Christian Heimes

Either in the main process of we fork off a logging process. Python has a watching file handler that handles flush, close and reopen: https://github.com/python/cpython/blob/3.6/Lib/logging/handlers.py#L446

@Alan-R we don't have any resources to work on a HashiCorp Vault plugin in the near future. But that doesn't have to stop you. Custodia is extensible and you can...

> > Heimdal does not support IAKERB, no. > > Well, to be pedantic, Heimdal does (in Apple's implementation). So it wouldn't be impossible to merge their code. A co-worker...

Custodia currently accepts all valid client certificate that are trusted by the CA (global option ```tls_cafile```). There is no additional filtering or support for CRL or OCSP status checks. IMO...

Which variant do you prefer as default? In the long run it might be useful to have compare-and-swap feature. For some storage engines CAS can be implemented atomic, e.g. SQL.

The build Ansible playbook fails because it doesn't know about `freeipa.sysusers` file.

`SSLContext` is designed to be shared and used for multiple connections. It is thread safe as long as you don't reconfigure it once it is used by a connection. Adding...

See #2118 I recommend that you either use urllib3 directly or switch to httpx. Most of the secret sauce of requests is in urllib3. httpx has HTTP/2 support.

I find it confusing how the API object is passed around. How about you include the api in the transport instance and get the callback from `self.api` instead? ``` class...

One place does not pass `service` to `_handle_exception`: https://github.com/freeipa/freeipa/blob/64861a0cf9a8ac18d83a206c11fd3b42be3c578c/ipalib/rpc.py#L736-L737