The kadm5 system was originally written outside of the krb5 tree. Under the assumption that policy names and password history would only be used by the kadmin system, they were packaged together into KRB5_TL_KADM_DATA tl-data using XDR marshalling code which lives in libkadm5srv. To the rest of the tree, it's all opaque.

Over time the architecture has changed, and it is no longer true that the kadm5 tl-data is only of interest to the kadmin system.

Since it was introduced in 1.6, the LDAP KDB module has needed to unmarshal the kadm5 data in order to normalize it into specific fields. It currently does so by duplicating the marshalling code. The FreeIPA KDB module also needs to do this; as it has no access to libkadm5srv private functions, it presumably duplicates the marshalling code as well.

Also, since 1.8, both in-tree KDB modules need to access the policy name in order to do lockout enforcement. (Over time, this policy lookup will probably migrate to the core KDC code, but right now it's done in the modules.) This is currently done by using the private functions from libkadm5srv.

We should move the marshalling code into libkdb5 and add APIs similar to krb5_dbe_update_last_pwd_change for accessing it.