Extensible kadm5 policies

Dmitri Pal dpal at redhat.com
Sun Oct 30 21:13:58 EDT 2011


On 10/30/2011 07:27 PM, Nico Williams wrote:
> On Sun, Oct 30, 2011 at 5:59 PM, Simo Sorce <simo at redhat.com> wrote:
>> Your design seems a huge hack built only with regard to the default
>> database backend and its limitations.
> Not so.  I will grant that the design was inspired by Heimdal's
> current approach to policies.
>
>> It would make it difficult to build decent translation for the LDAP
>> backend and in general add a mapping burden on any custom backend.
> I don't agree.
>
>> This kind of hack seems ok for a custom project but I think that if you
>> want to push for additional policies upstream you really need to propose
>> a long term fix that is not an ugly hack imho.
> Well, I have done just that.  The design has been accepted by Love for
> Heimdal, for example, though since I've not yet finished that work
> there's still time to make changes.  And we had a discussion on
> #krbdev about this the other day.  The whole point of this thread is
> to come up with something that suits us and upstream.
>
>> I see no problem in changing APIs or adding RPCs if there is a clear
>> benefit to all KDC users.
> Would you please address the need that we stated then?
>
> Nico
> --
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
Can we please avoid hacks and make something generic and abstract? It
seems that it would make sense to have a policy call that would have
principal and other data about the authentication request as input and
then return a collection of policies that are related to the
authentication and can be passed on to the preauth plugins and can be
used by the external authentication methods. 

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

