Suggestion of change to certauth plugin interface
ghudson at mit.edu
Fri Dec 9 00:45:06 EST 2022
On 12/7/22 15:42, Ken Hornstein via krbdev wrote:
> I just now realized that there's not a wonderful way of getting the
> list of realms the KDC is configured to use AND it would be incredibly
> useful if the certauth plugin knew the list of configured KDC realms.
> Is it possible that the realmlist could be passed to the certauth plugin
> initialzer function? I realize that would probably require a major bump
> to the certauth plugin API.
This wouldn't necessarily require a major API bump, but can you
elaborate on what a certauth module would be interested in the
configured realm list, and can't build it up as queries come in?
There's a potential mode of KDC operation where multiple realms live in
the same database, and realms can be added and removed while the KDC is
running. This mode isn't currently supported (the kadmin/kdb5_util
tooling doesn't exist, and the KDC code only 99% supports it), but I'd
like to think carefully about adding plugin interfaces which conflict
with that option.
Does NRL use the current multiple realm KDC support? I have been
assuming that it's very rare to do so, because there isn't equivalent
support in kadmind.
More information about the krbdev