ANAME_DB re-enable with patch.

Nicolas Williams Nicolas.Williams at oracle.com
Thu Sep 2 19:51:57 EDT 2010


On Fri, Sep 03, 2010 at 12:26:23AM +0100, Roland C. Dowdeswell wrote:
> LDAP, we should be a little careful about.  Given that currently,
> krb5_kuserok() does not cause any network dependent services that
> can return transient failures and cannot block [for long] if you
> are running on a local file system, this could change the expectations
> of callers about how krb5_kuserok() actually works.  This is not
> to say that it shouldn't be done---but there are gotchas in taking
> a function call that returns explicit and correct results and adding
> in a network backend such as LDAP without also changing the API to
> allow for transient failures to occur in a way that calling
> applications can understand and cope with.

Apps that call krb5_kuserok() typically call lots of functions that
block on network I/O.  E.g., getpwnam(), PAM (when the PAM config
involves modules like pam_ldap), ...

There's always the risk of one more blocking call being one to break the
proverbial camel's back, but I'm not too concerned about that.  Keep in
mind that I'm all for async APIs.

Nico

More information about the krbdev mailing list
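
The concern raised in the quoted paragraph, as an added example that is not part of the original thread or of any Kerberos code: a boolean-shaped check has to fail closed, so a backend outage and a real denial look identical to the caller, while a tri-state result lets the caller retry or report the outage. The `authz_result` type, both backends, the mapping table and all function names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tri-state result; not part of any Kerberos library. */
typedef enum { AUTHZ_ALLOW, AUTHZ_DENY, AUTHZ_TRANSIENT } authz_result;
typedef authz_result (*authz_backend)(const char *princ, const char *luser);

/* Constructed mapping table standing in for a lookup on a local file. */
static authz_result local_backend(const char *princ, const char *luser) {
    static const char *map[][2] = {
        { "alice@EXAMPLE.COM", "alice" },
        { "ops@EXAMPLE.COM", "root" },
    };
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (strcmp(map[i][0], princ) == 0 && strcmp(map[i][1], luser) == 0)
            return AUTHZ_ALLOW;
    return AUTHZ_DENY;
}

/* Constructed stand-in for a network directory: the next `failures_left`
 * queries fail transiently, after which it answers like the local table. */
static int failures_left = 0;
static authz_result network_backend(const char *princ, const char *luser) {
    if (failures_left > 0) { failures_left--; return AUTHZ_TRANSIENT; }
    return local_backend(princ, luser);
}

/* Boolean-shaped check: it has to fail closed, so an outage and a real
 * denial reach the caller as the same 0. */
static int userok_bool(authz_backend be, const char *princ, const char *luser) {
    return be(princ, luser) == AUTHZ_ALLOW;
}

/* Tri-state check with a bounded retry; *tries reports the queries made. */
static authz_result userok_retry(authz_backend be, const char *princ,
                                 const char *luser, int max_tries, int *tries) {
    authz_result r = AUTHZ_TRANSIENT;
    for (*tries = 0; *tries < max_tries && r == AUTHZ_TRANSIENT; (*tries)++)
        r = be(princ, luser);
    return r;
}

int main(void) {
    int n;
    failures_left = 1;  /* one simulated outage, then the backend recovers */
    printf("bool during outage: %d\n",
           userok_bool(network_backend, "alice@EXAMPLE.COM", "alice"));
    failures_left = 1;
    printf("retry result: %d\n",
           userok_retry(network_backend, "alice@EXAMPLE.COM", "alice", 3, &n));
    return 0;
}
```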