[16413] in Kerberos_V5_Development
Re: New k5login option proposal for krb5_kuserok
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Sep 30 09:19:23 2010
Date: Thu, 30 Sep 2010 09:19:13 -0400
From: Simo Sorce <ssorce@redhat.com>
To: krbdev@mit.edu
Message-ID: <20100930091913.6b6504a6@willson.li.ssimo.org>
In-Reply-To: <201009292321.o8TNLZGW025471@outgoing.mit.edu>
On Wed, 29 Sep 2010 19:21:35 -0400 (EDT)
ghudson@MIT.EDU wrote:
> If we go in the direction of that framework, I see the following new
> features to handle krb5_kuserok-related requests:
>
> * Make the interface pluggable, so that a database plugin can be
>   added without making krb5 reliant on any particular database.
>   (The original request was to add database support for
>   aname-to-lname. I'm not sure it would be necessary to separately
>   make aname-to-lname pluggable if we had pluggable kuserok.)
>
> * Add an option to specify where k5login files are found. This is
>   independent of the framework since it can be modeled as a
>   configuration option for the k5login module.
>
> * Since the plugin framework allows built-in modules to be disabled,
>   an admin could disable .k5login files by disabling the k5login
>   module.
>
> Comments are appreciated.

A module framework built this way looks really appealing, thanks!

Simo.
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev