concerns with ldap plugin and 1.5
Praveenkumar Sahukar
psahukar at novell.com
Thu Jun 1 07:25:35 EDT 2006
>>> On Thu, Jun 1, 2006 at 6:23 AM, in message <20060601005356.GA27225 at sun.com>,
Will Fiveash <William.Fiveash at sun.com> wrote:
> I have a number of concerns regarding the ldap plugin and schema in the
> upcoming MIT 1.5 release:
>
> - There are a number of dereferences of vftabl function pointers in
> src/lib/kdb/kdb5.c that should check for NULL first. This causes a
> core dump if kdb5_util create is run and the ldap plugin is in use.
This comment will be incorporated.
>
> - As Nico points out in another e-mail, several principal attributes
> (last_success, last_failed, failed_auth_count) found in the
> krb5_db_entry struct are not found in the current schema. Is there a
> reason they are missing?
This will be incorporated in the future.
>
> - How is an existing db2 KDB migrated to an LDAP/Directory based KDB?
We are designing a migration tool for migrating the MIT db2 KDB to an LDAP
database.
>
> - Is there no concern about interface consistency between use of
> kdb5_util and krb5_ldap_util? The current situation where one must
> use kdb5_ldap_util to create/initialize a directory based KDB seems
> awkward to me.
We did consider using the kdb5_util interface for the LDAP backend. But
the existing commands were not sufficient for the LDAP backend, and a lot
of additional LDAP backend specific options were needed even for the
basic commands currently available in kdb5_util (like create). With
these differences it was obvious that the kdb5_util interface would have
to change. So we decided to go with a separate utility.
>
> - Nit: in kdb5_ldap_set_service_password() pwd.data should be memset(0)
> when it isn't in use. Also, I see:
>
> /* set password in the file */
> pfile = fopen(file_name, "a+");
>
> Shouldn't the file being fopen()ed be tested to make sure the
> permissions and type are okay before modifying? Doesn't seem safe to
> me.
This comment will be incorporated.
Thanks,
Praveen Kumar
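An added example (not code from MIT krb5 or from the kdb5_ldap_util work under discussion), showing in C how the two points raised about kdb5_ldap_set_service_password() can be handled: open the password file without following symlinks, check the type, owner and mode of the descriptor actually obtained before writing, and zero the password buffer afterwards on every exit path. The function names, return codes and the "dn#password" line format are assumptions made for this example.

```c
/* Added example, not code from MIT krb5: open a service-password file for
 * appending only after verifying it is a regular, owner-only file, and zero
 * the password buffer once it has been written. Function names, return codes
 * and the "dn#password" line format are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1   /* O_NOFOLLOW, mkstemp, fdopen, symlink on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PW_OK = 0, PW_ERR_OPEN, PW_ERR_TYPE, PW_ERR_OWNER, PW_ERR_MODE, PW_ERR_WRITE };

/* Open PATH for append without following symlinks, then inspect the
 * descriptor we actually got (stat()ing the path and opening it afterwards
 * would be a TOCTOU race). Reject anything that is not a regular file, is
 * not owned by the effective uid, or is accessible by group or others. */
static int open_service_pw_file(const char *path, FILE **out)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return PW_ERR_OPEN;
    if (fstat(fd, &st) != 0)              { close(fd); return PW_ERR_OPEN; }
    if (!S_ISREG(st.st_mode))             { close(fd); return PW_ERR_TYPE; }
    if (st.st_uid != geteuid())           { close(fd); return PW_ERR_OWNER; }
    if (st.st_mode & (S_IRWXG | S_IRWXO)) { close(fd); return PW_ERR_MODE; }
    if ((*out = fdopen(fd, "a")) == NULL) { close(fd); return PW_ERR_OPEN; }
    return PW_OK;
}

/* Zero a secret through a volatile pointer so the stores are not optimised away. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Append "dn#password\n" and scrub PWD on every exit path, success or not. */
static int append_service_password(const char *path, const char *dn,
                                   char *pwd, size_t pwdlen)
{
    FILE *fp;
    int rc = open_service_pw_file(path, &fp);
    if (rc == PW_OK) {
        if (fprintf(fp, "%s#%.*s\n", dn, (int)pwdlen, pwd) < 0)
            rc = PW_ERR_WRITE;
        if (fclose(fp) != 0 && rc == PW_OK)
            rc = PW_ERR_WRITE;
    }
    scrub(pwd, pwdlen);
    return rc;
}

/* Exercise the checks on a constructed temp file; returns the number of
 * expectations that failed (0 means every case behaved as intended). */
static int run_demo(void)
{
    char path[] = "/tmp/svcpw.XXXXXX", lnk[] = "/tmp/svcpw-link.XXXXXX";
    char pwd[] = "s3cret", line[128] = "";
    const char *dn = "cn=kdc,o=example";
    int failed = 0, fd;
    FILE *rd;

    if ((fd = mkstemp(path)) < 0) return 99;   /* created with mode 0600 */
    close(fd);

    /* 1. Normal case: 0600 regular file owned by us -> written, buffer zeroed. */
    failed += append_service_password(path, dn, pwd, strlen(pwd)) != PW_OK;
    failed += pwd[0] != '\0';
    if ((rd = fopen(path, "r")) != NULL) { fgets(line, sizeof line, rd); fclose(rd); }
    failed += strcmp(line, "cn=kdc,o=example#s3cret\n") != 0;

    /* 2. Group/world-readable file -> refused before anything is written. */
    chmod(path, 0644);
    failed += append_service_password(path, dn, pwd, 0) != PW_ERR_MODE;
    chmod(path, 0600);

    /* 3. Symlink planted at the expected path -> refused by O_NOFOLLOW. */
    if ((fd = mkstemp(lnk)) >= 0) {
        close(fd); unlink(lnk);
        if (symlink(path, lnk) == 0) {
            failed += append_service_password(lnk, dn, pwd, 0) != PW_ERR_OPEN;
            unlink(lnk);
        }
    }
    unlink(path);
    return failed;
}

int main(void)
{
    int failed = run_demo();
    printf("%d check(s) failed\n", failed);
    return failed != 0;
}
```

The checks are made on the descriptor returned by open(), not on the path beforehand, so a swap between a stat() and the fopen() cannot slip in, and O_NOFOLLOW refuses a symlink dropped at the expected path outright. run_demo() creates its own temp file under /tmp and removes it, so the block runs stand-alone with a plain gcc invocation.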