Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) Subject: kadm5_hook needs a way to prevent looping X-RT-Original-Encoding: iso-8859-1 Content-Length: 1103 kadm5_hook can be used for synchronization from an MIT krb5 realm to another realm. If the synchronization is bidirectional, we need a way to detect whether the kadm5 operation came from an incoming synchronization operation or whether the operation is original to this realm. Currently there is no good way to know. John Hascall suggested that knowing the invoking principal would be sufficient. There are a few options: 1. Add a new optional version of each method, to be used in preference to the old method. Lots of churn. 2. Rev the major version of the pluggable interface. Also lots of churn. 3. Only rev the chpass method, on the theory that bidirectional synchronization is usually only done for password changes. 4. Add an optional method to receive the invoker, which we call before the pre-commit stage of each operation. The module can remember this in the kadm5_hook_modinfo object. Not terribly elegant because it uses a long-lived state object to hold a short-lived value, but functional. See also: http://mailman.mit.edu/pipermail/kerberos/2015-May/020684.html