Re: Behavioural differences in Heimdal and MIT

Gabor Gombas <gombasg@sztaki.hu> writes:

> Maybe the proper solution would be to allow different backends (LDAP,
> RDBMS etc.) for getting the information that is now contained in the
> .k5login file. That would allow completely avoiding file system access
> until the authentication/authorization process has finished.

Well, authorization doesn't really belong in libkrb5 at all; .k5login
is just an ad-hoc solution to a real-world problem.

> 1. Provide a callback that can be used to replace just the reading of
>    the .k5login file, leaving the content parsing/decision making in
>    Heimdal, or
> 2. Moving the decision making completely to the callback. This is more
>    general but applications may need to implement more logic than with
>    the first approach.

I think .k5login is a bit too simplistic, so I'd vote for 2.
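
The two callback designs from the quoted proposal, side by side, as an added example that is not code from this thread or from Heimdal. Every type and function name here is hypothetical, the backends are constructed stand-ins for an LDAP or RDBMS lookup, and the list parsing is simplified to an exact per-line match.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical callback types; neither is an existing Heimdal or MIT API. */
typedef const char *(*k5login_source_fn)(const char *luser, void *ctx); /* option 1 */
typedef int (*authz_decide_fn)(const char *principal, const char *luser, void *ctx); /* option 2 */

/* Option 1: the backend only supplies the list; the library keeps the parsing
 * (simplified: one principal per line, exact match) and the decision.
 * No data from the backend means deny. */
int authz_option1(k5login_source_fn src, void *ctx, const char *principal, const char *luser)
{
    const char *text = src(luser, ctx);
    size_t plen = strlen(principal);
    while (text && *text) {
        size_t len = strcspn(text, "\n");
        if (len == plen && memcmp(text, principal, len) == 0)
            return 1;
        text += len;
        if (*text == '\n')
            text++;
    }
    return 0;
}

/* Option 2: the backend decides; anything other than an explicit 1 is a deny. */
int authz_option2(authz_decide_fn decide, void *ctx, const char *principal, const char *luser)
{
    return decide(principal, luser, ctx) == 1;
}

/* Constructed backend for option 1, standing in for an LDAP or RDBMS lookup. */
const char *demo_source(const char *luser, void *ctx)
{
    (void)ctx;
    return strcmp(luser, "alice") == 0 ? "alice@EXAMPLE.ORG\nbob@EXAMPLE.ORG\n" : NULL;
}

/* Constructed backend for option 2: a rule, "luser@<realm in ctx>", not a list. */
int demo_decide(const char *principal, const char *luser, void *ctx)
{
    size_t n = strlen(luser);
    return strncmp(principal, luser, n) == 0 && principal[n] == '@'
        && strcmp(principal + n + 1, (const char *)ctx) == 0;
}

int main(void)
{
    printf("option 1, bob as alice: %d\n", authz_option1(demo_source, NULL, "bob@EXAMPLE.ORG", "alice"));
    printf("option 2, bob as alice: %d\n", authz_option2(demo_decide, (void *)"EXAMPLE.ORG", "bob@EXAMPLE.ORG", "alice"));
    return 0;
}
```

With option 1 the backend can only change where the list comes from; with option 2 the same question can be answered by a rule the flat list format has no way to express.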