[OpenAFS-devel] Preliminary K5 user class API for the Java API for AFS administration

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 03 Apr 2002 17:25:17 -0500


>I have attached a draft of the K5 user class API as well as its associated
>password policy class API.  We are interested in your thoughts on this
>topic and invite comments and advice regarding the use, implementation, and
>entry details of a K5 user.
>
>As I mentioned above, we have modeled this initial K5 user class after the
>kadmin command, however we are interested in implementing this class with a
>library.  For KaServer, there is the OpenAFS libkasadmin library.  Does
>anybody know of similar libraries for K5?

I can't speak for the Java parts ... but let me speak a bit to the admin
server interface.

There is at this time no standard for a Kerberos 5 admin server protocol.
There is some interesting work in defining an LDAP schema for Kerberos
databases; while I personally wouldn't store my principal data in an LDAP
database, writing an LDAP front-end to the current admin server would be
very cool.

Currently the MIT admin client (kadmin) uses the libkadm5clnt library, and
this library is even mostly documented (check out the "doc" directory in the
MIT distribution).  However, the protocol used to communicate with the admin
server and the API are MIT-specific; Heimdal _may_ implement it (Heimdal
guys, speak up?) but a Microsoft KDC, for example, will not.  We're starting
to see people who are using OpenAFS with Microsoft KDCs, so anything you do
won't be universal.

--Ken