concerns with ldap plugin and 1.5
Sam Hartman
hartmans at MIT.EDU
Thu Jun 1 07:06:01 EDT 2006
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:

Will> I have a number of concerns regarding the ldap plugin and
Will> schema in the upcoming MIT 1.5 release:

Will> - There are a number of dereferences of vftabl function
Will> pointers in src/lib/kdb/kdb5.c that should check for NULL
Will> first. This causes a core dump if kdb5_util create is run
Will> and the ldap plugin is in use.

This does need to be fixed. I don't consider it a release blocker as
it is not a security problem but it would be embarrassing to release
this way.

Will> - As Nico points out in another e-mail, several principal
Will> attributes (last_success, last_failed, failed_auth_count)
Will> found in the krb5_db_entry struct are not found in the
Will> current schema. Is there a reason they are missing?

I don't consider this a release blocker; I do consider it a bug.

Will> - How is an existing db2 KDB migrated to an LDAP/Directory
Will> based KDB?

We do not currently have a solution for this.

Will> - Is there no concern about interface consistency between
Will> use of kdb5_util and krb5_ldap_util? The current situation
Will> where one must use kdb5_ldap_util to create/initialize a
Will> directory based KDB seems awkward to me.

We made a decision that this interface inconsistency was acceptable.

Will> - Nit: in kdb5_ldap_set_service_password() pwd.data should
Will> be memset(0) when it isn't in use. Also, I see: