krb5-sync 0.3 released

Russ Allbery rra at stanford.edu
Sun Jan 28 19:20:36 EST 2007


g w <g.w at hurderos.org> writes:

> If anyone else is interested in working on extended Kerberos
> functionality I just pushed a release candidate for our next release
> onto the FTP server.  The following URL should fetch it:

>         ftp://ftp.hurderos.org/pub/Hurderos/src/Hurderos-0.1.5-rc1.tar.gz

> The source release has a plugin architecture for MIT/KRB5 we have been
> developing against for the last two years.  In this release we split the
> plugin support into separate KDC, KADMIN and CLIENT components.

Is this plugin support at all similar to the plugin support that's been
added with MIT Kerberos 1.6?  I know that your plugins dive a bit deeper
into the guts of Kerberos, but I wasn't sure if they were (or will become)
an extension of the work in 1.6 or if they're coming from a much different
angle.

> You may want to look at the test KADMIN plugin.  About 7 months ago
> someone sent a note to the list about wanting to do ACLs for kadmind
> with LDAP.  You had mentioned that Stanford may be interested in
> infrastructure which used something besides the standard textfile ACLs.

We're going to go a different direction with this, I think, and instead
wrap the main place where we need ACLs (keytab creation) with a separate
utility with its own databases.  We need something even more complex than
LDAP ACLs, with multiple different sources of ACL information.

The plugins that we still need at Stanford are for password strength
checking and for status and password propagation.  My current hope is to
develop the hooks for such plugins using the framework added in 1.6,
hopefully targeting inclusion in 1.7.  Then I can just distribute the
loadable modules and supporting utilities and won't have to patch
Kerberos.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
