[20399] in Kerberos_V5_Development
Re: Suggestion of change to certauth plugin interface
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Dec 9 00:46:07 2022
Message-ID: <8325af85-57c1-d6b6-3612-8d0805376030@mit.edu>
Date: Fri, 9 Dec 2022 00:45:06 -0500
MIME-Version: 1.0
Content-Language: en-US
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, krbdev@mit.edu
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <202212072042.2B7Kgi2I012469@hedwig.cmf.nrl.navy.mil>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
On 12/7/22 15:42, Ken Hornstein via krbdev wrote:
> I just now realized that there's not a wonderful way of getting the
> list of realms the KDC is configured to use AND it would be incredibly
> useful if the certauth plugin knew the list of configured KDC realms.
> Is it possible that the realmlist could be passed to the certauth plugin
> initializer function? I realize that would probably require a major bump
> to the certauth plugin API.
This wouldn't necessarily require a major API bump, but can you
elaborate on why a certauth module would be interested in the
configured realm list, and can't build it up as queries come in?
There's a potential mode of KDC operation where multiple realms live in
the same database, and realms can be added and removed while the KDC is
running. This mode isn't currently supported (the kadmin/kdb5_util
tooling doesn't exist, and the KDC code only 99% supports it), but I'd
like to think carefully about adding plugin interfaces which conflict
with that option.
Does NRL use the current multiple realm KDC support? I have been
assuming that it's very rare to do so, because there isn't equivalent
support in kadmind.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
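The reply above suggests that a certauth module could build up the realm list as requests arrive instead of receiving it at initialization. The following C sketch, added here as an example (it is not code from the thread or from MIT krb5, and it deliberately avoids the krb5 plugin headers so it compiles stand-alone), shows that approach: a small deduplicated realm set that a module's authorize callback would feed with each client principal it sees. The type and function names (`realm_set`, `realm_set_observe`, `demo_realm_count`) and the sample principals are hypothetical.

```c
/* Added example: accumulate the set of realms a KDC serves from the
 * principals seen in incoming requests, rather than needing the realm
 * list at module init time. All names here are hypothetical; the real
 * certauth module would call realm_set_observe() from its authorize()
 * callback with the unparsed client principal. */
#include <stdlib.h>
#include <string.h>

struct realm_set {
    char **realms;   /* owned, NUL-terminated realm names */
    size_t count;
    size_t cap;
};

/* Return the realm part of "name@REALM", or NULL if there is none.
 * The last '@' is used so that an escaped "\@" inside the name
 * component does not end the search early. */
static const char *principal_realm(const char *princ)
{
    const char *at = strrchr(princ, '@');
    return (at != NULL && at[1] != '\0') ? at + 1 : NULL;
}

static int realm_set_contains(const struct realm_set *s, const char *realm)
{
    for (size_t i = 0; i < s->count; i++) {
        if (strcmp(s->realms[i], realm) == 0)
            return 1;
    }
    return 0;
}

/* Record realm if it is new. Returns 1 if added, 0 if already known,
 * -1 on allocation failure. Storage grows geometrically so the cost
 * stays small on a busy KDC. */
static int realm_set_add(struct realm_set *s, const char *realm)
{
    if (realm_set_contains(s, realm))
        return 0;
    if (s->count == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 4;
        char **grown = realloc(s->realms, ncap * sizeof(*grown));
        if (grown == NULL)
            return -1;
        s->realms = grown;
        s->cap = ncap;
    }
    size_t len = strlen(realm) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, realm, len);
    s->realms[s->count++] = copy;
    return 1;
}

/* Hypothetical per-request hook: learn the client's realm from the
 * principal string. Returns -1 for a principal with no realm. */
int realm_set_observe(struct realm_set *s, const char *client_princ)
{
    const char *realm = principal_realm(client_princ);
    if (realm == NULL)
        return -1;
    return realm_set_add(s, realm);
}

void realm_set_free(struct realm_set *s)
{
    for (size_t i = 0; i < s->count; i++)
        free(s->realms[i]);
    free(s->realms);
    s->realms = NULL;
    s->count = s->cap = 0;
}

/* Driver over constructed sample principals (not real data); returns
 * the number of distinct realms learned. */
size_t demo_realm_count(void)
{
    static const char *sample[] = {
        "alice@EXAMPLE.COM",
        "bob@EXAMPLE.COM",
        "host/kdc.example.net@EXAMPLE.NET",
        "carol@EXAMPLE.COM",
        "svc\\@odd@THIRD.EXAMPLE",   /* escaped '@' inside the name */
    };
    struct realm_set s = { NULL, 0, 0 };
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        (void)realm_set_observe(&s, sample[i]);
    size_t n = s.count;
    realm_set_free(&s);
    return n;   /* 3: EXAMPLE.COM, EXAMPLE.NET, THIRD.EXAMPLE */
}
```

Two caveats worth keeping in mind with this approach. First, certauth runs during PKINIT processing of AS requests, so a realm only appears in the set once a client from that realm has attempted PKINIT; a freshly added realm in the multi-realm mode the reply describes is invisible until then, which is also why a static list handed to init would go stale. Second, the set above is unsynchronized; a KDC worker model with multiple threads would need a lock around `realm_set_observe`.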