[Kdc-info] policy-as-code

Ken Raeburn raeburn at MIT.EDU
Thu May 15 15:13:32 EDT 2003


Leif Johansson <leifj at it.su.se> writes:
> Well, it's authentication authorization but yes ... Note that in the
> case where the service is krbtgt (I only want my windows afs clients
> to get krb4 tgt's) the authorization policy still belongs in the
> kdc.

You're not conditionalizing the issuance of krb5 tickets, so I won't
complain about it.  :-)  If we still considered krb4 good for general
authentication, I might disagree with you.

> No. This sounds more like you want to provide hooks to describe the
> *existence* of policy (stored elsewhere) in the directory.

Yes.  Provide a handle, not a means of specification, for complex
policies.  Simple ones we can still define fully.

>  CPIM tries to model every type
> of policy as objects/attributes. The number of x-references this
> requires is what leads to a big mess.

Ouch.  Yeah, that'd be a problem.  I'd guess it becomes more like a
low-level language you don't want to use directly, but instead want to
generate using a "compiler" from a more appropriate higher-level
language.

Which can have its place, if that's what you want.
At the moment, I don't think it's what we want.

Ken
