Fwd: pkinit SAN and EKU checking
Sam Hartman
hartmans at MIT.EDU
Tue May 15 10:14:06 EDT 2007
>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
Kevin> On 5/14/07, Sam Hartman <hartmans at mit.edu> wrote:
>> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
>>
>> >> Long term, it seems like you either try the external plugins
>> >> first, or you fall back to the external plugins.
>>
Kevin> Yes, and I was opting for the former.
>>
>>
>> But why do I need to configure it? If I have external plugins
>> and they approve the whatever, then its approved.
>>
>> Or is the intent of your config option to say that only
>> external plugins are permitted and if they fail then rather
>> than trying the default we fail the authentication?
Kevin> That was the intent. But if the preference is to always
Kevin> try plugins and only if no decision is made from them, to
Kevin> fall back on default processing, that is fine with me. I
Kevin> think that is basically how the lookup plugin code is
Kevin> structured, correct?
I think an option that disables default processing if the plugins fail
is fine. I think an option that you are required to set in order to
use the plugins is a bad idea because it introduces unnecessary
configuration.
--Sam
More information about the krbdev
mailing list