[Freeipa-devel] kpasswd and minor fixes

Rob Crittenden rcritten at redhat.com
Thu Aug 9 20:56:23 UTC 2007


Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Thu, 2007-08-09 at 16:10 -0400, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> Attached my latest work in creating a kpasswd daemon that proxies
>>>> password changes to ldap.
>>>> This makes it possible to completely handle password changes with the
>>>> pwd-extop plugin and always use the same codepath.
>>>>
>>>> As I have been traveling, the local commit queue grew and part of this
>>>> stuff happened before the directory reorg ...
>>>>
>>>> Patches depend one on top of each other from lower number to higher; I
>>>> omitted any changeset that has already been committed.
>>>>
>>>> Simo.
>>>>
>>> Ignoring freeipa33 and 35...
>>>
>>> The freeipa36 patch is a little odd. It removes a bunch of code then 
>>> re-adds it?
>>>
>>> In any case, as a general note I think we need to autoconf-enable all of 
>>> IPA but it currently defaults to installing in /usr as the prefix. 
>>> This patch puts things into /usr/local. So I guess it should go into 
>>> /usr as well for the time being.
>>
>> Uhmm I don't think I have touched anything about locations
>> /me scratches head
> 
> In this patch it installs the daemon into /usr/local/sbin rather than 
> /usr/sbin. We should be doing our directory hardcoding at least 
> consistently IMHO
> 
>>> We'll need to update the RPM spec file to add a BuildRequires on 
>>> kerberos and openldap (unless we want to link with mozldap).
>>
>> openldap
>>
>>> Should the IPA installer generate the keytab in 
>>> FILE:/var/kerberos/krb5kdc/kpasswd.keytab?
>>
>> It should have been there, blame my newbiety with mercurial.
>> /me will never get it right how the merge process really works :/
>>
>>> The realm name is hardcoded into the source. Can this be a cmd-line 
>>> or config file option? Ideally it would be read out of 
>>> /etc/ipa/ipa.conf.
>>
>> freeipa37.patch fixes this
>>
>>> Is kpasswd a daemon? Should it use syslog for logging?
>>
>> yeah I should change all fprintf(stderr, ... to something that can choose
>> between syslog and stderr for debugging, it's on my TODO list
>>
>>> How many concurrent connections at a time do we expect for this 
>>> service? Should we use poll() instead of select()?
>>
>> it is just for people that change password via the kpasswd protocol. It
>> should be a very low traffic daemon.
>>
>>> The return value of ldap_pwd_change() is unused. How do we know the 
>>> change was successful?
>>
>> this is addressed in freeipa37.patch as well
>>
>>> There are places where result_err is set but this will never get into 
>>> kpreply: to actually use the result and return something, I presume 
>>> to the kerberos client. Instead it goes to done: and frees the 
>>> connection.
>>
>> I think I got all of them in freeipa37.patch, but I will recheck
>>
>>> There are cases where the daemon will exit with an error. Are these 
>>> really unrecoverable?
>>
>> Sometimes they are.
>>
>>> I don't know kerberos internals so can't really comment on much of 
>>> the code.
>>
>> Np, the code works, so I think I got them right ;-)
>>
>> If you think it is good enough I will push the patch.
>>
>> Simo.
>>
> 
> Well, maybe we should look at freeipa37.patch :-)
> 
> rob

Oh, wait, I didn't notice the other patches. I guess I'll try applying 
these all to a tree to see what the end result looks like.

rob