Password sync plugin, and questions about plugin criticality
Sam Hartman
hartmans at MIT.EDU
Tue Jun 27 14:08:29 EDT 2006
>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:
>> Example of what I propose: PAM, where plug-ins simply export
>> function symbols named pam_sm_{authenticate, acct_mgmt,
>> setcred, open_session, close_session}.
Luke> We might want to consider what we can learn from PAM and
Luke> SLAPI regarding plugin stacking. PAM leaves this to the
Luke> administrator, in SLAPI all that is configurable is the
Luke> order of plugins (see previous mail).
Luke> Personally, I'm all for deployment flexibility, but OTOH
Luke> configuring PAM has created a lot of grief over the years,
Luke> particularly the interaction with plugins that are invoked
Luke> twice for a particular operation.
Luke> So, without digressing too much from solving the password
Luke> plugin problem, we should think about this carefully. :-)
Our goal is that in the normal case you need only drop a plugin into a
directory in order to enable it. You should not have to configure any
more than that. We will probably support a mechanism long-term for
overriding order.

We also support the concept of plugins retrieving plugin-specific
configuration from krb5.conf. Except when absolutely required we do
not want to force plugin-specific configuration.

--Sam
More information about the krbdev mailing list