-
Notifications
You must be signed in to change notification settings - Fork 2
/
TODO
49 lines (32 loc) · 1.66 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
krb5-sync To-Do List
General:
* Look at http://code.google.com/p/krb5-adsync/ (based on this code) for
what ideas can be incorporated back into this package. Currently, code
cannot be shared due to licensing reasons.
Plugin:
* Support a list of accounts that should be synchronized instead of doing
the configuration by instance.
* In Heimdal, error reporting when the Active Directory configuration
exists but the keytab does not is horrible. Nothing is logged and the
client just gets a generic failure message.
* Support instance-specific roots, DN mappings, and transforms for
accounts (such as would be needed for /sunet instances at Stanford).
* Use krb5_chpw_message to parse AD replies.
Configuration:
* krb5-sync-backend should get the path to Perl from configure.
* Currently, the queue path is hard-coded in krb5-sync-backend even
though for the plugin it's configurable in krb5.conf.
krb5-sync-backend needs to be able to read the krb5.conf value somehow.
Test Suite:
* Provide a way to point to a test realm for testing password change
actions.
* Mock out LDAP libraries to test pushing Active Directory status
changes.
* In krb5-sync-backend, search the user's PATH plus sbin directories for
krb5-sync instead of hard-coding the path to it.
* Add tests for krb5-sync-backend process and purge. This may require a
way to tell krb5-sync-backend which time to use when creating queue
files instead of always using the current time.
* Add tests for allowed instances.
* Add tests for ad_base_instance, which will require initializing a local
Kerberos database and pointing kadm5srv to it.