[krbdev.mit.edu #8172] kadm5_hook needs a way to prevent looping

Mon May 4 15:34:54 EDT 2015

kadm5_hook can be used for synchronization from an MIT krb5 realm to 
another realm.  If the synchronization is bidirectional, we need a 
way to detect whether the kadm5 operation came from an incoming 
synchronization operation or whether the operation is original to 
this realm.  Currently there is no good way to know.  John Hascall 
suggested that knowing the invoking principal would be sufficient.

There are a few options:

1. Add a new optional version of each method, to be used in 
preference to the old method.  Lots of churn.

2. Rev the major version of the pluggable interface.  Also lots of 
churn.

3. Only rev the chpass method, on the theory that bidirectional 
synchronization is usually only done for password changes.

4. Add an optional method to receive the invoker, which we call 
before the pre-commit stage of each operation.  The module can 
remember this in the kadm5_hook_modinfo object.  Not terribly elegant 
because it uses a long-lived state object to hold a short-lived 
value, but functional.