principal to act as a service.
         The -allow_svr option doesn't and is the default for user
         principals. The +allow_svr option is the default for
         computer and service principals. Note that Active
         Directory may require service principals to have exactly
         one or two instances (e.g. service/instance1/instance2@REALM).
      -attr name=value
         Sets an Active Directory attribute. Name is the name of the
         attribute and value is the value to be set. This option may
         be used multiple times.
      -group group
         Group is expected to be in X500 format (e.g.
         OU=subgroup,CN=Users). In the simple case of a single level
         (e.g. CN=Users), the CN= or OU= may be omitted. The default
         group is CN=Computers for computer principals and CN=Users
         for all other principals. It is recommended that the desired
         group be explicitly specified.
      -k [keytab]
         Specifies a key table entry is to be created. Keytab
         specifies the name of the key table to be used. The default
         key table name is the MIT default /etc/krb5.keytab.
      {+|-}needchange
         The +needchange option forces a password change. The
         -needchange option doesn't and is the default. The
         +needchange option is not allowed when using a random key.
      -pw password
         Specifies the password to be used for the principal. If a
         password is required but not specified by using this option,
         it will be prompted for.
      {+|-}pwexpire
         The -pwexpire option sets the userAccountCtrl flag
         UF_DONT_EXPIRE_PASSWD. The +pwexpire option doesn't and is
         the default for user principals. The -pwexpire option is
         the default for service and computer principals.
      {+|-}randkey
         The +randkey option specifies that a random password is to
         be used for the principal. The -randkey option specifies
         that a non-random password is to be used. The +randkey
         option is the default for service and computer principals.
         The -randkey option is the default for user principals.
      {+|-}requires_hwauth
         The +requires_hwauth option sets the userAccountCtrl
         flag UF_SMARTCARD_REQUIRED. The -requires_hwauth option
         doesn't and is the default. Hwauth is not allowed for
         computer principals.
      {+|-}trusted_for_deleg
         The +trusted_for_deleg option sets the userAccountCtrl flag
         UF_TRUSTED_FOR_DELEGATION which allows the principal to
         receive delegated credentials. The -trusted_for_deleg option
         doesn't and is the default.
      {+|-}use_des
         The +use_des option sets the userAccountCtrl flag
         UF_USE_DES_KEY_ONLY to support older applications that
         don't support RC4-HMAC. The -use_des option doesn't and is
         the default. +use_des is not allowed for user principals.
      -user
         Specifies that the principal is a user principal.

   Change a principal password:
      change_password, cpw
   Usage:
      change_password [options] principal
   Options:
      -pw password
         Specifies the password to be used for the principal. If a
         password is required but not specified by using this option,
         it will be prompted for.
      {+|-}randkey
         The +randkey option specifies that a random password is to
         be used for the principal. The -randkey option specifies that
         a non-random password is to be used. The -randkey option is
         the default.

   Delete a principal:
      delete_principal, delprinc
   Usage:
      delete_principal [options] principal
   Options:
      -force
         Specifies not to ask for confirmation.

   List account information for an account (the "account" field
   differs from the "principal" field in Active Directory, which is
   most significant for principals with an instance--a principal
   called "host/mymachine.domain.com@REALM" will have an account
   in Active Directory along the lines of "mymachinewdpngq$"):
      get_account, getacct
   Usage:
      get_account [options] account
   Options:
      -terse
         Specifies to list summary information only. By default the
         entire account entry will be listed.

   List account information for a principal (the "account" field
   differs from the "principal" field in Active Directory, which is
   most significant for principals with an instance--a principal
   called "host/mymachine.domain.com@REALM" will have an account
   in Active Directory along the lines of "mymachinewdpngq$"):
      get_principal, getprinc
   Usage:
      get_principal [options] principal
   Options:
      -terse
         Specifies to list summary information only. By default the
         entire account entry will be listed.

   Add an entry to a service key table:
      ktadd, xst
   Usage:
      ktadd [options] principal
   Options:
      -k keytab
         Keytab specifies the name of the key table to be used. The
         default key table name is the MIT default /etc/krb5.keytab.
      -pw password
         Specifies the password to be used for the principal. If a
         password is required but not specified by using this option,
         it will be prompted for.
      {+|-}randkey
         The +randkey option specifies that a random password is to be
         used for the principal. The -randkey option specifies that
         a non-random password is to be used. The +randkey option is
         the default.

   Note: css_adkadmin must be run with root privilege when adding to a
         service key table that is only writable by root. This is
         typically the case when adding keys to /etc/krb5.keytab, for
         example.

   List all principals in the database:
      list_principals, listprincs, get_principals, getprincs,
      list_entries, listentries, get_entries, getentries
   Usage:
      list_principals [options] [filter]
   Options:
      -verbose
         Specifies to list the entire account entry. By default
         only summary information will be listed.
   Filter:
      Uses the format defined in RFC 2254, e.g. (sAMAccountName=z*).

   Modify a principal:
      modify_principal, modprinc
   Usage:
      modify_principal [options] principal
   Options:
      {+|-}allow_delegation
         The -allow_delegation option sets the userAccountCtrl flag
         UF_NOT_DELEGATED which prevents the principal from being
         delegated. The +allow_delegation option clears the
         UF_NOT_DELEGATED flag.
      {+|-}allow_svr
         The +allow_svr option sets the servicePrincipalName
         attribute which allows the principal to act as a service.
         The -allow_svr option clears the servicePrincipalName
         attribute. Note that Active Directory may require service
         principals to have exactly one or two instances (e.g.
         service/instance1/instance2@REALM).
      -attr {add|delete|replace}=name=value
         Alters an Active Directory attribute. Name is the name
         of the attribute. Value is the value to be set or removed.
         Note that replace will replace all existing values with
         the new value. To replace one value, delete the old value
         and add the new value. This option may be used multiple
         times.
      -force
         Specifies not to ask for confirmation.
      +needchange
         The +needchange option forces a password change. Once set
         it cannot be unset.
      {+|-}pwexpire
         The -pwexpire option sets the userAccountCtrl flag
         UF_DONT_EXPIRE_PASSWD. The +pwexpire option clears the
         UF_DONT_EXPIRE_PASSWD flag.
      {+|-}requires_hwauth
         The +requires_hwauth option sets the userAccountCtrl flag
         UF_SMARTCARD_REQUIRED. The -requires_hwauth option clears
         the UF_SMARTCARD_REQUIRED flag. Hwauth is not allowed for
         computer principals.
      {+|-}trusted_for_deleg
         The +trusted_for_deleg option sets the userAccountCtrl flag
         UF_TRUSTED_FOR_DELEGATION which allows the principal to
         receive delegated credentials. The -trusted_for_deleg
         option clears the UF_TRUSTED_FOR_DELEGATION flag.
      {+|-}use_des
         The +use_des option sets the userAccountCtrl flag
         UF_USE_DES_KEY_ONLY to support older applications which don't
         support RC4-HMAC. The -use_des option clears the
         UF_USE_DES_KEY_ONLY flag.

   List available requests (help):
      list_requests, lr, help, ?

   Exit application:
      quit, exit, q

======================================================================
Examples
======================================================================
1. From the UNIX command line add a computer account in the default
   REALM with a random password using the ID "Administrator" with
   password "password", and add a key table entry for it to the
   default key table:

   css_adkadmin -p Administrator -w password \
      -q "ank host/machine1.mydomain.com"
   css_adkadmin -q "ktadd host/machine1.mydomain.com"

   Alternately, this can be accomplished in one command as follows:

   css_adkadmin -p Administrator -w password \
      -q "ank -k host/machine1.mydomain.com"

2. From within the css_adkadmin command shell, add a service principal
   in the default REALM with a random password to the group
   "services" and add a key table entry for it to
   /etc/krb5/krb5.keytab:

   css_adkadmin -p Administrator -w password
   adkadmin: ank -group ou=services,dc=mydomain,dc=com \
         igloo/machine2.mydomain.com
   adkadmin: ktadd -k /etc/krb5/krb5.keytab \
         igloo/machine2.mydomain.com

   Alternately, this can be accomplished in one command as follows:

   adkadmin: ank -group ou=services,dc=mydomain,dc=com \
         -k /etc/krb5/krb5.keytab igloo/machine2.mydomain.com

   Note: For this example, css_adkadmin must be run with root privilege
         in order to add the service key to /etc/krb5/krb5.keytab,
         because this file is typically only writable by root.

3. From within the css_adkadmin command shell, add a computer account
   to group "Computers" in the default REALM, choose to specify
   a password (rather than accept the default of generating a random
   key), and provide the password in the command:

   css_adkadmin -p Administrator -w password
   adkadmin: ank -group cn=Computers -randkey -pw neatopw \
         host/machine3.mydomain.com

4. From within the css_adkadmin command shell, add a user account
   to group "Users" in non-default REALM "COMPANY.COM" (this REALM
   must be defined in the [realms] section of your krb5.conf file)
   and have the tool prompt for the user's password:

   css_adkadmin -p Administrator -r COMPANY.COM -w password
   adkadmin: ank -group Users -user fsmith@COMPANY.COM

5. From within the css_adkadmin command shell, add a user account
   with password "pass1" to the group "OU=Administrators,CN=Users" in
   the default REALM of "DC=mydomain,DC=com":

   css_adkadmin -p Administrator -w password
   adkadmin: ank -group ou=Administrators,cn=Users -pw pass1 \
         -user jsmith@MYDOMAIN.COM

6. From within the css_adkadmin command shell, change a service
   principal's password to a new random value and add a key table
   entry to the /tmp/keytab key table:

   css_adkadmin -p Administrator -w password
   adkadmin: ktadd -k /tmp/keytab +randkey igloo/machine2.mydomain.com

7. From within the css_adkadmin command shell, modify the
   homeDirectory attribute for a user account:

   css_adkadmin -p Administrator -w password
   adkadmin: modprinc -attr replace=homeDirectory=/home/jsmith jsmith

8. From within the css_adkadmin command shell, modify the
   description attribute for a service principal and
   opt not to see the confirmation prompt:

   css_adkadmin -p Administrator -w password
   adkadmin: modprinc -force -attr replace=description="Service \
         principal for Igloo application" \
         igloo/machine2.mydomain.com
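An added example, not part of the css_adkadmin distribution, that ties the
Terminology rules, the -q scripting form and the examples above together: a
POSIX sh wrapper that classifies the principal, applies the README's ank
defaults, and authenticates the administrative principal through a
credentials cache (-c) or a key table (-k -t) so that no -w or -pw value
ever appears in process listings or shell history. The ADMIN_PRINC and
ADMIN_KEYTAB variables and all function names are assumptions of this
example, not css_adkadmin options.

```shell
#!/bin/sh
# Added example (not from the css_adkadmin distribution): a provisioning
# wrapper around "css_adkadmin -q" that follows the README's account-type
# rules and keeps secrets off the command line.
#
# Assumption (not from the README): the administrative credential already
# exists in a credentials cache (from kinit) or in an admin key table, so
# neither -w nor -pw is ever passed and nothing secret shows up in "ps".

# Classify a principal name per the README's Terminology section:
#   host/instance@REALM   -> computer account
#   other/instance@REALM  -> service principal
#   no instance (no '/')  -> user account
classify_principal() {
    case "$1" in
        host/*) echo computer ;;
        */*)    echo service ;;
        *)      echo user ;;
    esac
}

# Default container per the ank -group description: CN=Computers for
# computer principals, CN=Users for everything else. The README recommends
# passing -group explicitly, so callers may override this.
default_group() {
    case "$(classify_principal "$1")" in
        computer) echo "CN=Computers" ;;
        *)        echo "CN=Users" ;;
    esac
}

# Build the "ank" query. Service and computer principals keep the README
# defaults (+randkey, +allow_svr) and get a key table entry via -k; user
# principals get -user and are left to prompt for a password, so no -pw
# value is placed on the command line.
# Usage: build_ank_query principal [group] [keytab]
build_ank_query() {
    prin=$1
    group=${2:-$(default_group "$prin")}
    keytab=${3:-/etc/krb5.keytab}
    kind=$(classify_principal "$prin")
    if [ "$kind" = user ]; then
        echo "ank -group $group -user $prin"
    else
        echo "ank -group $group -k $keytab $prin"
    fi
}

# Guard: refuse if a caller tries to smuggle a password through argv.
reject_password_args() {
    for arg in "$@"; do
        case "$arg" in
            -w|-pw) return 1 ;;
        esac
    done
    return 0
}

# Run the query. ADMIN_PRINC names the administrative principal; if
# ADMIN_KEYTAB is set, authenticate with "-k -t keytab", otherwise use the
# credentials cache named by KRB5CCNAME (MIT default /tmp/krb5cc_<uid>).
provision() {
    reject_password_args "$@" || {
        echo "refusing: password passed on the command line" >&2
        return 2
    }
    query=$(build_ank_query "$@")
    if [ -n "$ADMIN_KEYTAB" ]; then
        set -- -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB"
    else
        set -- -p "$ADMIN_PRINC" -c "${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}"
    fi
    if command -v css_adkadmin >/dev/null 2>&1; then
        css_adkadmin "$@" -q "$query"
    else
        # Offline dry run so the wrapper can be exercised without the tool.
        echo "would run: css_adkadmin $* -q \"$query\""
    fi
}
```

Run as root only when the target key table is root-writable, exactly as
the note under ktadd says; the dry-run branch prints the command it would
issue when css_adkadmin is not installed.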

======================================================================
Change History
======================================================================
Version 2.2:
  - Provide single install package for all supported Red Hat versions.
  - Add support for RC4_HMAC. See new +use_des and -use_des options.
    See Known Issues section, below.
  - Add function to continue to renew the LDAP connection to Active
    Directory while css_adkadmin is open in interactive mode and idle.
    This resolves the timeout error, "Can't contact LDAP server", that
    previously occurred when the Active Directory session lifetime
    was reached--by default 15 minutes of inactivity.
  - Add function to compare the identified domain controller to the
    identified domain and produce an error message if there is a
    domain (realm) mismatch.
  - Fixed issue where user-specified account description was not
    added in Active Directory when new account was created.
  - Fixed issue where OS information for a computer account was not
    added to Active Directory when a new computer account was created.

Version 2.1:
  - Add support for HP-UX and Red Hat version 9.x.
  - Implement additional level of verbosity for debugging (-v -v).

Version 2.0:
  - Initial C-based release.

======================================================================
Known Issues
======================================================================

Kinit attempt using key stored in key table (kinit -k) hangs
   By default, css_adkadmin uses the RC4-HMAC encryption type for keys
   written to a key table. Older versions of Kerberos tools that don't
   support the RC4-HMAC encryption type, including MIT kinit versions
   prior to release 1.3.1, will be unable to decrypt these keys and
   will fail authentication. In some cases kinit may hang under these
   circumstances. To avoid this, use the +use_des option when creating
   principals whose keys will be stored in a key table and used for
   authentication with tools that do not support RC4-HMAC.
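   As an added example (not from the css_adkadmin distribution) of
   detecting this condition before a client hangs: a POSIX sh audit that
   parses a "klist -e -k" listing and reports principals whose only keys
   are RC4-HMAC. The sample listing is constructed, and the enctype
   strings it recognizes are assumed from MIT klist output. Since
   UF_USE_DES_KEY_ONLY pins the account to single DES, upgrading the client
   is the better fix wherever that is an option.

```shell
#!/bin/sh
# Added example (not from the css_adkadmin distribution): find key table
# entries that MIT kinit before 1.3.1 cannot use, per the Known Issues
# entry on "kinit -k" hanging.
#
# Assumption: "klist -e -k KEYTAB" prints one line per key ending with the
# enctype in parentheses, in either the older long form ("ArcFour with
# HMAC/md5", "DES cbc mode with CRC-32") or the newer short form
# ("arcfour-hmac", "des-cbc-crc").

# Map one klist enctype description to a family: rc4, des or other.
# Triple DES and AES are reported as "other"; only single DES counts as des.
enctype_family() {
    case "$1" in
        *"Triple DES"*|des3-*|*aes*|*AES*) echo other ;;
        *ArcFour*|*arcfour*|*rc4*|*RC4*)    echo rc4 ;;
        *"DES cbc"*|des-cbc-*)              echo des ;;
        *)                                  echo other ;;
    esac
}

# Print "family principal" for every key line of a listing read from stdin;
# header and separator lines (no trailing "(enctype)") are skipped.
keytab_families() {
    while IFS= read -r line; do
        case "$line" in
            *' ('*')') ;;
            *) continue ;;
        esac
        set -- $line                    # $1 = KVNO, $2 = principal
        enc=${line#*\(}
        enc=${enc%\)}
        echo "$(enctype_family "$enc") $2"
    done
}

# Principals that have an RC4-HMAC key and no single-DES key: these are
# the ones an RC4-unaware kinit will fail (or hang) on.
rc4_only_principals() {
    keytab_families | sort -u | awk '
        { fam[$2] = fam[$2] " " $1 }
        END { for (p in fam) if (fam[p] ~ /rc4/ && fam[p] !~ /des/) print p }
    ' | sort
}

# Constructed sample listing (not real output) so the audit runs offline.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 host/machine1.mydomain.com@MYDOMAIN.COM (ArcFour with HMAC/md5)
   2 igloo/machine2.mydomain.com@MYDOMAIN.COM (ArcFour with HMAC/md5)
   3 igloo/machine2.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   5 legacy/machine3.mydomain.com@MYDOMAIN.COM (des-cbc-crc)'

# Audit a real key table when a path is given and klist is available;
# otherwise audit the constructed sample.
audit_keytab() {
    if [ -n "$1" ] && command -v klist >/dev/null 2>&1; then
        klist -e -k "$1" | rc4_only_principals
    else
        printf '%s\n' "$SAMPLE_LISTING" | rc4_only_principals
    fi
}
```

Any principal the audit prints either needs the consuming host upgraded to an RC4-HMAC-capable Kerberos or, failing that, a DES key added as the entry above describes.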

Slow response time or response timeout
   When css_adkadmin is used while one or more Active Directory
   servers in a forest is down or unresponsive, css_adkadmin may be
   very slow to respond to requests or may timeout while waiting for
   a response. This may occur even if the server to which css_adkadmin
   is directing its request is functioning normally.

Segmentation fault (core dump)
   When css_adkadmin access is attempted based on a key table and a
   valid key table entry is not found, a segmentation fault may occur.
   This issue is only known to affect Linux.

Error: Message stream modified setting password
   When css_adkadmin is used in interactive mode, if the Kerberos
   credentials for this css_adkadmin session are replaced or updated
   (kinit, Kerberized login), the error "Message stream modified
   setting password" occurs when the next css_adkadmin request is
   made. Exit css_adkadmin and re-enter to resolve. Use css_adkadmin
   with the -c option to avoid.

Error: KDC has no support for encryption type while getting initial
credentials
   This error occurs when css_adkadmin access is attempted as user
   "Administrator" with password "password" if the password for the
   user has not been changed since the server's promotion to Active
   Directory. See:
   http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp


======================================================================
Notices
======================================================================
This product includes software developed at the Massachusetts
Institute of Technology (http://www.mit.edu/).

This product includes software developed by the OpenLDAP Foundation
(http://www.openldap.org/).

This product includes software developed by Computing Services
at Carnegie Mellon University (http://www.cmu.edu/computing/).

======================================================================
Certified Security Solutions Notices
======================================================================
Copyright (c) 2002-2004 Certified Security Solutions, Inc.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

   * Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
   * Neither the name of Certified Security Solutions nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
======================================================================
MIT Notices
======================================================================
Copyright (C) 1985-2003 by the Massachusetts Institute of Technology.

All rights reserved.

Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original MIT software.
M.I.T. makes no representations about the suitability of this software
for any purpose. It is provided "as is" without express or implied
warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support,
OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

----

Copyright 1987, 1989 by the Student Information Processing Board
      of the Massachusetts Institute of Technology

Permission to use, copy, modify, and distribute this software
and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice
appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation,
and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
used in advertising or publicity pertaining to distribution
of the software without specific, written prior permission.
Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original M.I.T. software.
M.I.T. and the M.I.T. S.I.P.B. make no representations about
the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.

======================================================================
Cyrus SASL Notices
======================================================================
Copyright (c) 2001 Carnegie Mellon University. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.

3. The name "Carnegie Mellon University" must not be used to
endorse or promote products derived from this software without
prior written permission. For permission or any other legal
details, please contact
      Office of Technology Transfer
      Carnegie Mellon University
      5000 Forbes Avenue
      Pittsburgh, PA 15213-3890
      (412) 268-4387, fax: (412) 268-7395
      tech-transfer@andrew.cmu.edu

4. Redistributions of any form whatsoever must retain the following
acknowledgment:
      "This product includes software developed by Computing Services
      at Carnegie Mellon University (http://www.cmu.edu/computing/)."

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

======================================================================
OpenLDAP Notices
======================================================================
Copyright 1998-2003 The OpenLDAP Foundation
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Individual files and/or contributed packages may be copyright by
other parties and subject to additional restrictions.

This work is derived from the University of Michigan LDAP v3.3
distribution. Information concerning this software is available
at .

This work also contains materials derived from public sources.

Additional information about OpenLDAP can be obtained at
.

----

The OpenLDAP Public License
   Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:

1. Redistributions in source form must retain copyright statements
and notices,

2. Redistributions in binary form must reproduce applicable copyright
statements and notices, this list of conditions, and the following
disclaimer in the documentation and/or other materials provided
with the distribution, and

3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time.
Each revision is distinguished by a version number. You may use
this Software under terms of this license revision or under the
terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in
advertising or otherwise to promote the sale, use or other dealing
in this Software without specific, written prior permission. Title
to copyright in this Software shall at all times remain with copyright
holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved. Permission to copy and
distribute verbatim copies of this document is granted.

----

Portions Copyright 1998-2003 Kurt D. Zeilenga.
Portions Copyright 1998-2003 Net Boolean Incorporated.
Portions Copyright 2001-2003 IBM Corporation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

----

Portions Copyright 1999-2003 Howard Y.H. Chu.
Portions Copyright 1999-2003 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that this notice is preserved.
The names of the copyright holders may not be used to endorse or
promote products derived from this software without their specific
prior written permission. This software is provided ``as is''
without express or implied warranty.

----

Portions Copyright (c) 1992-1996 Regents of the University of Michigan.
All rights reserved.

Redistribution and use in source and binary forms are permitted
provided that this notice is preserved and that due credit is given
to the University of Michigan at Ann Arbor. The name of the
University may not be used to endorse or promote products derived
from this software without specific prior written permission. This
software is provided ``as is'' without express or implied warranty.