Extensible kadm5 policies

Simo Sorce simo at redhat.com
Sun Oct 30 18:59:57 EDT 2011

On Sun, 2011-10-30 at 17:06 -0500, Nico Williams wrote:
> I'll admit that my design is tempting in large part due to ease of
> coding, since it re-uses existing building blocks.  Most of the time
> we think of re-use as a very good thing, but I'll grant that it
> needn't always be so, and that this might be one case where it isn't.

Your design seems a huge hack built only with regard to the default
database backend and its limitations.

It would make it difficult to build a decent translation for the LDAP
backend and in general add a mapping burden on any custom backend.

This kind of hack seems ok for a custom project but I think that if you
want to push for additional policies upstream you really need to propose
a long term fix that is not an ugly hack imho.

I see no problem in changing APIs or adding RPCs if there is a clear
benefit to all KDC users.


Simo Sorce * Red Hat, Inc * New York
