Re: Contribution: Active Directory Password Cache (ITS#5042)

Monday, 6 August 2007

On Aug 6, 2007, at 7:31 PM, ando(a)sys-net.it wrote:

...
 Sebastian,

 Thanks for the contribution.

 I have a few comments (also gathered from others):

 1) you should provide patches against HEAD code; there has been some
 limited changes in the API related to overlay initialization and so.

 2) you could try to rework the overlay to avoid any specific reference
 to Active Directory, since your cache should apply to any remote  
 system
 implementing Kerberos V.  It could be abstracted even more, to act  
 as a
 replacement of saslauthd, by allowing it to auth via LDAP, pam and  
 more,
 not just Kerberos. 
s/to act as a replacement/to defer external authentication to saslauthd
or the like/

In slapd(8), we deferred verification against external password  
stores to saslauthd
via the {SASL} userPassword mechanism, thus avoiding needing to  
implement
and support each possible external password store (such as a KDC).   
This module
should likewise avoid supporting (some subset of) external passwords  
stores.
saslauthd(8) can easily be extended (or replaced) to support additional
password stores as needed.  As provided in Cyrus SASL today, it  
supports both
LDAP and Kerberos as external password stores.

...

 3) you should add a (configurable) TTL, so that the cache could
 eventually be notified of an account lockout at the remote server's  
 side.

 4) you should add support for dynamic configuration, so that the  
 module
 can fit into the new configuration paradigm for possible release  
 with 2.4.

 5) you should follow coding guidelines (indentation and so) as in most
 of the code.

 p. 

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006