Russ Allbery > Software > Orphaned Software > kadmin-remctl | kadmin-remctl Design > |
General:
The current kadmin-remctl API is rather lame and is only used for historical reasons at Stanford. Introduce a new, cleaner API with better structure to the error reporting and replace the current API with that.
kadmin-remctl is really applying a set of operations against different realms (AFS kaserver, Kerberos v5, and Active Directory) based on per-instance configuration. Generalize this by using multiple modules that serve as providers that perform operations and set rollbacks, so that we can determine the provider stack to run and then just run it.
kadmin-remctl-heim largely duplicates kadmin-remctl. Refactoring everything into modules should reduce code duplication considerably.
kadmin:
Talking to kadmin and kpasswd via Expect is obviously an ugly hack only done because it was expedient. We should instead be using an appropriate Perl module and a native API. For password changing, this would mean enhancing the Authen::Krb5 Perl module to provide an API to the password changing functions to do something similar to kpasswd. kadmin is harder, since MIT Kerberos doesn't provide a usable API to the kadmin client libraries. Authen::Krb5::Admin hacks around this by defining the API itself, but may not work with all versions of Kerberos and is fragile.
It would be nice to be able to use the same modules for kadmin calls in wallet as we use here.
Look at using IPC::Run for the communication to programs instead of rolling our own.
Add a way to set the password expiration time as well as the principal expiration time.
Active Directory:
kadmin-remctl should use Net::LDAP or Net::LDAPapi rather than calling the external OpenLDAP utilities.
We don't roll back Active Directory account creation if Kerberos account creation failed any more. Fix that, which probably requires making all of the underlying routines return error messages rather than doing the exiting themselves.
The examine function should also do an LDAP lookup against Active Directory if configured to use AD.
Configuration:
Rather than make password strength checking a boolean and hard-coding the policy name, have the password strength checking option take the name of the password policy to use.
There should be an easier way of setting defaults for passwd_change than patching it at build-time, even though it also supports krb5.conf parameters.
kadmin-backend's check_passwd option could use the username to check other things, such as whether the password is based on the username and whether the user is reusing their current password (although it still couldn't be guaranteed to match every error from change_passwd).
Support two configurations for Active Directory: assuming password changes propagate, or separate password changes in Active Directory. Right now, we select based on whether there's a K5 configuration, which is rather ugly.
Russ Allbery > Software > Orphaned Software > kadmin-remctl | kadmin-remctl Design > |