Extensible kadm5 policies

Nico Williams nico at cryptonector.com
Sun Oct 30 19:27:52 EDT 2011

On Sun, Oct 30, 2011 at 5:59 PM, Simo Sorce <simo at redhat.com> wrote:
> Your design seems a huge hack built only with regard to the default
> database backend and its limitations.

Not so.  I will grant that the design was inspired by Heimdal's
current approach to policies.

> It would make it difficult to build a decent translation for the LDAP
> backend and in general add a mapping burden on any custom backend.

I don't agree.

> This kind of hack seems ok for a custom project but I think that if you
> want to push for additional policies upstream you really need to propose
> a long term fix that is not an ugly hack imho.

Well, I have done just that.  The design has been accepted by Love for
Heimdal, for example, though since I've not yet finished that work
there's still time to make changes.  And we had a discussion on
#krbdev about this the other day.  The whole point of this thread is
to come up with something that suits us and upstream.

> I see no problem in changing APIs or adding RPCs if there is a clear
> benefit to all KDC users.

Would you please address the need that we stated then?
