MIT KDC & multiple admins for subsets of principals

Russ Allbery rra at
Tue Mar 7 00:12:47 EST 2006

"Matthew J Smith" <matt.smith at> writes:
> <snip source="greg at">
>> I wrote a plug-in architecture for the MIT krb5kdc/kadmind system
>> which allow them to be functionally extended with shared library
>> plug-ins.  The kadmind plug-in currently implements storage of raw
>> passwords, ala AD, within the database.  It wouldn't be a stretch to
>> implement a hook within this framework to poll LDAP for a list of the
>> identities which a principal with administrative rights could execute
>> changes against.
> </snip>

> Is there any chance that the main MIT codebase would ever include such a
> plugin architecture, to facilitate extended functionality such as my
> complex ACL use case?

Count Stanford University as another group interested in such a thing.  We
have our own policy and authorization layer sitting in front of kadmin
right now, but it would be really nice to replace that with hooks inside
kadmind so that users could follow standard web documentation for
downloading keytabs without having to use Stanford-specific programs.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list