Draft specification for kadmind plugin API

John Hascall john at iastate.edu
Fri Apr 20 23:13:36 EDT 2007


> John Hascall <john at iastate.edu> writes:
> > For this to be useful to us it would need to have hooks for other
> > operations, notably principal creation, deletion, and renaming.

> This isn't my particular itch, so I'd rather not take the burden of doing
> the work of specifying the interfaces.  However, if you can come up with
> the interface specification, I can add it to my proposal.

   For our needs, the same calling sequence for password-check
   would work for creation:

krb5_error_code (*created)(void *, const char *password,
                                   const char *principal,
                                   char *errstr, int errstrlen);

   but I can understand how others might need more info about
   the principal (policy? flags?)  And along the same lines:

krb5_error_code (*deleted)(void *, const char *principal,
                                   char *errstr, int errstrlen);

krb5_error_code (*renamed)(void *, const char *old_principal,
                                   const char *new_principal,
                                   char *errstr, int errstrlen);

   I do think that check/created might be better with the password
   and principal arguments swapping places though.

> Is principal renaming a supported operation in the kadmin protocol?  I
> don't see it mentioned in the kadmin man page, but that may not be
> definitive, I know.

    I seem to recall rename being something which has come
    and gone a couple of times.  I don't actually know its
    status in the current release.

> I may or may not be able to implement the libkadm5srv changes depending on
> how difficult they are, but it should be possible for someone else to add
> that.
> 
> Note that a hook for account creation is not generally useful for
> propagation into Active Directory unless it can draw from an external data
> source, since an MIT Kerberos KDC doesn't track all the information that
> Active Directory tracks about a user.

     True.  It is enough for us for KDC-to-KDC propagation and
     for propagation to Novell eDir, but for Windows-AD the
     receiving end does an LDAP query to fill in the other attributes.


John
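The hook table sketched in the message, exercised end to end as an added C example (not code from the message or from MIT Kerberos): the `kadmind_hooks` struct, `demo_ctx`, `demo_created`, `run_created_hook`, the realm check and the stand-in `krb5_error_code` typedef are all assumptions. It shows the errstr/errstrlen contract (snprintf truncation, no stale text on success) and that a non-zero return from the hook vetoes the operation.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in; the real type comes from krb5.h. */
typedef int krb5_error_code;

/* Hook table using the three signatures proposed in the message. */
struct kadmind_hooks {
    krb5_error_code (*created)(void *, const char *password, const char *principal,
                               char *errstr, int errstrlen);
    krb5_error_code (*deleted)(void *, const char *principal,
                               char *errstr, int errstrlen);
    krb5_error_code (*renamed)(void *, const char *old_principal,
                               const char *new_principal,
                               char *errstr, int errstrlen);
};

/* Per-plugin state handed back through the void * argument (constructed). */
struct demo_ctx { const char *realm; int calls; };

/* Sample created hook: only propagate principals in the plugin's own realm.
 * A non-zero return asks kadmind to fail the operation and report errstr. */
static krb5_error_code demo_created(void *data, const char *password,
                                    const char *principal,
                                    char *errstr, int errstrlen)
{
    struct demo_ctx *ctx = data;
    const char *at = strrchr(principal, '@');
    (void)password;   /* a propagation hook has no reason to keep or log it */
    ctx->calls++;
    if (at == NULL || strcmp(at + 1, ctx->realm) != 0) {
        /* snprintf always NUL-terminates, so a short buffer just truncates */
        snprintf(errstr, (size_t)errstrlen,
                 "principal %s is not in realm %s", principal, ctx->realm);
        return 1;   /* constructed code; a real plugin would use a krb5 errno */
    }
    return 0;
}

/* Caller side, as kadmind would do it: a missing hook is a no-op, and the
 * error buffer is cleared first so nobody reads stale text after success. */
krb5_error_code run_created_hook(const struct kadmind_hooks *h, void *data,
                                 const char *password, const char *principal,
                                 char *errstr, int errstrlen)
{
    if (errstrlen > 0) errstr[0] = '\0';
    if (h == NULL || h->created == NULL) return 0;
    return h->created(data, password, principal, errstr, errstrlen);
}
```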


