How to extend kadmin

Greg Hudson ghudson at MIT.EDU
Thu Oct 29 16:41:35 EDT 2009

On Thu, 2009-10-29 at 13:40 -0400, Sam Hartman wrote:
> Count me in the set of people who want to be able to use rpcgen.  This
> is under the assumption that we can find some way of generating
> encoders for krb5_principal.  Ken's solution seems fine to me.  Nico's
> solution--asking the application to deal--does not.

I've done a little more thinking about this today.

1. According to our current promises, we can change the C API of
libkadm5 in any way we want (without necessarily bumping api_version or
providing compatibility, though we do of course need to bump the
soname).  That means we can tamper with the principal_ent and policy_ent
structures as long as we don't change their network encodings.

2. If we add an api_version field to the principal_ent and policy_ent
structures, and custom encoding functions for those structures, then we
can make those structure encodings dependent on the api_version while
still using stock rpcgen for everything else.

So, Luke's approach to lockout support isn't necessarily incompatible
with using rpcgen--just with auto-generating xdr_kadm5_policy_ent_rec.
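
The idea in point 2, as an added sketch that is not part of the original message and is not libkadm5 code: a hand-written encoder for one record whose wire layout depends on an api_version field carried in the structure. The structure, its field names, the version numbers and the choice not to encode api_version itself are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a policy record; not the libkadm5 structure. */
struct demo_policy {
    uint32_t api_version; /* selects the wire layout; not encoded here (assumption) */
    uint32_t min_length;  /* constructed field present in every layout */
    uint32_t max_fail;    /* constructed field added in layout 2 */
};

/* XDR-style unsigned int: 4 bytes, big-endian. Returns 0 if it does not fit. */
static int put_u32(uint8_t *buf, size_t cap, size_t *off, uint32_t v) {
    if (*off > cap || cap - *off < 4) return 0;
    for (int shift = 24; shift >= 0; shift -= 8)
        buf[(*off)++] = (uint8_t)(v >> shift);
    return 1;
}

static int get_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *v) {
    if (*off > len || len - *off < 4) return 0;
    *v = 0;
    for (int i = 0; i < 4; i++)
        *v = (*v << 8) | buf[(*off)++];
    return 1;
}

/* Returns the number of bytes written, or 0 on failure. */
size_t demo_policy_encode(const struct demo_policy *p, uint8_t *buf, size_t cap) {
    size_t off = 0;
    if (!put_u32(buf, cap, &off, p->min_length)) return 0;
    if (p->api_version >= 2 && !put_u32(buf, cap, &off, p->max_fail)) return 0;
    return off;
}

/* Caller sets p->api_version first. Returns 1 only if buf is exactly one record. */
int demo_policy_decode(struct demo_policy *p, const uint8_t *buf, size_t len) {
    size_t off = 0;
    p->max_fail = 0;
    if (!get_u32(buf, len, &off, &p->min_length)) return 0;
    if (p->api_version >= 2 && !get_u32(buf, len, &off, &p->max_fail)) return 0;
    return off == len; /* a layout mismatch shows up as truncation or trailing bytes */
}

int main(void) {
    struct demo_policy v2 = {2, 8, 5};
    uint8_t buf[8];
    return demo_policy_encode(&v2, buf, sizeof buf) == 8 ? 0 : 1;
}
```

A version 1 record encodes to the same bytes as before the new field existed, and a decoder told the wrong version rejects the buffer instead of misreading it.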
