author: Russ Allbery <rra@stanford.edu> 2007-10-09 01:42:46 +0000
committer: Russ Allbery <rra@stanford.edu> 2007-10-09 01:42:46 +0000
commit: 009de8debb0cbda0b74903d07b935e830fe2b0a1
tree: 7742413a79a7625895aa2737d103e9d76bdd39fd /docs
parent: ebbb7b464940a754f56511779b6ade02e14f1e60
Initial implementation of enctype restriction with a basic test suite.
Still needs a more comprehensive test suite. Remove all attributes for a keytab object when it is destroyed so that when the object is recreated, it doesn't inherit attributes from its previous self. Add a test case for that for the sync attribute.
Diffstat (limited to 'docs')
-rw-r--r-- docs/design-api 10
1 files changed, 6 insertions, 4 deletions
diff --git a/docs/design-api b/docs/design-api
index 8c5c1d5..cb4bfa6 100644
--- a/docs/design-api
+++ b/docs/design-api
@@ -76,10 +76,12 @@ Object API
Destroys the given object. Backend implementations should override
this method if they need to destroy the object in an external system
- and then call the parent method to do the database cleanup. For
- example, the keytab backend overrides this method to destroy the
- principal in the Kerberos KDC. Be careful not to require that the
- object exist in a remote system for destroy() to work, since an
+ or if they have any object-specific attributes to remove. Overriding
+ methods should then call the parent method to do the database cleanup.
+ For example, the keytab backend overrides this method to destroy the
+ principal in the Kerberos KDC and remove the enctypes and sync
+ attribute data from auxiliary tables. Be careful not to require that
+ the object exist in a remote system for destroy() to work, since an
administrator will want to destroy an orphaned wallet database entry
after something happened to the remote system entry.
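Review bot: The new sentence "or if they have any object-specific attributes to remove" tells backend authors to clean up attributes but not why, and the reason is the part that matters: per the commit message, a recreated object would otherwise inherit attributes from its previous self. Consider stating that in the text, since for the keytab backend this means a new keytab silently picking up an old enctype restriction or sync setting. The closing caveat about not requiring the object to exist in a remote system could also be extended to the auxiliary tables, so that destroy() is documented as succeeding when the enctypes or sync rows are already absent. Finally, "should then call the parent method" leaves the order of the external destroy, the attribute removal and the parent cleanup implicit; a sentence saying what state is expected if one of the earlier steps fails would help implementers of other backends.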