Re: Contribution: Active Directory Password Cache (ITS#5042)

[kurt@OpenLDAP.org]

On Aug 6, 2007, at 7:31 PM, ando@sys-net.it wrote:

> Sebastian,
>
> Thanks for the contribution.
>
> I have a few comments (also gathered from others):
>
> 1) you should provide patches against HEAD code; there has been some
> limited changes in the API related to overlay initialization and so.
>
> 2) you could try to rework the overlay to avoid any specific reference
> to Active Directory, since your cache should apply to any remote  
> system
> implementing Kerberos V.  It could be abstracted even more, to act  
> as a
> replacement of saslauthd, by allowing it to auth via LDAP, pam and  
> more,
> not just Kerberos.

s/to act as a replacement/to defer external authentication to saslauthd
or the like/

In slapd(8), we deferred verification against external password  
stores to saslauthd
via the {SASL} userPassword mechanism, thus avoiding needing to  
implement
and support each possible external password store (such as a KDC).   
This module
should likewise avoid supporting (some subset of) external passwords  
stores.
saslauthd(8) can easily be extended (or replaced) to support additional
password stores as needed.  As provided in Cyrus SASL today, it  
supports both
LDAP and Kerberos as external password stores.

>
> 3) you should add a (configurable) TTL, so that the cache could
> eventually be notified of an account lockout at the remote server's  
> side.
>
> 4) you should add support for dynamic configuration, so that the  
> module
> can fit into the new configuration paradigm for possible release  
> with 2.4.
>
> 5) you should follow coding guidelines (indentation and so) as in most
> of the code.
>
> p.