krb5-sync To-Do List
* Look at http://code.google.com/p/krb5-adsync/ (based on this code) for
what ideas can be incorporated back into this package. Currently, code
cannot be shared due to licensing reasons.
* Support a list of accounts that should be synchronized instead of doing
the configuration by instance.
* In Heimdal, error reporting when the Active Directory configuration
exists but the keytab does not is horrible. Nothing is logged and the
client just gets a generic failure message.
* Support instance-specific roots, DN mappings, and transforms for
accounts (such as would be needed for /sunet instances at Stanford).
* Use krb5_chpw_message to parse AD replies.
* krb5-sync-backend should get the path to Perl from configure.
* Currently, the queue path is hard-coded in krb5-sync-backend even
though for the plugin it's configurable in krb5.conf.
krb5-sync-backend needs to be able to read the krb5.conf value somehow.
* Provide a way to point to a test realm for testing password change
* Mock out LDAP libraries to test pushing Active Directory status
* In krb5-sync-backend, search the user's PATH plus sbin directories for
krb5-sync instead of hard-coding the path to it.
* Add tests for krb5-sync-backend process and purge. This may require a
way to tell krb5-sync-backend which time to use when creating queue
files instead of always using the current time.
* Add tests for allowed instances.
* Add tests for ad_base_instance, which will require initializing a local
Kerberos database and pointing kadm5srv to it.