Skip Menu |
 

Subject: kadm5_hook needs a way to prevent looping
kadm5_hook can be used for synchronization from an MIT krb5 realm to
another realm. If the synchronization is bidirectional, we need a
way to detect whether the kadm5 operation came from an incoming
synchronization operation or whether the operation is original to
this realm. Currently there is no good way to know. John Hascall
suggested that knowing the invoking principal would be sufficient.

There are a few options:

1. Add a new optional version of each method, to be used in
preference to the old method. Lots of churn.

2. Rev the major version of the pluggable interface. Also lots of
churn.

3. Only rev the chpass method, on the theory that bidirectional
synchronization is usually only done for password changes.

4. Add an optional method to receive the invoker, which we call
before the pre-commit stage of each operation. The module can
remember this in the kadm5_hook_modinfo object. Not terribly elegant
because it uses a long-lived state object to hold a short-lived
value, but functional.

See also:

http://mailman.mit.edu/pipermail/kerberos/2015-May/020684.html