MIT KDC & multiple admins for subsets of principals

Matthew J. Smith matt.smith at
Mon Mar 6 09:20:55 EST 2006

Thank you very much for the thorough response, and the kind offer of
code.  I am very intrigued by the kadmin plugin architecture that you
have described, and wish I had the time to devote to such a project.
Unfortunately for now, I will probably couple the password admin ACL
layer directly into our homegrown web-based admin toolset.

<snip source="greg at">
> I wrote a plug-in architecture for the MIT krb5kdc/kadmind system
> which allows them to be functionally extended with shared library
> plug-ins.  The kadmind plug-in currently implements storage of raw
> passwords, à la AD, within the database.  It wouldn't be a stretch to
> implement a hook within this framework to poll LDAP for a list of the
> identities which a principal with administrative rights could execute
> changes against.

Is there any chance that the main MIT codebase would ever include such a
plugin architecture, to facilitate extended functionality such as my
complex ACL use case?

Thank you again,

