New k5login option proposal for krb5_kuserok
Simo Sorce
ssorce at redhat.com
Thu Sep 30 09:19:13 EDT 2010
On Wed, 29 Sep 2010 19:21:35 -0400 (EDT)
ghudson at MIT.EDU wrote:
> If we go in the direction of that framework, I see the following new
> features to handle krb5_kuserok-related requests:
>
> * Make the interface pluggable, so that a database plugin can be
> added without making krb5 reliant on any particular database.
> (The original request was to add database support for
> aname-to-lname. I'm not sure it would be necessary to separately
> make aname-to-lname pluggable if we had pluggable kuserok.)
>
> * Add an option to specify where k5login files are found. This is
> independent of the framework since it can be modeled as a
> configuration option for the k5login module.
>
> * Since the plugin framework allows built-in modules to be disabled,
> an admin could disable .k5login files by disabling the k5login
> module.
>
> Comments are appreciated.
A module framework built this way looks really appealing, thanks!
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the krbdev
mailing list