[39075] in Kerberos
Re: Creating a principal using the kadmin C API
daemon@ATHENA.MIT.EDU (Teo Klestrup Röijez)
Mon Apr 11 11:13:34 2022
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Date: Mon, 11 Apr 2022 17:09:44 +0200
Message-ID: <2957453.irdbgypaU6@teo-dator-newarch>
In-Reply-To: <733bbe58-7c13-8abc-f0e6-3cbe979540ed@mit.edu>
From: Teo Klestrup Röijezon via Kerberos <kerberos@mit.edu>
Reply-To: Teo Klestrup Röijezon <teo.roijezon@stackable.de>

Hey, I'm a coworker of Lars' and working on this project.

On Friday, 8 April 2022 06.35.29 CEST Greg Hudson wrote:
> krb5_init_context_profile() lets you supply a profile object. If this
> is created with profile_init_path(), the application should be able to
> strictly control which file is used.
>
> It is possible to create an in-memory profile with
> profile_init_vtable(). Perhaps it would be nicer if one could create an
> empty in-memory profile object and populate it with
> profile_add_relation(), but that is not currently implemented.

profile_init_vtable() (or building it with profile_add_relation()) would be
ideal, yes. Our current prototype uses krb5_init_context_profile() for the sake
of simplicity (vtables are annoying to build up and maintain across the Rust-C
border, so I didn't want to go there until we could confirm that the rest
works).

However, the kadm5_init_*() family of functions (via init_any()) calls
kadm5_get_config_params(), which in turn always loads its own profile by calling
krb5_aprof_init() with a hard-coded choice of either DEFAULT_PROFILE_PATH or
DEFAULT_KDC_PROFILE. This _is_ possible to override with environment
variables, but that's a pretty big ask when linking to the library in-process.
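
What the environment-variable override mentioned in the message above involves when it is done in-process, as an added example that is not part of the original message or of MIT krb5. KRB5_CONFIG and KRB5_KDC_PROFILE are the variable names from MIT krb5's documentation (the message does not name them); with_profile_env() and probe_env() are hypothetical helpers, and probe_env() stands in for code that would call a kadm5_init_*() function.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv, unsetenv, strdup */
#endif
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* MIT krb5's documented variable names; the message does not spell them out. */
static const char *const PROFILE_ENV[2] = { "KRB5_CONFIG", "KRB5_KDC_PROFILE" };
/* The environment is process-global, so every override is serialized. */
static pthread_mutex_t env_lock = PTHREAD_MUTEX_INITIALIZER;

/* Run fn(arg) with both variables pointing at the given (non-NULL) paths,
 * then restore the previous environment. Returns fn's result, or -1 if the
 * override could not be installed (fn is not called in that case). */
int with_profile_env(const char *krb5_conf, const char *kdc_conf,
                     int (*fn)(void *), void *arg)
{
    const char *want[2] = { krb5_conf, kdc_conf };
    char *saved[2] = { NULL, NULL };
    int had[2] = { 0, 0 }, i, ok = 1, ret = -1;

    pthread_mutex_lock(&env_lock);
    for (i = 0; i < 2; i++) {
        const char *old = getenv(PROFILE_ENV[i]);
        had[i] = (old != NULL);
        saved[i] = old ? strdup(old) : NULL;   /* copy: setenv may move it */
        if ((old && !saved[i]) || setenv(PROFILE_ENV[i], want[i], 1) != 0)
            ok = 0;
    }
    if (ok)
        ret = fn(arg);   /* real use: a wrapper around a kadm5_init_*() call */
    for (i = 0; i < 2; i++) {                  /* put the old values back */
        if (saved[i])
            setenv(PROFILE_ENV[i], saved[i], 1);
        else if (!had[i])
            unsetenv(PROFILE_ENV[i]);
        free(saved[i]);
    }
    pthread_mutex_unlock(&env_lock);
    return ret;
}

/* Hypothetical stand-in: 1 if both variables name the expected files. */
struct probe { const char *krb5_conf, *kdc_conf; };
int probe_env(void *arg)
{
    const struct probe *p = arg;
    const char *a = getenv(PROFILE_ENV[0]), *b = getenv(PROFILE_ENV[1]);
    return a && b && !strcmp(a, p->krb5_conf) && !strcmp(b, p->kdc_conf);
}
```

The mutex only serializes callers of this helper: any other thread in the process that reads or writes the environment during the call still races with it, and everything that runs inside fn sees the overridden paths.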