Extensible kadm5 policies

Dmitri Pal dpal at redhat.com
Sun Oct 30 21:13:58 EDT 2011

On 10/30/2011 07:27 PM, Nico Williams wrote:
> On Sun, Oct 30, 2011 at 5:59 PM, Simo Sorce <simo at redhat.com> wrote:
>> Your design seems a huge hack built only with regard to the default
>> database backend and its limitations.
> Not so.  I will grant that the design was inspired by Heimdal's
> current approach to policies.
>> It would make it difficult to build decent translation for the LDAP
>> backend and in general add a mapping burden on any custom backend.
> I don't agree.
>> This kind of hack seems ok for a custom project but I think that if you
>> want to push for additional policies upstream you really need to propose
>> a long term fix that is not an ugly hack imho.
> Well, I have done just that.  The design has been accepted by Love for
> Heimdal, for example, though since I've not yet finished that work
> there's still time to make changes.  And we had a discussion on
> #krbdev about this the other day.  The whole point of this thread is
> to come up with something that suits us and upstream.
>> I see no problem in changing APIs or adding RPCs if there is a clear
>> benefit to all KDC users.
> Would you please address the need that we stated then?
> Nico
Can we please avoid hacks and make something generic and abstract? It
seems that it would make sense to have a policy call that would have
principal and other data about the authentication request as input and
then return a collection of policies that are related to the
authentication and can be passed on to the preauth plugins and can be
used by the external authentication methods. 

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
