krb5 context initialization dilemma

Nico Williams nico at cryptonector.com
Wed Feb 22 17:37:41 EST 2012


[Re-send to list, with some edits.]

I can see the value of returning an error immediately, but I think
this is problematic as it might cause programs to start failing where
they were succeeding.  Perhaps a ./configure option could determine
whether to do this.

I would like to see a function that checks configuration.  This should
take a krb5_context and optional config file argument, and it should
check either the latter or the configuration in the given krb5_context
if no filename is given.  This function should have an output
parameter that allows for detailed error/warning messages to be shown
to the user.  This would even work for alternative configuration
stores.  What's nice about this is that one could use this for
checking the correctness of new configurations before installing them.

Alternatively you could add a new krb5_init_context() variant that
allows the application to specify whether configuration errors are
fatal or not.

Zhanna pointed me at the krb5.conf validator written in Python.  I
then mentioned the need for a schema for these things, how SMF has a
templating facility along those lines, and that MIT should consider
using JSON and JSON Schema for this.

Nico
--
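The checker proposed above, sketched as an added example. This is not MIT krb5 code, not the Python krb5.conf validator mentioned in the message, and not part of Nico's post; it is a stand-alone illustration of the shape such a function could take. The parser follows the krb5.conf profile format ([section] headers, key = value lines, and key = { ... } nested blocks). The "detailed error/warning output parameter" becomes a returned list of Issue records, and the "fatal or not" choice becomes a strict flag. The particular semantic checks (default_realm present and defined in [realms], every realm naming a kdc, [domain_realm] targets known, allow_weak_crypto flagged) are my own assumptions about what a validator should look for, and both sample configurations are constructed for the example.

```python
"""Added example: a krb5.conf checker in the spirit of the proposed
configuration-validation function.  Not MIT krb5's code; the parser and
the set of checks are assumptions chosen for illustration."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# A section maps keys to lists of values; a value is a str or a nested section.
Section = Dict[str, List[Any]]


@dataclass
class Issue:
    severity: str   # "error" or "warning"
    line: int       # 1-based line in the file, 0 for whole-file checks
    message: str

    def __str__(self) -> str:
        where = f"line {self.line}: " if self.line else ""
        return f"{self.severity}: {where}{self.message}"


class ConfigError(Exception):
    """Raised by check_krb5_conf(strict=True) if any error-severity issue exists."""


_SECTION_RE = re.compile(r"^\[([A-Za-z_][A-Za-z0-9_]*)\]$")
_ASSIGN_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> Tuple[Dict[str, Section], List[Issue]]:
    """Parse the profile format used by krb5.conf.  Repeated keys accumulate
    values (the MIT profile library allows several 'kdc = ...' lines)."""
    sections: Dict[str, Section] = {}
    issues: List[Issue] = []
    stack: List[Tuple[Section, int]] = []   # (parent section, line of the '{')
    current: Optional[Section] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            if stack:  # a new [section] while a '{' block is still open
                issues.append(Issue("error", lineno,
                    f"section header [{m.group(1)}] inside an unclosed '{{' block"))
                stack.clear()
            current = sections.setdefault(m.group(1), {})
            continue
        if line == "}":
            if not stack:
                issues.append(Issue("error", lineno, "'}' without a matching '{'"))
                continue
            current, _ = stack.pop()
            continue
        if current is None:
            issues.append(Issue("error", lineno,
                f"assignment before any [section] header: {line!r}"))
            continue
        m = _ASSIGN_RE.match(line)
        if not m:
            issues.append(Issue("error", lineno, f"cannot parse line: {line!r}"))
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":  # open a nested block and descend into it
            sub: Section = {}
            current.setdefault(key, []).append(sub)
            stack.append((current, lineno))
            current = sub
        else:
            current.setdefault(key, []).append(value)
    for _, open_line in stack:
        issues.append(Issue("error", open_line, "'{' block never closed"))
    return sections, issues


def _scalars(section: Section, key: str) -> List[str]:
    return [v for v in section.get(key, []) if isinstance(v, str)]


def check_krb5_conf(text: str, strict: bool = False) -> Tuple[Dict[str, Section], List[Issue]]:
    """Parse and validate; return (config, issues).  With strict=True, any
    error-severity issue raises ConfigError instead (the 'fatal' mode)."""
    config, issues = parse_krb5_conf(text)
    libdefaults = config.get("libdefaults", {})
    realms = config.get("realms", {})
    default_realm = _scalars(libdefaults, "default_realm")
    if not default_realm:
        issues.append(Issue("warning", 0, "[libdefaults] has no default_realm"))
    elif default_realm[-1] not in realms:
        issues.append(Issue("warning", 0,
            f"default_realm {default_realm[-1]} has no [realms] entry; KDCs must be found via DNS"))
    for name, entries in realms.items():
        blocks = [v for v in entries if isinstance(v, dict)]
        if not blocks:
            issues.append(Issue("error", 0, f"[realms] entry {name} is not a '{{ ... }}' block"))
        elif not any(_scalars(b, "kdc") for b in blocks):
            issues.append(Issue("warning", 0, f"realm {name} lists no kdc"))
    for domain, targets in config.get("domain_realm", {}).items():
        for target in targets:
            if isinstance(target, str) and target not in realms:
                issues.append(Issue("warning", 0,
                    f"[domain_realm] maps {domain} to unknown realm {target}"))
    # Security caveat: allow_weak_crypto = true re-enables single-DES enctypes.
    if any(v.lower() in ("true", "yes", "1") for v in _scalars(libdefaults, "allow_weak_crypto")):
        issues.append(Issue("warning", 0, "allow_weak_crypto is enabled: weak enctypes will be accepted"))
    if strict and any(i.severity == "error" for i in issues):
        raise ConfigError("; ".join(str(i) for i in issues if i.severity == "error"))
    return config, issues


# Constructed sample configurations for the example (not from any real site).
GOOD_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

BAD_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        admin_server = kdc1.example.com
    # missing closing brace

[domain_realm]
    .example.com = EXAMPLE.COM
    .other.com = OTHER.COM
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        _, found = check_krb5_conf(conf)
        print(f"{label}: {len(found)} issue(s)")
        for issue in found:
            print("  ", issue)
```

Run against a candidate file before installing it (the use case the message describes): errors are what a fatal-mode krb5_init_context would reject, warnings are what a non-fatal variant would let through silently today.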