[kmf-discuss] DN/subjectAltName mapping to username
Jan Pechanec
Jan.Pechanec at Sun.COM
Thu Dec 20 09:51:20 PST 2007
On Thu, 20 Dec 2007, Wyllys Ingersoll wrote:
>> do you mean that it could be dynamic, ie. that the mapping could be
>> done in an external module that would be dlopen()'ed, for example? So
>> that adding a new mapping wouldn't need a change in KMF itself or
>> DTD?
>
> The mapping would be applied down inside of the kmf_map_cert_to_user()
> function according to whatever is specified in the policy associated
> with the KMF handle. Nothing would need to be dlopen-ed. One can
> always call kmf_set_policy() to change the policy currently associated
> with the KMF handle which re-reads the policy file and should catch any
> updates.
>
> Adding a new mapping would not require a change to the DTD, though it would
> require an update of the KMF policy file via kmfcfg(1).
OK, so adding a new type of mapping would also need to add some code
to libkmf(3LIB). I was just wondering whether allowing an admin to add a new
mapping implementation on the fly could be useful.

J.
--
Jan Pechanec