[Freeipa-devel] kpasswd and minor fixes
Simo Sorce
ssorce at redhat.com
Thu Aug 9 20:39:52 UTC 2007
On Thu, 2007-08-09 at 16:10 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Attached my latest work in creating a kpasswd daemon that proxies
> > password changes to ldap.
> > This makes it possible to completely handle password changes with the
> > pwd-extop plugin and always use the same codepath.
> >
> > As I have been traveling the local commit queue grew, and part of this
> > stuff happened before the directory reorg ...
> >
> > Patches depend one on top of each other from lower number to higher, I
> > omitted any changeset that has already been committed.
> >
> > Simo.
> >
>
> Ignoring freeipa33 and 35...
>
> The freeipa36 patch is a little odd. It removes a bunch of code then
> re-adds it?
>
> In any case, as a general note I think we need autoconf-enable all of
> IPA but it currently defaults to installing in /usr as the prefix. This
> patch puts things into /usr/local. So I guess it should go into /usr as
> well for the time being.
Uhmm, I don't think I have touched anything about locations.
/me scratches head
> We'll need to update the RPM spec file to add a BuildRequires on
> kerberos and openldap (unless we want to link with mozldap).
openldap
> Should the IPA installer generate the keytab in
> FILE:/var/kerberos/krb5kdc/kpasswd.keytab?
It should have been there, blame my newbiety with mercurial.
/me will never get it right how the merge process really works :/
> The realm name is hardcoded into the source. Can this be a cmd-line or
> config file option? Ideally it would be read out of /etc/ipa/ipa.conf.
freeipa37.patch fixes this
> Is kpasswd a daemon? Should it use syslog for logging?
Yeah, I should change all fprintf(stderr, ... to something that can choose
between syslog and stderr for debugging; it's on my TODO list.
> How many concurrent connections at a time do we expect for this service?
> Should we use poll() instead of select()?
It is just for people that change password via the kpasswd protocol. It
should be a very low traffic daemon.
> The return value of ldap_pwd_change() is unused. How do we know the
> change was successful?
This is addressed in freeipa37.patch as well.
> There are places where result_err is set but this will never get into
> kpreply: to actually use the result and return something, I presume to
> the kerberos client. Instead it goes to done: and frees the connection.
I think I got all of them in freeipa37.patch, but I will recheck.
> There are cases where the daemon will exit with an error. Are these
> really unrecoverable?
Sometimes they are.
> I don't know kerberos internals so can't really comment on much of the code.
Np, the code works, so I think I got them right ;-)
If you think it is good enough I will push the patch.
Simo.