From: Enrique Rodriguez
To: Apache Directory Developers List
Date: Tue, 23 Nov 2004 16:28:14 -0500
Subject: Re: I'd like to start helping out here

Berin Loritsch wrote:
> Enrique Rodriguez wrote:
>> Berin Loritsch wrote:
>>
>> Detection of both of these scenarios should be encapsulated in the
>> Kerberos ProtocolProvider, but with denial performed as close to the
>> wire as possible.
>>
>> Additionally, Kerberos admins should be able to clear denied Clients
>> via management interface, so there should be a way to notify of a
>> cleared address, too. This usually happens due to misconfigured clients.
>>
> I personally would start with a windowed blackout time.

Sounds good. I agree a windowed blackout time should be default. The misconfiguration scenario I describe is a special case, when an admin setting up a client makes a mistake and it is specific to configuring Kerberos. Waiting 20 minutes would be a huge inconvenience and restarting the services may not be acceptable.

-enrique
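
The design discussed in this message, as an added example that is not code from Apache Directory or from anyone in the thread: a deny list whose entries expire after a blackout window, with a management-side clear that notifies the wire-level filter. The class `BlackoutList` and its method names are hypothetical, the window uses the 20 minutes mentioned in the message, and the client address and clock are constructed.

```java
import java.net.InetAddress;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import java.util.function.LongSupplier;

/** Hypothetical deny list: windowed blackout by default, explicit clear for admins. */
public class BlackoutList {
    private final Map<InetAddress, Long> deniedUntil = new ConcurrentHashMap<>();
    private final long windowMillis;
    private final LongSupplier clock;               // injected so expiry can be exercised
    private final Consumer<InetAddress> onCleared;  // notifies the wire-level filter
    public BlackoutList(long windowMillis, LongSupplier clock, Consumer<InetAddress> onCleared) {
        this.windowMillis = windowMillis;
        this.clock = clock;
        this.onCleared = onCleared;
    }

    /** Called by the detection logic (the protocol provider in the thread above). */
    public void deny(InetAddress client) {
        deniedUntil.put(client, clock.getAsLong() + windowMillis);
    }

    /** Checked close to the wire; an entry whose window has elapsed is dropped atomically. */
    public boolean isDenied(InetAddress client) {
        return deniedUntil.computeIfPresent(client,
                (c, until) -> clock.getAsLong() < until ? until : null) != null;
    }

    /** Management operation: lift a denial early, e.g. once a misconfigured client is fixed. */
    public boolean clear(InetAddress client) {
        if (deniedUntil.remove(client) == null) return false;
        onCleared.accept(client);
        return true;
    }

    public static void main(String[] args) throws Exception {
        long[] now = {0L};  // constructed clock, in milliseconds
        InetAddress client = InetAddress.getByAddress(new byte[] {10, 0, 0, 5});  // constructed
        BlackoutList list = new BlackoutList(20 * 60_000L, () -> now[0],
                a -> System.out.println("cleared " + a));
        list.deny(client);
        System.out.println("inside window: " + list.isDenied(client));
        list.clear(client);  // admin clears without waiting or restarting
        System.out.println("after admin clear: " + list.isDenied(client));
        list.deny(client);
        now[0] += 20 * 60_000L;  // the blackout window elapses
        System.out.println("after window: " + list.isDenied(client));
    }
}
```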