(Final?) krb5.Conf Lexer/Parser Proposal
Theodore Ts'o
tytso at MIT.EDU
Fri Jan 6 15:15:18 EST 2006
On Fri, Jan 06, 2006 at 11:59:09AM -0800, Danilo Almeida wrote:
> It sounds like I did not understand what a "single-value tag" meant in what
> Alexis wrote:
>
> > The final signifier isn't even necessary to override
> > a single-value tag. You can just put it in your user
> > config file.
>
> So you cannot replace the "ATHENA.MIT.EDU" setting in the "realms" section
> because that is not a "single-value tag"?
>
> In Windows, the way that settings normally (should) work is like this: If a
> setting is present in the user registry, use that. Otherwise, try looking
> for the setting in the system registry. If it's not there either, use a
> built-in default. From what Ted was saying, it sounds like the profile
> library cannot emulate that w/o the final signifier. Is that correct?
An example might be the best way to clarify things.
Suppose the global config file has the following:

    [libdefaults]
        default_realm = ATHENA.MIT.EDU

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu:88
            kdc = kerberos-1.mit.edu:88
            kdc = kerberos-2.mit.edu:88
            kdc = kerberos-3.mit.edu:88
            admin_server = kerberos.mit.edu
            default_domain = mit.edu
        }

Now suppose the user config file has the following:

    [libdefaults]
        default_realm = THUNK.ORG

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos-2.mit.edu:88
            kdc = kerberos.mit.edu:88
            admin_server = kerberos-2.mit.edu
        }

From the point of view of the profile library, based on how it searches the
parsed config file trees, this would be equivalent to a single config file
with the following:

    [libdefaults]
        default_realm = THUNK.ORG
        default_realm = ATHENA.MIT.EDU

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos-2.mit.edu:88
            kdc = kerberos.mit.edu:88
            kdc = kerberos.mit.edu:88
            kdc = kerberos-1.mit.edu:88
            kdc = kerberos-2.mit.edu:88
            kdc = kerberos-3.mit.edu:88
            admin_server = kerberos-2.mit.edu
            admin_server = kerberos.mit.edu
            default_domain = mit.edu
        }

If there was a finalizer on the ATHENA.MIT.EDU stanza:

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos-2.mit.edu:88
            kdc = kerberos.mit.edu:88
            admin_server = kerberos-2.mit.edu
        }*

... then it would be equivalent to the following single config file:

    [libdefaults]
        default_realm = THUNK.ORG
        default_realm = ATHENA.MIT.EDU

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos-2.mit.edu:88
            kdc = kerberos.mit.edu:88
            admin_server = kerberos-2.mit.edu
        }

When Alexis wrote that the finalizer doesn't matter for single-value
tags, what she meant by that is if the application uses the
profile_get_integer, profile_get_string, et al. convenience
functions, only the value from the first relation is returned. So
even though there are two default_realm relations specified, only the
first one will be looked at by the krb5 library.
Now, it's a bit misleading to talk about "single-value tag" since
there is nothing special which sets them off as "single value tags" in
the config file, and indeed the profile library doesn't even recognize
"single-value tags" as a concept. Also, it is at least theoretically
possible for a program to query a relation via an interface which
returns the first matching tag, as well as the more general interface
which returns all possible matching relations.
Does this help?
- Ted
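
The lookup behaviour described in this message, as a simplified model added here for illustration (it is not code from the message or from the MIT profile library). The function names `parse`, `get_values` and `get_string` are hypothetical, the two sample files are the ones quoted in the message, and input is assumed to be well-formed.

```python
GLOBAL = """[libdefaults]
    default_realm = ATHENA.MIT.EDU
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        kdc = kerberos-3.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }"""
USER = """[libdefaults]
    default_realm = THUNK.ORG
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos-2.mit.edu:88
        kdc = kerberos.mit.edu:88
        admin_server = kerberos-2.mit.edu
    }"""

def parse(text):
    """Hypothetical simplified parser: nodes are [name, value, final]; value is str or node list."""
    stack = [["", [], False]]                 # stack[0] is a dummy root node
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):              # [section] or [section]*
            stack = [stack[0], [line.strip("[]*"), [], line.endswith("*")]]
            stack[0][1].append(stack[1])
        elif line in ("}", "}*"):             # end of stanza; "}*" marks it final
            stack.pop()[2] = line == "}*"
        elif "=" in line and line[0] not in "#;":
            name, value = (s.strip() for s in line.split("=", 1))
            node = [name, [] if value == "{" else value, False]
            stack[-1][1].append(node)
            if value == "{":                  # start of a stanza
                stack.append(node)
    return stack[0][1]

def get_values(levels, *path):
    """All values for path; `levels` holds the parsed files in search order (user first)."""
    for depth, want in enumerate(path):
        kind, found = (str if depth == len(path) - 1 else list), []
        for name, value, final in (n for nodes in levels for n in nodes):
            if name == want:
                found.append(value)
                if final:                     # finalizer: every later match is ignored
                    break
        levels = [v for v in found if isinstance(v, kind)]
    return levels

def get_string(levels, *path):                # first relation only (single-value lookup)
    return next(iter(get_values(levels, *path)), None)
```

Passing `[parse(USER), parse(GLOBAL)]` reproduces the merged view from the message, and `USER.replace("}", "}*")` reproduces the finalizer case, where the global `default_domain` is no longer visible.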