Password quality pluggable interface scope
Greg Hudson
ghudson at MIT.EDU
Fri Aug 27 12:29:16 EDT 2010
On Fri, 2010-08-27 at 12:06 -0400, Marcus Watts wrote:
> I reworked the containing logic to apply even if there
> was no policy, and passed the policy *name* (or a null ptr if no policy)
> into the plugin in case the pw quality plugin wanted to do something
> different depending on the policy.
That's a decent compromise between keeping things simple and providing
some amount of policy configurability.
> I put a fair bit of effort into one other thing you don't list above:
> configuring the plugins, and providing 'system' parameters for the plugins.
[...]
> /2/ loading the same plugin more than once with different configuration.
> ... so I wasn't very interested in "zero configuration" rules.
Plugin modules can read profile associations; consider PKINIT
configuration variables, for example, or LDAP back-end configuration.
Is there a reason you prefer configuration of plugins to be modeled as
system parameters? What are the use cases for loading the same plugin
more than once with different configuration?
> As I said before, I think the built-in parameters for policy records
> is unduly restrictive. I'd like to see a much more extensible format here.
I would too, but I'm afraid this aspect will probably have to wait for a
more comprehensive KDB-related project. We've had other requests for
KDC-related plugins to be able to store extensible data within the KDB,
so that may be a 1.10 project.
More information about the krbdev
mailing list