concerns with ldap plugin and 1.5
William.Fiveash at sun.com
Wed May 31 20:53:57 EDT 2006
I have a number of concerns regarding the ldap plugin and schema in the
upcoming MIT 1.5 release:
- There are a number of dereferences of vftabl function pointers in
src/lib/kdb/kdb5.c that should check for NULL first. This causes a
core dump if kdb5_util create is run and the ldap plugin is in use.
- As Nico points out in another e-mail, several principal attributes
(last_success, last_failed, failed_auth_count) found in the
krb5_db_entry struct are not found in the current schema. Is there a
reason they are missing?
- How is an existing db2 KDB migrated to a LDAP/Directory based KDB?
- Is there no concern about interface consistency between use of
kdb5_util and krb5_ldap_util? The current situation where one must
use kdb5_ldap_util to create/initialize a directory based KDB seems
awkward to me.
- Nit: in kdb5_ldap_set_service_password() pwd.data should be memset(0)
when it isn't in use. Also, I see:

    /* set password in the file */
    pfile = fopen(file_name, "a+");

Shouldn't the file being fopen()ed be tested to make sure the
permissions and type are okay before modifying? Doesn't seem safe to

Is MIT going to address these before releasing 1.5? And when is 1.5
scheduled for release?
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)