Password sync plugin, and questions about plugin criticality
Nicolas Williams
Nicolas.Williams at sun.com
Tue Jun 27 14:12:57 EDT 2006
On Mon, Jun 26, 2006 at 09:15:08AM -0400, Ken Hornstein wrote:
> >On Mon, Jun 26, 2006 at 01:33:38AM -0400, Ken Hornstein wrote:
> >> void pwupdate_init(void **context, krb5_context);
Also, void * sucks.
Use pointers to incomplete structs instead, as Will suggests.
> >No krb5_context should be needed. One argument should suffice.
> >
> >Presumably it's up to the plug-in to be thread-safe.
>
> But if I want to call krb5_* functions (which is supposed to work in
> the MIT plug-in architecture), how would I do that without a krb5_context?
Call krb5_init_context() :) (you can stash that context in the
plug-in's handle...)
> >> int pwupdate_precommit_password(void *context, char *password, int pwlen,
> >> char *error_msg, int error_msg_len);
> >>
> >> Update the password in the external store; called before password
> >> is stored locally. In case of failure, return non-zero code and
> >> set error_msg to an error string.
> >
> >This mixes password quality checking and password updates.
>
> I don't see how. (One thing you may have missed; I had already worked
> out a password quality checking plugin separately).
Oh, I misinterpreted the purpose of the error_msg_* parameters.
> >Also, if you separate password quality checking from password
> >synchronization you can collapse these two functions into one.
>
> I don't think I can; some people absolutely want external password sync
> to happen before the password gets written locally; other people
> want the exact opposite.
Why? Do they expect atomicity?
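
The typed-handle suggestion from this message, sketched as an added example (not code from the thread or from MIT krb5). The plug-in hands out a pointer to an incomplete struct and stashes its own context inside it. `pwupdate_fini`, the `int` return from `pwupdate_init`, the `const` on `password`, and the `stub_*` context type (standing in for `krb5_init_context()`/`krb5_free_context()` so the block builds without libkrb5) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for krb5_context (assumption) so this builds without libkrb5.
   A real plug-in would call krb5_init_context()/krb5_free_context() here. */
typedef struct stub_krb5_ctx { int live; } *stub_krb5_context;
static int stub_init_context(stub_krb5_context *out) {
    *out = calloc(1, sizeof(**out));
    if (*out == NULL) return -1;
    (*out)->live = 1;
    return 0;
}
static void stub_free_context(stub_krb5_context c) { free(c); }

/* What the caller's header would declare: an incomplete type only.
   Passing some other pointer is a compiler diagnostic, unlike void *. */
struct pwupdate_handle;

/* Private definition, visible only inside the plug-in. */
struct pwupdate_handle {
    stub_krb5_context kctx;   /* created and owned by the plug-in */
};

int pwupdate_init(struct pwupdate_handle **out) {
    struct pwupdate_handle *h = calloc(1, sizeof(*h));
    if (h == NULL) return -1;
    if (stub_init_context(&h->kctx) != 0) { free(h); return -1; }
    *out = h;
    return 0;
}

void pwupdate_fini(struct pwupdate_handle *h) {   /* hypothetical name */
    if (h == NULL) return;
    stub_free_context(h->kctx);
    free(h);
}

/* Same shape as the precommit call quoted above, with the typed handle.
   On failure: non-zero return and a NUL-terminated, length-bounded message. */
int pwupdate_precommit_password(struct pwupdate_handle *h, const char *password,
                                int pwlen, char *error_msg, int error_msg_len) {
    if (h == NULL || password == NULL || pwlen <= 0) {
        if (error_msg != NULL && error_msg_len > 0)
            snprintf(error_msg, (size_t)error_msg_len, "invalid arguments");
        return 1;
    }
    /* The external store update goes here, using h->kctx for krb5_* calls. */
    return h->kctx->live ? 0 : 1;
}
```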