[17334] in Kerberos_V5_Development
Re: Extensible kadm5 policies
daemon@ATHENA.MIT.EDU (Simo Sorce)
Sun Oct 30 19:00:05 2011
From: Simo Sorce <simo@redhat.com>
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOjAi93e5MgHU6+GAmOe1jZPODZ+ZzEeJ9GKUkYyHzTbSA@mail.gmail.com>
Date: Sun, 30 Oct 2011 18:59:57 -0400
Message-ID: <1320015597.7734.115.camel@willson.li.ssimo.org>
Cc: krbdev@mit.edu

On Sun, 2011-10-30 at 17:06 -0500, Nico Williams wrote:
> I'll admit that my design is tempting in large part due to ease of
> coding, since it re-uses existing building blocks. Most of the time
> we think of re-use as a very good thing, but I'll grant that it
> needn't always be so, and that this might be one case where it isn't.

Your design seems a huge hack built only with regard to the default
database backend and its limitations.

It would make it difficult to build a decent translation for the LDAP
backend and in general add a mapping burden on any custom backend.

This kind of hack seems ok for a custom project but I think that if you
want to push for additional policies upstream you really need to propose
a long term fix that is not an ugly hack imho.

I see no problem in changing APIs or adding RPCs if there is a clear
benefit to all KDC users.

Simo.

--
Simo Sorce * Red Hat, Inc * New York