[Freeipa-devel] kpasswd and minor fixes

Richard Megginson rmeggins at redhat.com
Thu Aug 9 20:11:34 UTC 2007


Rob Crittenden wrote:
> Simo Sorce wrote:
>> Attached my latest work in creating a kpasswd daemon that proxies
>> password changes to ldap.
>> This makes it possible to completely handle password changes with the
>> pwd-extop plugin and always use the same codepath.
>>
>> As I have been traveling, the local commit queue grew and part of this
>> stuff happened before the directory reorg ...
>>
>> Patches depend on each other, from lower number to higher; I
>> omitted any changeset that has already been committed.
>>
>> Simo.
>>
>
> Ignoring freeipa33 and 35...
>
> The freeipa36 patch is a little odd. It removes a bunch of code then 
> re-adds it?
>
> In any case, as a general note I think we need to autoconf-enable all of 
> IPA but it currently defaults to installing in /usr as the prefix. 
> This patch puts things into /usr/local. So I guess it should go into 
> /usr as well for the time being.
>
> We'll need to update the RPM spec file to add a BuildRequires on 
> kerberos and openldap (unless we want to link with mozldap).
I would suggest openldap, and use ossl2nss if possible if NSS is required.
>
> Should the IPA installer generate the keytab in 
> FILE:/var/kerberos/krb5kdc/kpasswd.keytab?
>
> The realm name is hardcoded into the source. Can this be a cmd-line or 
> config file option? Ideally it would be read out of /etc/ipa/ipa.conf.
>
> Is kpasswd a daemon? Should it use syslog for logging?
>
> How many concurrent connections at a time do we expect for this 
> service? Should we use poll() instead of select()?
>
> The return value of ldap_pwd_change() is unused. How do we know the 
> change was successful?
>
> There are places where result_err is set but this will never get into 
> kpreply: to actually use the result and return something, I presume to 
> the kerberos client. Instead it goes to done: and frees the connection.
>
> There are cases where the daemon will exit with an error. Are these 
> really unrecoverable?
>
> I don't know kerberos internals so can't really comment on much of the 
> code.
>
> rob
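The two error-handling points raised in the review above (the unused return value of ldap_pwd_change() and result_err never reaching kpreply:), shown as an added sketch that is not code from the patch under discussion. Only the names ldap_pwd_change, result_err, kpreply and done come from the thread; the handler, the stub and its password-length rule are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* kpasswd result codes (same values as KRB5_KPASSWD_* in krb5.h). */
enum { KPW_SUCCESS = 0, KPW_MALFORMED = 1, KPW_HARDERROR = 2 };

struct reply { int sent; int result_code; };

/* Stub for the LDAP password change: 0 on success, nonzero on failure.
 * Assumed rule for the demo: the directory rejects passwords under 8 chars. */
static int ldap_pwd_change(const char *princ, const char *newpw)
{
    (void)princ;
    return strlen(newpw) >= 8 ? 0 : -1;
}

/* fixed == 0 reproduces the two patterns questioned in the review;
 * fixed == 1 checks the return value and always answers the client. */
static struct reply handle_request(const char *princ, const char *newpw, int fixed)
{
    struct reply r = { 0, -1 };
    int result_err = KPW_SUCCESS;
    int ret;

    if (princ == NULL || newpw == NULL) {
        result_err = KPW_MALFORMED;
        if (fixed)
            goto kpreply;       /* error code reaches the client */
        goto done;              /* code is set, then dropped with the connection */
    }
    ret = ldap_pwd_change(princ, newpw);
    if (fixed && ret != 0)
        result_err = KPW_HARDERROR; /* unfixed path would report success here */
kpreply:
    r.sent = 1;
    r.result_code = result_err;
done:
    return r;
}

int main(void)
{
    /* Constructed inputs: principal and passwords are made up. */
    struct reply a = handle_request("alice@EXAMPLE.TEST", "short", 0);
    struct reply b = handle_request("alice@EXAMPLE.TEST", "short", 1);
    printf("unchecked: sent=%d code=%d\n", a.sent, a.result_code);
    printf("checked:   sent=%d code=%d\n", b.sent, b.result_code);
    return 0;
}
```

With the return value ignored, a rejected change is reported to the Kerberos client as success; with the early exit to done:, a malformed request gets no reply at all.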