[1129] in Kerberos_V5_Development
Re: OV admin system integration plan
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Tue May 7 12:00:29 1996
Date: Tue, 7 May 1996 12:00:16 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: tytso@MIT.EDU
Cc: raeburn@cygnus.com, krbdev@MIT.EDU
In-Reply-To: <9605070419.AA06753@dcl.MIT.EDU> (tytso@MIT.EDU)

> Compatibility with Beta-5 and Beta-6
>
> First of all, there is the issue of smooth upgrades from Beta-5 and
> Beta-6. It should be a requirement that we be able to read *and* write
> old-format ASCII kdb dumps.

Well, I guess I'm outnumbered, so I'll cave.

> The kadmin server for Beta 5 and Beta 6 supports the Krb5 simple
> password changing protocol, and that *should* continue to work after we
> cut over to the OV kadmin server.

Right. We'll just have to modify the server to use the kadm5 api,
which will provide all the necessary database locking and enforce
password policies, etc. I'll add this to the plan.

> I would very much like to see the ability to use *either* db or
> dbm...

This is the attitude which has driven krb5 development for a long
time, and I strongly disagree with it. We should not attempt to
generalize a solution for every decision we come across, leaving the
final decision to the sysadmin that will build and install krb5.
Normal people do not care which database we use, they just want a
system which compiles easily and works. Giving them an option just
confuses their lives and makes krb5 even larger and more bloated.
Furthermore, every time you add a new option like this you increase
the likelihood of bugs and the difficulty of maintenance; are you
REALLY going to test the KDC and admin system thoroughly when compiled
with both databases? No, of course not; we'll be lucky if we get
around to testing it thoroughly with just one.
We need to choose either to use DB or DBM. We can mix the interfaces,
make libkdb use DB, or convert the OV code to use DBM. Avoiding the
decision by "supporting both" is the worst choice of all.
Barry