Re: Contribution: Active Directory Password Cache (ITS#5042)

[s.hetze@linux-ag.de]

Hi Pierangelo,

thanx for your comments.

On Mon, Aug 06, 2007 at 09:32:27PM +0200, Pierangelo Masarati wrote:
> Sebastian,
> 
> Thanks for the contribution.
> 
> I have a few comments (also gathered from others):
> 
> 1) you should provide patches against HEAD code; there has been some
> limited changes in the API related to overlay initialization and so.

No problem, I will look into that shortly.

> 
> 2) you could try to rework the overlay to avoid any specific reference
> to Active Directory, since your cache should apply to any remote system
> implementing Kerberos V.  It could be abstracted even more, to act as a
> replacement of saslauthd, by allowing it to auth via LDAP, pam and more,
> not just Kerberos.

Actually, the software was built and tested agains MIT and Heimdal
Kerberos V in the first place, so there is no dependency on AD
whatsoever. The reference to AD is more a marketing issue. I assume
more users looking for an AD password cache than for an Kerberos V
password cache. So I would perfer to keep it.

> 
> 3) you should add a (configurable) TTL, so that the cache could
> eventually be notified of an account lockout at the remote server's side.

I tried to avoid introduction of new attributes for the module. Do you
have any suggestions how this TTL should be stored? Adding pwdPolicy
from ppolicy seems a bit like an overkill to me.

> 
> 4) you should add support for dynamic configuration, so that the module
> can fit into the new configuration paradigm for possible release with 2.4.

I'll look into that.

> 
> 5) you should follow coding guidelines (indentation and so) as in most
> of the code.

I did not find any guidelines other than "Adapt your style to match that
of the block, file, directory, or package that you are working in."
Can you point me to a more detailed explanation of the required
indentation?


Regards,

  Sebastian