concerns with ldap plugin and 1.5

Will Fiveash William.Fiveash at
Wed May 31 20:53:57 EDT 2006

I have a number of concerns regarding the ldap plugin and schema in the
upcoming MIT 1.5 release:

- There are a number of dereferences of vftabl function pointers in
  src/lib/kdb/kdb5.c that should check for NULL first.  This causes a
  core dump if kdb5_util create is run and the ldap plugin is in use.

- As Nico points out in another e-mail, several principal attributes
  (last_success, last_failed, failed_auth_count) found in the
  krb5_db_entry struct are not found in the current schema.  Is there a
  reason they are missing?

- How is an existing db2 KDB migrated to a LDAP/Directory based KDB?

- Is there no concern about interface consistency between use of
  kdb5_util and krb5_ldap_util?  The current situation where one must
  use kdb5_ldap_util to create/initialize a directory based KDB seems
  awkward to me.

- Nit: in kdb5_ldap_set_service_password() should be memset(0)
  when it isn't in use.  Also, I see:

    /* set password in the file */
    pfile = fopen(file_name, "a+");

  Shouldn't the file being fopen()ed be tested to make sure the
  permissions and type are okay before modifying?  Doesn't seem safe to

Is MIT going to address these before releasing 1.5?  And when is 1.5
scheduled for release?

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the krbdev mailing list