On Wed, Sep 03, 2008 at 02:52:21PM +0200, Mark Phalan wrote:
> Hi Will,
>
> With MIT Kerberos the following directory structure is used to store
> plugins:
>
> <prefix>/lib/krb5/plugins
> <prefix>/lib/krb5/plugins/kdb
> <prefix>/lib/krb5/plugins/kdb/db2.so
> <prefix>/lib/krb5/plugins/preauth
> <prefix>/lib/krb5/plugins/preauth/pkinit.so
>
> Was there any reason you didn't follow the MIT convention with plugin
> directories when integrating the LDAP plugin support?

I cannot remember what I was thinking at the time but I'm guessing that
since the KDB plugins are explicitly configured in krb5.conf with the:

    The [dbmodules] Section
        This section consists of relations that provide configuration
        information for plug-in modules. In particular, the relations
        describe the configuration for LDAP KDB plug-in. Note that use
        of the db2 KDB plug-in is the default behavior and that this
        section does not need to be filled out in that case.

        db_library
            Name of the plug-in library. To use the LDAP KDB plug-in
            the name must be kdb_ldap. The default value is db2.

        db_module_dir
            Path to the plug-in libraries. The default is /usr/lib/krb5.

that it kept the config simpler. Note that these were the parameters
used at the time I ported the MIT ldap plugin code to Solaris. It is
possible that things have changed since in the MIT tree. For example I
see that they do not have a db_module_dir so I bet the code now has more
assumptions about the plugin dir structure.

So the choices are:

1. Leave the KDB plugins where they are and use the plugins/preauth dir
   structure for the preauth plugins.

2. Move the KDB plugins as well but this will entail some documentation
   modification and an ARC review.

> The way the pre-auth plugin support works is that it will scan a
> directory for plugins - if /usr/lib/krb5 is used for that it will dlopen
> every binary there when trying to determine if it is a plugin or not.
>
> It seems to me that it would be cleaner for the pre-auth plugins to be
> located in a separate sub-directory otherwise all objects
> in /usr/lib/krb/ will be dlopen'ed when looking for plugins.
> If we do this for the pre-auth plugins it would make sense for the same
> to be done for the kdb plugins.
>
> Would anyone object if the plugins were laid out as follows?
>
> /usr/lib/krb5/preauth/
> /usr/lib/krb5/preauth/pkinit.so
> /usr/lib/krb5/kdb/
> /usr/lib/krb5/kdb/db2.so
> /usr/lib/krb5/kdb/kldap.so

Doesn't bother me for the preauth plugins, see my comment above for the
kdb plugins.

> Would we need a PSARC case to move the db2 and ldap plugins (maybe could
> be rolled into the PKINIT PSARC case?) ?

Again, see my first comment.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
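
Added example, not part of the original message and not MIT Kerberos or Solaris code: a C sketch of the directory scan discussed above, reporting how many entries a scan-everything loader would try to dlopen() in a given directory and how many survive a pre-filter. The function names plugin_candidate and scan_plugin_dir are hypothetical, and the filter policy (regular non-symlink file, .so suffix, not writable by group or other) is an assumption of this example, not something the thread specifies.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if dir/name is a regular, non-symlink *.so file that group and other
 * cannot write (assumed policy, not from the thread); 0 otherwise. */
int plugin_candidate(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    size_t len = strlen(name);
    if (len <= 3 || strcmp(name + len - 3, ".so") != 0)
        return 0;
    if ((size_t)snprintf(path, sizeof(path), "%s/%s", dir, name) >= sizeof(path))
        return 0;                       /* truncated or failed: reject */
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Non-recursive scan. *seen = entries a scan-everything loader would try
 * to dlopen(); returns how many pass the filter, or -1 on opendir error. */
int scan_plugin_dir(const char *dir, int *seen)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int ok = 0;
    *seen = 0;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        (*seen)++;
        ok += plugin_candidate(dir, e->d_name);
    }
    closedir(d);
    return ok;
}

int main(int argc, char **argv)
{
    /* Default: the preauth directory proposed in the thread. */
    const char *dir = argc > 1 ? argv[1] : "/usr/lib/krb5/preauth";
    int seen, ok = scan_plugin_dir(dir, &seen);

    printf("%s: %d entries, %d candidates\n", dir, seen, ok);
    return ok < 0;
}
```

Running it once against a flat /usr/lib/krb5 and once against a dedicated sub-directory shows the difference in how many objects the loader would touch.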