Extensible kadm5 policies

Russ Allbery rra at stanford.edu
Tue Nov 1 22:50:01 EDT 2011

Dmitri Pal <dpal at redhat.com> writes:

> As long as you have transparency and manageability via tools that you
> can use, but can also get under the hood, as they are not sealing
> everything but rather provide convenience, you get the best of both
> worlds. That IMO might be more attractive to the organizations you are
> talking about above in the long run. We do not have enough statistics to
> prove the argument. Let us see how things would unfold.

This I agree with.  At this point we're all speculating about what
directions the deployers of Kerberos will want to go.

The conversation is also rather muddled by the fact that the current
database backends are not particularly great at being solid database
backends.  They've been used extensively for years and are therefore quite
stable, but that's nearly the only positive, and there are a lot of
negatives.  I can certainly agree with a litany of complaints about db2!
But I think many of them are problems with that particular form of a
database backend, not with the idea of not using LDAP.

> My bet is that LDAP based KDC deployments would start to gain more and
> more ground in the complex environments that you refer to. I am not
> suggesting designing just for the LDAP back end, but we should treat LDAP and
> DB back ends as mainstream back ends in our policy related design
> decisions and not focus on the DB approach only, as it would become less
> and less popular over time.

I think we can find substantial common ground in the last sentence.  While
at this point I'm dubious that I would ever want to use an LDAP backend, I
have no problem with treating it as a first-class citizen, and I know that
many people do indeed want to use it.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
