[Freeipa-devel] kpasswd and minor fixes

Simo Sorce ssorce at redhat.com
Thu Aug 9 20:39:52 UTC 2007


On Thu, 2007-08-09 at 16:10 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Attached my latest work in creating a kpasswd daemon that proxies
> > password changes to ldap.
> > This makes it possible to completely handle password changes with the
> > pwd-extop plugin and always use the same codepath.
> > 
> > As I have been traveling, the local commit queue grew, and part of this
> > stuff happened before the directory reorg ...
> > 
> > Patches depend one on top of each other from lower number to higher, I
> > omitted any changeset that has already been committed.
> > 
> > Simo.
> >
> 
> Ignoring freeipa33 and 35...
> 
> The freeipa36 patch is a little odd. It removes a bunch of code, then 
> re-adds it?
> 
> In any case, as a general note I think we need autoconf-enable all of 
> IPA but it currently defaults to installing in /usr as the prefix. This 
> patch puts things into /usr/local. So I guess it should go into /usr as 
> well for the time being.

Uhmm, I don't think I have touched anything about locations.
/me scratches head

> We'll need to update the RPM spec file to have a BuildRequires on 
> kerberos and openldap (unless we want to link with mozldap).

openldap

> Should the IPA installer generate the keytab in 
> FILE:/var/kerberos/krb5kdc/kpasswd.keytab?

It should have been there; blame my newbiety with Mercurial.
/me will never get it right how the merge process really works :/

> The realm name is hardcoded into the source. Can this be a cmd-line or 
> config file option? Ideally it would be read out of /etc/ipa/ipa.conf.

freeipa37.patch fixes this

> Is kpasswd a daemon? Should it use syslog for logging?

Yeah, I should change all fprintf(stderr, ...) to something that can choose
between syslog and stderr for debugging; it's on my TODO list.

> How many concurrent connections at a time do we expect for this service? 
> Should we use poll() instead of select()?

it is just for people that change password via the kpasswd protocol. It
should be a very low traffic daemon.

> The return value of ldap_pwd_change() is unused. How do we know the 
> change was successful?

this is addressed in freeipa37.patch as well

> There are places where result_err is set but this will never get into 
> kpreply: to actually use the result and return something, I presume to 
> the kerberos client. Instead it goes to done: and frees the connection.

I think I got all of them in freeipa37.patch, but I will recheck

> There are cases where the daemon will exit with an error. Are these 
> really unrecoverable?

Sometimes they are.

> I don't know kerberos internals so can't really comment on much of the code.

Np, the code works, so I think I got them right ;-)

If you think it is good enough I will push the patch.

Simo.
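The "something that can choose between syslog and stderr" mentioned above, as an added illustration that is not part of the kpasswd patches or of FreeIPA: a printf-style `log_msg()` that replaces the scattered `fprintf(stderr, ...)` calls, routed to stderr when the daemon runs in the foreground and to syslog once it is daemonized. All names here (`log_setup`, `log_msg`, `log_enabled`, the `-d` flag, the `ipa_kpasswd` ident) are assumptions for the example.

```c
#define _DEFAULT_SOURCE          /* vsyslog() declaration on glibc */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical logging shim for a kpasswd-style daemon (example only,
 * not code from the patches under discussion). */

enum log_target { LOG_TO_STDERR = 0, LOG_TO_SYSLOG = 1 };

static enum log_target cur_target = LOG_TO_STDERR;
static int debug_enabled = 0;

/* Human-readable tag used in the stderr form of a line. */
const char *log_prio_name(int prio)
{
    switch (prio) {
    case LOG_ERR:     return "error";
    case LOG_WARNING: return "warning";
    case LOG_INFO:    return "info";
    case LOG_DEBUG:   return "debug";
    default:          return "log";
    }
}

/* Choose the sink once at startup: stderr when run in the foreground
 * (debugging), syslog when running as a daemon. Returns the sink in use. */
enum log_target log_setup(const char *ident, int foreground, int debug)
{
    debug_enabled = debug;
    if (foreground) {
        cur_target = LOG_TO_STDERR;
    } else {
        /* LOG_PID tags each line with the daemon's pid; LOG_NDELAY opens
         * the syslog socket now, before any later chroot or privilege drop. */
        openlog(ident, LOG_PID | LOG_NDELAY, LOG_DAEMON);
        cur_target = LOG_TO_SYSLOG;
    }
    return cur_target;
}

/* Filter: debug chatter is dropped unless explicitly requested, so a
 * production daemon does not spray password-change internals into syslog.
 * Callers must still never put the password itself into a log line. */
int log_enabled(int prio)
{
    return prio != LOG_DEBUG || debug_enabled;
}

/* Drop-in replacement for fprintf(stderr, ...). Returns 1 if the message
 * was emitted, 0 if it was filtered out by log_enabled(). */
int log_msg(int prio, const char *fmt, ...)
{
    va_list ap;

    if (!log_enabled(prio))
        return 0;

    va_start(ap, fmt);
    if (cur_target == LOG_TO_SYSLOG) {
        vsyslog(prio, fmt, ap);
    } else {
        fprintf(stderr, "kpasswd[%s]: ", log_prio_name(prio));
        vfprintf(stderr, fmt, ap);
        fputc('\n', stderr);
    }
    va_end(ap);
    return 1;
}

int main(int argc, char **argv)
{
    /* "-d" keeps the daemon in the foreground and turns on debug output. */
    int foreground = (argc > 1 && strcmp(argv[1], "-d") == 0);

    log_setup("ipa_kpasswd", foreground, foreground);
    log_msg(LOG_INFO, "kpasswd proxy starting, realm %s", "EXAMPLE.COM");
    log_msg(LOG_DEBUG, "entering select() loop");        /* only with -d */
    log_msg(LOG_ERR, "ldap password change failed: %s", "constraint violation");
    return 0;
}
```

Without `-d` the three calls above go to syslog at facility `daemon` with the process id attached, and the debug line is suppressed; with `-d` they appear on stderr prefixed with the priority name, which is the behaviour wanted while iterating on the daemon.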