Fwd: pkinit SAN and EKU checking

Kevin Coffman kwc at citi.umich.edu
Mon May 14 22:47:14 EDT 2007


On 5/14/07, Sam Hartman <hartmans at mit.edu> wrote:
> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
>
>     >> Long term, it seems like you either try the external plugins
>     >> first, or you fall back to the external plugins.
>
>     Kevin> Yes, and I was opting for the former.
>
>
> But why do I need to configure it?
> If I have external plugins and they approve the whatever, then it's approved.
>
> Or is the intent of your config option to say that only external
> plugins are permitted and if they fail then rather than trying the
> default we fail the authentication?

That was the intent.  But if the preference is to always try plugins
and only if no decision is made from them, to fall back on default
processing, that is fine with me.  I think that is basically how the
lookup plugin code is structured, correct?
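
The two behaviours discussed in this thread, as an added sketch that is not part of the original message and is not krb5 or pkinit code: plugins are tried first, and when none of them decides, the result is either a fallback to default processing or a failed authentication. All type and function names, the sample names and the "first plugin decision is final" rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types; this is not the krb5 plugin interface. */
typedef enum { NO_DECISION, ACCEPT, REJECT } verdict;
typedef enum { PLUGINS_THEN_DEFAULT, PLUGINS_ONLY } policy;
typedef struct { const char *san; int has_pkinit_eku; } cert_info;
typedef verdict (*check_fn)(const cert_info *);

/* Stand-in for built-in processing: needs a SAN and the PKINIT EKU. */
static verdict default_check(const cert_info *c) {
    return (c->san && c->has_pkinit_eku) ? ACCEPT : REJECT;
}

/* Constructed site plugin: decides only for one realm, else abstains. */
static verdict site_plugin(const cert_info *c) {
    if (!c->san || !strstr(c->san, "@EXAMPLE.ORG"))
        return NO_DECISION;
    return ACCEPT;
}

/* Assumption: the first plugin that returns a decision is final. */
verdict evaluate(const cert_info *c, const check_fn *plugins, size_t n, policy p) {
    for (size_t i = 0; i < n; i++) {
        verdict v = plugins[i](c);
        if (v != NO_DECISION)
            return v;
    }
    /* No plugin decided: fail closed, or fall back to the default check. */
    return p == PLUGINS_ONLY ? REJECT : default_check(c);
}

/* Helper for the constructed samples: one plugin registered. */
verdict run_sample(const char *san, int eku, policy p) {
    const check_fn plugins[] = { site_plugin };
    cert_info c = { san, eku };
    return evaluate(&c, plugins, 1, p);
}

int main(void) {
    static const char *name[] = { "no decision", "accept", "reject" };
    printf("%s\n", name[run_sample("bob@OTHER.NET", 1, PLUGINS_THEN_DEFAULT)]);
    printf("%s\n", name[run_sample("bob@OTHER.NET", 1, PLUGINS_ONLY)]);
    printf("%s\n", name[run_sample("alice@EXAMPLE.ORG", 0, PLUGINS_ONLY)]);
    return 0;
}
```

The second sample is the case the configuration option was meant for: a certificate the default check would accept is refused because no plugin made a decision.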


