[Freeipa-devel] another snag with kerberos

Andrew Bartlett abartlet at samba.org
Fri Jul 20 02:11:25 UTC 2007 

On Thu, 2007-07-19 at 09:55 -0700, Pete Rowley wrote:
> Karl MacMillan wrote:

> > That solves our problem assuming that we can somehow handle the
> > authentication through the web gui to the xmlrpc layer. We could:
> >
> > 1) remove the xmlrpc layer (either entirely or just for the web gui)
> >   
> > 2) invent some way to pass who the user is and handle 'local'
> > communication between the gui and xmlrpc layer.
> >
> > We've debated several times whether the xmlrpc layer is truly useful - I
> > like it mainly because it gives a language neutral interface. However,
> > since it is causing a signification amount of complexity (not just this
> > - there is also the API design issues) I suggest we drop it for v1. We
> > can simply use a common python library for the web and commandline
> > interfaces. That should reduce our development time as well.
> >
> > Thoughts?
> >   
> As devil's advocate I feel compelled to point out that an approach that 
> places the system logic into client libraries (rather than on the 
> server) runs the risk of much more resistance to change in the future, 
> since now that change has a greater and more far reaching impact: 
> clients get built, sold, and generally hang around being a nuisance.

I was expecting that as part of 1) above, you would keep XML-RPC for the
command line client, so that you maintain this benefit.  That could then
call the same backend functions as the web gui, and we still only have
one kerberos-authenticated network hop. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070720/3b0a28e4/attachment.sig>

More information about the Freeipa-devel mailing list