
Re: Contribution: Active Directory Password Cache (ITS#5042)



s.hetze@linux-ag.de wrote:

>> 2) you could try to rework the overlay to avoid any specific reference
>> to Active Directory, since your cache should apply to any remote system
>> implementing Kerberos V.  It could be abstracted even more, to act as a
>> replacement of saslauthd, by allowing it to auth via LDAP, pam and more,
>> not just Kerberos.
> 
> Actually, the software was built and tested against MIT and Heimdal
> Kerberos V in the first place, so there is no dependency on AD
> whatsoever. The reference to AD is more a marketing issue. I assume
> more users looking for an AD password cache than for a Kerberos V
> password cache. So I would prefer to keep it.

I understand this, and I think it's just fine to advertise it like that, 
but in the code I'd prefer to avoid, for example, naming all variables 
after "ad" something.  Perhaps s/adpwc/extpwc/ would be a little bit better?

>> 3) you should add a (configurable) TTL, so that the cache could
>> eventually be notified of an account lockout at the remote server's side.
> 
> I tried to avoid introduction of new attributes for the module. Do you
> have any suggestions how this TTL should be stored? Adding pwdPolicy
> from ppolicy seems a bit like an overkill to me.

Well, that could be a parameter that is provided through the 
configuration (caching TTL, optional negative caching TTL, and so on).  It 
doesn't need to be stored in the entry, or in a subentry, since dynamic 
configuration would allow modifying it at run time anyway.

>> 4) you should add support for dynamic configuration, so that the module
>> can fit into the new configuration paradigm for possible release with 2.4.
> 
> I'll look into that.

If you need help, please holler.  However, I see that for such a simple 
(from a configuration point of view) module, looking into smbk5pwd 
should suffice.

>> 5) you should follow coding guidelines (indentation and so on) as in most
>> of the code.
> 
> I did not find any guidelines other than "Adapt your style to match that
> of the block, file, directory, or package that you are working in."
> Can you point me to a more detailed explanation of the required
> indentation?

There isn't actually, but looking into any "recent" piece of code would 
suffice; things like: use tabs for indent, leave spaces in brackets and 
so on... not a big deal, though.

Cheers, p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
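
Added example, not part of the original message and not code from the contributed overlay: a sketch of the lookup decision for point 3, with the caching TTL and negative caching TTL held in configuration and only a timestamp kept per cache entry. All type and function names here are hypothetical.

```c
#include <time.h>

/* All names are hypothetical; none come from the contributed overlay. */
typedef struct pwc_config {
	time_t	pos_ttl;	/* seconds a verified password may be served from cache; 0 = off */
	time_t	neg_ttl;	/* seconds a remote rejection is remembered; 0 = off */
} pwc_config;

typedef enum { PWC_EMPTY, PWC_POSITIVE, PWC_NEGATIVE } pwc_kind;

typedef struct pwc_entry {
	pwc_kind	kind;
	time_t		stamp;	/* when the remote server last answered for this entry */
} pwc_entry;

typedef enum { PWC_ACCEPT, PWC_REJECT, PWC_ASK_REMOTE } pwc_action;

/* The entry stores only a timestamp; the TTL is read from the live
 * configuration on every lookup, so a run-time change applies at once. */
static int
pwc_fresh( const pwc_entry *e, time_t ttl, time_t now )
{
	/* now < stamp means the clock stepped back: treat as stale */
	return ttl > 0 && now >= e->stamp && now - e->stamp < ttl;
}

/* matches: nonzero if the presented password equals the credential
 * stored with the entry (accepted or rejected, depending on kind) */
pwc_action
pwc_decide( const pwc_config *cf, const pwc_entry *e, int matches, time_t now )
{
	if ( !matches ) return PWC_ASK_REMOTE;	/* password may have changed remotely */
	if ( e->kind == PWC_POSITIVE && pwc_fresh( e, cf->pos_ttl, now ) )
		return PWC_ACCEPT;
	if ( e->kind == PWC_NEGATIVE && pwc_fresh( e, cf->neg_ttl, now ) )
		return PWC_REJECT;
	return PWC_ASK_REMOTE;	/* empty or expired: remote lockouts are seen here */
}

/* Record the remote verdict; a failure replaces any positive entry. */
void
pwc_update( pwc_entry *e, int remote_ok, time_t now )
{
	e->kind = remote_ok ? PWC_POSITIVE : PWC_NEGATIVE;
	e->stamp = now;
}
```

With this shape, an account locked on the remote side keeps authenticating from the cache for at most `pos_ttl` seconds, which is the trade-off the TTL setting controls.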