Jakub Hrozek wrote:
This series of patches implements creation of kdcinfo files when GSSAPI
is used with pure LDAP provider.
[PATCH 1/4] Add KDC to the list of LDAP options
A simple patch that adds a way to specify the KDC.

What about man pages? If we add an option should we update man pages?

[PATCH 2/4] Report Kerberos error code from ldap_child_get_tgt_sync
While looking at the ldap_child code, I noticed that the call to
ldap_child_get_tgt_sync should return the Kerberos specific error code
rather than errno.
[PATCH 3/4] Make ldap_child report kerberos return code to parent
The buffer used to communicate between parent and child now contains a
new parameter which is the Kerberos error code. An example of use of
this is detecting that KDC was unreachable in the following patch.
[PATCH 4/4] Initialize kerberos service for GSSAPI
I'm not very fond of patch #4 myself - the reason is that as far as I
remember, the sdap_ modules were meant to be a rather thin wrapper to
provide an "async set of LDAP calls", the provider and backend-specific
calls belong one level up, to the ldap_ modules. However, in order to
support fail over during sdap_kinit_, I used the be_resolve_ family of
functions there, which looks like breaking the abstraction level quite a
bit. If there are any suggestions on how to accomplish the kinit w/ fail
over better, I'll be glad to hear them.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.