| Russ Allbery > Software > Orphaned Software > krb5-sync |
General:
Look at http://code.google.com/p/krb5-adsync/ (based on this code) for what ideas can be incorporated back into this package. Currently, code cannot be shared due to licensing reasons.
Plugin:
Support a list of accounts that should be synchronized instead of doing the configuration by instance.
In Heimdal, error reporting when the Active Directory configuration exists but the keytab does not is horrible. Nothing is logged and the client just gets a generic failure message.
Support instance-specific roots, DN mappings, and transforms for accounts (such as would be needed for /sunet instances at Stanford).
Use krb5_chpw_message to parse AD replies.
Configuration:
krb5-sync-backend should get the path to Perl from configure.
Currently, the queue path is hard-coded in krb5-sync-backend even though for the plugin it's configurable in krb5.conf. krb5-sync-backend needs to be able to read the krb5.conf value somehow.
Test Suite:
Provide a way to point to a test realm for testing password change actions.
Mock out LDAP libraries to test pushing Active Directory status changes.
In krb5-sync-backend, search the user's PATH plus sbin directories for krb5-sync instead of hard-coding the path to it.
Add tests for krb5-sync-backend process and purge. This may require a way to tell krb5-sync-backend which time to use when creating queue files instead of always using the current time.
Add tests for allowed instances.
Add tests for ad_base_instance, which will require initializing a local Kerberos database and pointing kadm5srv to it.
| Russ Allbery > Software > Orphaned Software > krb5-sync |