Network Working Group                                   Rajasekaran Nagarajan
Internet-Draft                                               K.G.Gokulavasan
Expires: February 4, 2007                                       Novell, Inc.
                                                              August 3, 2006

              Kerberos version 5 schema for LDAP Directories
                 draft-rajasekaran-kerberos-ldap-schema-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 4, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes a schema for storing Kerberos version 5
   information in LDAP directories.  The information includes the
   attributes and object classes that define realm, KDC, administration
   server, password server, principal and policy.

Rajasekaran Nagarajan & K.G.Gokulavasan  Expires February 4, 2007  [Page 1]

Internet-Draft            Kerberos schema for LDAP               August 2006

Table of Contents

   1.    Requirements notation
   2.    Introduction
   3.    Attributes Type Definitions
   3.1   krbPrincipalName
   3.2   krbPrincipalType
   3.3   krbPrincipalKey
   3.4   krbPasswordExpiration
   3.5   krbUPEnabled
   3.6   krbPrincipalExpiration
   3.7   krbTicketPolicyReference
   3.8   krbTicketFlags
   3.9   krbMaxTicketLife
   3.10  krbMaxRenewableAge
   3.11  krbRealmReferences
   3.12  krbLdapServers
   3.13  krbSubTrees
   3.14  krbKdcServers
   3.15  krbAdmServers
   3.16  krbPwdServers
   3.17  krbSupportedEncTypes
   3.18  krbSupportedSaltTypes
   3.19  krbDefaultEncSaltTypes
   3.20  krbHostServer
   3.21  krbSearchScope
   3.22  krbPrincNamingAttr
   3.23  krbMaxPwdLife
   3.24  krbMinPwdLife
   3.25  krbPwdMinDiffChars
   3.26  krbPwdMinLength
   3.27  krbPwdHistoryLength
   3.28  krbPolicyRefCount
   3.29  krbPwdPolicyReference
   3.30  krbPwdHistory
   3.31  krbLastPwdChange
   3.32  krbMKey
   3.33  krbPrincipalAliases
   3.34  krbLastSuccessfulAuth
   3.35  krbLastFailedAuth
   3.36  krbLoginFailedCount
   3.37  krbExtraData
   3.38  krbPrincipalReferences
   3.39  krbObjectReferences
   3.40  krbPrincContainerRef
   4.    Object Class Definitions
   4.1   krbContainer
   4.2   krbRealmContainer
   4.3   krbService
   4.4   krbKdcService
   4.5   krbAdmService
   4.6   krbPwdService
   4.7   krbTicketPolicyAux
   4.8   krbTicketPolicy
   4.9   krbPrincipalAux
   4.10  krbPrincipal
   4.11  krbPwdPolicy
   4.12  krbPrincRefAux
   5.    IANA Considerations
   5.1   Object Identifier Registration
   5.2   Object Identifier Descriptors
   6.    Security Considerations
   7.    References
         Authors' Addresses
         Intellectual Property and Copyright Statements
1. Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2. Introduction

   This document defines LDAP schema elements for storing Kerberos
   version 5 (see [RFC4120] and [RFC1964]) information in LDAP v3
   compliant directories.  This includes the attribute definitions,
   object classes, naming attributes and containment rules for the
   Kerberos entities, namely realm, KDC, administration server,
   password server, principal and policy.

3. Attributes Type Definitions

   As the OIDs for the attributes in this document have not been
   assigned, IANA-ASSIGNED-OID is used as a placeholder until real OIDs
   are assigned.

3.1 krbPrincipalName

   This attribute contains the principal name of the principal, in the
   format specified by [RFC1964].  The value must be unique within the
   directory: the KDC locates a principal entry by searching the realm's
   sub trees (3.13) for this attribute, so two entries carrying the same
   value would make that lookup ambiguous.

   Definition:

      ( IANA-ASSIGNED-OID.4.1 NAME 'krbPrincipalName'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

   Used In: krbPrincipalAux, krbPrincipal

   Values: The set of allowed values for this attribute is based on the
   principal identifier format specified in [RFC1964] section 2.1.1.  A
   principal identifier consists of the principal name followed by the
   "@" symbol and then the realm name.

3.2 krbPrincipalType

   Holds the name type of the principal.
   Definition:

      ( IANA-ASSIGNED-OID.4.2 NAME 'krbPrincipalType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPrincipalAux

   Values: The allowed values are the principal name types defined in
   [RFC4120] section 6.2: NT-UNKNOWN (0), NT-PRINCIPAL (1), NT-SRV-INST
   (2), NT-SRV-HST (3), NT-SRV-XHST (4), NT-UID (5), NT-X500-PRINCIPAL
   (6), NT-SMTP-NAME (7) and NT-ENTERPRISE (10).

3.3 krbPrincipalKey

   This attribute stores the Kerberos keys of a principal.  The keys may
   optionally be encrypted with the master key of the realm (krbMKey,
   3.32); only the key material itself is encrypted, the version numbers,
   key types and salts stay in the clear.  Because a principal can have
   several versions of its keys, this attribute is multi-valued, one
   value per key version.  Within one version there may be several keys,
   one per key type / salt type pair.  When a ticket request is made, the
   key used is the one whose key type is asked for in the request and is
   present in the principal's set of values.

   Whether or not the keys are encrypted with the master key, read access
   to this attribute should be restricted to the identities with which
   the KDC, administration and password services bind (4.3): anyone who
   can read the clear form can impersonate the principal, and the
   master-key-encrypted form is only as safe as krbMKey itself.

   This attribute replaces the krbSecretKey attribute which was present
   in the previous version of the draft.

   Definition:

      ( IANA-ASSIGNED-OID.4.3 NAME 'krbPrincipalKey'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   Used In: krbPrincipalAux

   Values: The attribute value is ASN.1 encoded.  The format of the value
   is the following:

      UInt16 ::= INTEGER (0..65535)
      Int32  ::= INTEGER (-2147483648..2147483647)
      UInt32 ::= INTEGER (0..4294967295)

      KrbKeySet ::= SEQUENCE {
          attribute-major-vno   [0] UInt16,
          attribute-minor-vno   [1] UInt16,
          kvno                  [2] UInt32,
          mkvno                 [3] UInt32 OPTIONAL,
          keys                  [4] SEQUENCE OF KrbKey,
          ...
      }

      KrbKey ::= SEQUENCE {
          salt      [0] KrbSalt OPTIONAL,
          key       [1] EncryptionKey
      }

      KrbSalt ::= SEQUENCE {
          type      [0] Int32,
          salt      [1] OCTET STRING
      }

      EncryptionKey ::= SEQUENCE {
          keytype   [0] Int32,
          keyvalue  [1] OCTET STRING
      }

3.4 krbPasswordExpiration

   This attribute holds the time at which the principal's password
   expires.

   Definition:

      ( IANA-ASSIGNED-OID.4.4 NAME 'krbPasswordExpiration'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

   Used In: krbPrincipalAux

   Values: The principal's password expiration time.

3.5 krbUPEnabled

   This attribute decides whether the directory user password is used as
   the Kerberos password for the principals of a realm.  It can only be
   used if the directory can give the Kerberos services access to the
   users' clear text passwords, from which the Kerberos keys are then
   generated.  Enabling it therefore adds the KDC, administration and
   password services to the set of components that handle clear text
   passwords, and one password then unlocks both the directory and
   Kerberos.

   Definition:

      ( IANA-ASSIGNED-OID.4.5 NAME 'krbUPEnabled'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )

   Used In: krbPrincipalAux, krbRealmContainer

   Values:

      TRUE:  the directory user password is used as the Kerberos
             password.
      FALSE: the Kerberos password is separate from the directory
             password.

3.6 krbPrincipalExpiration

   This attribute holds the time at which the principal expires.

   Definition:

      ( IANA-ASSIGNED-OID.4.6 NAME 'krbPrincipalExpiration'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

   Used In: krbPrincipalAux

   Values: The principal's expiration time.

3.7 krbTicketPolicyReference

   Holds a reference to a Kerberos ticket policy.  This attribute
   replaces the krbPolicyReference attribute which was present in the
   previous version of the draft.
   Definition:

      ( IANA-ASSIGNED-OID.4.7 NAME 'krbTicketPolicyReference'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )

   Used In: krbPrincipalAux, krbRealmContainer

   Values: DN of a Kerberos ticket policy object.

3.8 krbTicketFlags

   This attribute stores the restrictions on the ticket flags a principal
   may request, together with the pre-authentication and password change
   requirements the KDC enforces for it.  The stored bits are interpreted
   by the KDC and translated to the flags defined in [RFC4120]
   (TicketFlags, section 5.3, and KDCOptions, section 5.4.1).  For
   example, a client whose flags include DISALLOW_FORWARDABLE is not
   issued a forwardable ticket even if the KDC request asks for one.

   Definition:

      ( IANA-ASSIGNED-OID.4.8 NAME 'krbTicketFlags'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbTicketPolicyAux

   Values: The allowed values are the bitwise OR of one or more of the
   following:

      DISALLOW_POSTDATED    0x00000001
      DISALLOW_FORWARDABLE  0x00000002
      DISALLOW_TGT_BASED    0x00000004
      DISALLOW_RENEWABLE    0x00000008
      DISALLOW_PROXIABLE    0x00000010
      DISALLOW_DUP_SKEY     0x00000020
      DISALLOW_ALL_TIX      0x00000040
      REQUIRES_PRE_AUTH     0x00000080
      REQUIRES_HW_AUTH      0x00000100
      REQUIRES_PWCHANGE     0x00000200
      DISALLOW_SVR          0x00001000
      PWCHANGE_SERVICE      0x00002000

   The DISALLOW_* bits refuse the corresponding ticket option (or, for
   DISALLOW_ALL_TIX, every ticket), DISALLOW_SVR marks a principal that
   may not be the target of a service ticket, and the REQUIRES_* bits are
   conditions the principal must meet when acting as a client.

3.9 krbMaxTicketLife

   The maximum ticket lifetime for a principal, in seconds, is maintained
   in this attribute.  The lifetime of an issued ticket is computed as
   the minimum of the requested ticket lifetime, the service principal's
   maximum allowable lifetime and the client principal's maximum
   allowable lifetime, so either side of the exchange can cap it.

   Definition:

      ( IANA-ASSIGNED-OID.4.9 NAME 'krbMaxTicketLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbTicketPolicyAux

   Values: The value stored in this attribute is the number of seconds
   for which a ticket may remain valid.
   The value may need to be generated from a combination of weeks, days,
   hours, minutes and seconds; the conversion to seconds must be done
   before the value is stored in the attribute.

3.10 krbMaxRenewableAge

   The attribute denotes the maximum lifetime, in seconds, within which a
   principal can renew its ticket.  The maximum renewable lifetime is
   computed as the minimum of the requested lifetime, the service
   principal's maximum renewable lifetime and the client principal's
   maximum renewable lifetime.

   Definition:

      ( IANA-ASSIGNED-OID.4.10 NAME 'krbMaxRenewableAge'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbTicketPolicyAux

   Values: The value stored in this attribute is the number of seconds
   until which the ticket can be renewed.  As for krbMaxTicketLife, the
   value may be generated from weeks, days, hours, minutes and seconds,
   converted to seconds before it is stored.

3.11 krbRealmReferences

   This attribute stores the DNs of the Kerberos realm (krbRealmContainer)
   objects.  This is a multi-valued attribute; the KDC, Administration
   and Password Services will service all the principals of the realms
   listed in it.

   Definition:

      ( IANA-ASSIGNED-OID.4.11 NAME 'krbRealmReferences'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbService

   Values: DNs of valid Kerberos realm (krbRealmContainer) objects.

3.12 krbLdapServers

   This attribute stores the list of LDAP servers that the Kerberos
   servers can contact when servicing a realm.

   Definition:

      ( IANA-ASSIGNED-OID.4.12 NAME 'krbLdapServers'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   Used In: krbRealmContainer

   Values: This attribute holds the list of DNS names or IP addresses,
   and ports, of the LDAP servers that host the Kerberos data.
   The values are in LDAP URI format, for example:

      ldap://acme.com:636
      ldaps://164.164.164.164:1636

   The KDC, administration and password services read principal keys
   (3.3) and the realm master key (3.32) over these connections, so a
   server listed with the plain ldap:// scheme should only be used with
   StartTLS, or be listed as ldaps://.

3.13 krbSubTrees

   This attribute holds references (DNs) to the sub tree entries under
   which the principals and other Kerberos objects of a realm are placed.
   These sub tree containers are searched for that realm's principals
   based on the krbPrincipalName attribute.  This attribute replaces the
   krbSubTree attribute which was present in the previous version of the
   draft.

   Definition:

      ( IANA-ASSIGNED-OID.4.13 NAME 'krbSubTrees'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbRealmContainer

   Values: DNs of the sub tree containers under which all the principals
   of the realm exist.

3.14 krbKdcServers

   Holds a set of references to the KDC Service objects (DNs of the
   krbKdcService objects).

   Definition:

      ( IANA-ASSIGNED-OID.4.14 NAME 'krbKdcServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbRealmContainer

   Values: DNs of valid KDC Service objects.

3.15 krbAdmServers

   Holds a set of references to Administration Service objects (DNs of
   the krbAdmService objects).

   Definition:

      ( IANA-ASSIGNED-OID.4.15 NAME 'krbAdmServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbRealmContainer

   Values: DNs of valid Administration Service objects.

3.16 krbPwdServers

   Holds a set of references to Password Service objects (DNs of the
   krbPwdService objects).

   Definition:

      ( IANA-ASSIGNED-OID.4.16 NAME 'krbPwdServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbRealmContainer

   Values: DNs of valid Password Service objects.
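   Sections 3.8 to 3.10 say what the KDC does with krbTicketFlags,
   krbMaxTicketLife and krbMaxRenewableAge, but not how the checks fit
   together.  The following is an added example, written for this page
   and not taken from the draft or from any KDC implementation, that
   evaluates an AS request against those attributes.  It assumes the
   entries have already been read from the directory into plain
   dictionaries; the precedence it uses when the same attribute appears
   on the principal, on the object named by krbTicketPolicyReference and
   on the realm is an assumption, as is the mapping from KDC options to
   DISALLOW_* bits; the DNs and values at the bottom are constructed
   sample data, not directory content.

```python
# Added example, not part of the draft and not the code of any KDC: how a KDC
# could evaluate the krbTicketPolicyAux attributes of Sections 3.8 to 3.10
# when deciding an AS request.  Attribute names are the draft's; the lookup
# precedence (entry, then krbTicketPolicyReference, then realm) and the
# option-to-bit mapping are assumptions made for this example.

# krbTicketFlags bit values exactly as listed in Section 3.8.
TICKET_FLAGS = {
    "DISALLOW_POSTDATED":   0x00000001,
    "DISALLOW_FORWARDABLE": 0x00000002,
    "DISALLOW_TGT_BASED":   0x00000004,
    "DISALLOW_RENEWABLE":   0x00000008,
    "DISALLOW_PROXIABLE":   0x00000010,
    "DISALLOW_DUP_SKEY":    0x00000020,
    "DISALLOW_ALL_TIX":     0x00000040,
    "REQUIRES_PRE_AUTH":    0x00000080,
    "REQUIRES_HW_AUTH":     0x00000100,
    "REQUIRES_PWCHANGE":    0x00000200,
    "DISALLOW_SVR":         0x00001000,
    "PWCHANGE_SERVICE":     0x00002000,
}
KNOWN_MASK = sum(TICKET_FLAGS.values())

# KDC options a client may ask for, and the bit that forbids each one.
OPTION_DENIED_BY = {
    "FORWARDABLE": "DISALLOW_FORWARDABLE",
    "PROXIABLE":   "DISALLOW_PROXIABLE",
    "RENEWABLE":   "DISALLOW_RENEWABLE",
    "POSTDATED":   "DISALLOW_POSTDATED",
}
POLICY_ATTRS = ("krbTicketFlags", "krbMaxTicketLife", "krbMaxRenewableAge")


def decode_ticket_flags(value):
    """Names of the bits set in a krbTicketFlags integer; bits the draft
    does not define are an error rather than silently ignored."""
    if value & ~KNOWN_MASK:
        raise ValueError("undefined krbTicketFlags bits 0x%08x" % (value & ~KNOWN_MASK))
    return {name for name, bit in TICKET_FLAGS.items() if value & bit}


def resolve_policy(entry, policies, realm_policy):
    """Effective krbTicketPolicyAux values for an entry: the entry's own
    attribute wins, then the object named by krbTicketPolicyReference,
    then the realm policy; an attribute set nowhere resolves to None."""
    ref = entry.get("krbTicketPolicyReference")
    referenced = policies.get(ref, {}) if ref else {}
    return {attr: next((src[attr] for src in (entry, referenced, realm_policy)
                        if attr in src), None)
            for attr in POLICY_ATTRS}


def _min_defined(*values):
    defined = [v for v in values if v is not None]
    return min(defined) if defined else None


def evaluate_as_request(client, service, policies, realm_policy, options,
                        requested_life, requested_renew, preauthenticated):
    """Decide an AS request against both principals' ticket policy.
    Returns {"errors": [...], "ticket_life": seconds or None,
    "renewable_age": seconds or None}; any error means refuse."""
    cpol = resolve_policy(client, policies, realm_policy)
    spol = resolve_policy(service, policies, realm_policy)
    cflags = decode_ticket_flags(cpol["krbTicketFlags"] or 0)
    sflags = decode_ticket_flags(spol["krbTicketFlags"] or 0)
    errors = []
    if "DISALLOW_ALL_TIX" in cflags:
        errors.append("client is disabled (DISALLOW_ALL_TIX)")
    if "REQUIRES_PRE_AUTH" in cflags and not preauthenticated:
        errors.append("client requires pre-authentication")
    if "DISALLOW_SVR" in sflags:
        errors.append("service may not be a ticket target (DISALLOW_SVR)")
    for opt in sorted(options):
        bit = OPTION_DENIED_BY.get(opt)
        if bit is None:
            errors.append("unsupported KDC option %s" % opt)
        elif bit in cflags or bit in sflags:
            errors.append("option %s denied by %s" % (opt, bit))
    # Section 3.9: min(requested, client max, service max); Section 3.10
    # applies the same rule to the renewable lifetime.
    life = _min_defined(requested_life, cpol["krbMaxTicketLife"], spol["krbMaxTicketLife"])
    renew = None
    if "RENEWABLE" in options and not errors:
        renew = _min_defined(requested_renew, cpol["krbMaxRenewableAge"],
                             spol["krbMaxRenewableAge"])
    return {"errors": errors, "ticket_life": life, "renewable_age": renew}


# Constructed sample entries (DNs and values are illustrative only).
SAMPLE_POLICIES = {
    "cn=users,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com": {
        "krbTicketFlags": 0x00000082,   # DISALLOW_FORWARDABLE | REQUIRES_PRE_AUTH
        "krbMaxTicketLife": 36000,
    },
}
SAMPLE_REALM_POLICY = {"krbTicketFlags": 0, "krbMaxTicketLife": 86400,
                       "krbMaxRenewableAge": 604800}
SAMPLE_CLIENT = {"krbPrincipalName": "alice@EXAMPLE.COM",
                 "krbTicketPolicyReference":
                     "cn=users,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"}
SAMPLE_SERVICE = {"krbPrincipalName": "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                  "krbMaxTicketLife": 28800}
```

   With the sample data a renewable, pre-authenticated request for a
   24-hour ticket is granted with a lifetime of 28800 seconds (the
   service's cap) and a renewable age of 604800 seconds (the realm's
   cap); the same request made forwardable and without pre-authentication
   is refused on both counts.  Rejecting undefined flag bits matters
   because a KDC that ignores them would silently treat a typo in an
   administrator's policy as "no restriction".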
3.17 krbSupportedEncTypes

   This attribute stores the list of encryption types supported by a
   realm.  The encryption type numbers are those registered in
   [RFC3961].

   Definition:

      ( IANA-ASSIGNED-OID.4.17 NAME 'krbSupportedEncTypes'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

   Used In: krbRealmContainer

   Values: List of supported encryption types.

3.18 krbSupportedSaltTypes

   This attribute stores the list of salt types supported by a realm.

   Definition:

      ( IANA-ASSIGNED-OID.4.18 NAME 'krbSupportedSaltTypes'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

   Used In: krbRealmContainer

   Values: List of salt types supported by the realm.  The currently
   supported salt types are:

      NORMAL     0
      V4         1
      NOREALM    2
      ONLYREALM  3
      SPECIAL    4
      AFS3       5

3.19 krbDefaultEncSaltTypes

   Holds the default encryption type / salt type combinations used for
   the principals of the realm.  This attribute replaces the
   krbDefaultEncType and krbDefaultSaltType attributes which were present
   in the previous version of the draft.

   Definition:

      ( IANA-ASSIGNED-OID.4.19 NAME 'krbDefaultEncSaltTypes'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   Used In: krbRealmContainer

   Values: List of key:salt strings, each pairing an encryption type
   number (3.17) with a salt type number (3.18).

   Example: 1:0 (des-cbc-crc:normal).  The example only illustrates the
   format; single-DES encryption types have since been deprecated for
   Kerberos (RFC 6649) and should not be configured as a realm default.

3.20 krbHostServer

   This attribute stores the DNS name or IP address of the server that
   hosts a Kerberos service (KDC, Administration or Password service),
   together with the transport protocol and the port at which the
   service runs.

   Definition:

      ( IANA-ASSIGNED-OID.4.20 NAME 'krbHostServer'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

   Used In: krbService

   Values: This attribute holds data in the following format:

      HostName-or-IPAddress#Protocol#Port

   where "#" is the delimiter and Protocol can be 0 or 1:

      0 is for UDP.
      1 is for TCP.

   Examples:

      acme.com#0#88
      164.164.164.164#1#1088

3.21 krbSearchScope

   This attribute specifies the LDAP search scope used when searching for
   principals under the sub trees specified by the krbSubTrees attribute.

   Definition:

      ( IANA-ASSIGNED-OID.4.21 NAME 'krbSearchScope'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Values: ONE (1) or SUBTREE (2).

3.22 krbPrincNamingAttr

   This attribute specifies which attribute of the user objects is used
   as the principal name component for Kerberos.  This is an alternative
   to the krbPrincipalName attribute.

   Definition:

      ( IANA-ASSIGNED-OID.4.22 NAME 'krbPrincNamingAttr'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Values: The value for this attribute is configured by the
   administrator.  Examples: cn, sn, uid, givenname, fullname,
   emailaddress.  The chosen attribute must be unique across the realm's
   sub trees for the mapping to be unambiguous; cn and sn in particular
   often are not.

3.23 krbMaxPwdLife

   This attribute specifies the maximum lifetime of a principal's
   password.

   Definition:

      ( IANA-ASSIGNED-OID.4.23 NAME 'krbMaxPwdLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Values: Maximum lifetime of a principal's password, in seconds.

3.24 krbMinPwdLife

   This attribute specifies the minimum lifetime of a principal's
   password.

   Definition:

      ( IANA-ASSIGNED-OID.4.24 NAME 'krbMinPwdLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Values: Minimum lifetime of a principal's password, in seconds.

3.25 krbPwdMinDiffChars

   This attribute specifies the minimum number of character classes
   required in a password.
   Definition:

      ( IANA-ASSIGNED-OID.4.25 NAME 'krbPwdMinDiffChars'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Values: Minimum number of character classes required in a password.

3.26 krbPwdMinLength

   This attribute specifies the minimum length of the principal's
   password.

   Definition:

      ( IANA-ASSIGNED-OID.4.26 NAME 'krbPwdMinLength'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Values: Minimum length of the principal's password.

3.27 krbPwdHistoryLength

   This attribute specifies the number of old keys that are stored for a
   principal (see krbPwdHistory, 3.30).

   Definition:

      ( IANA-ASSIGNED-OID.4.27 NAME 'krbPwdHistoryLength'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Values: Number of old keys that are stored for a principal.

3.28 krbPolicyRefCount

   This attribute specifies the number of principals that refer to this
   policy.  The count is maintained by whatever creates and removes the
   references; the directory itself does not enforce it.

   Definition:

      ( IANA-ASSIGNED-OID.4.28 NAME 'krbPolicyRefCount'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbTicketPolicy, krbPwdPolicy

   Values: Number of principals that refer to this policy.

3.29 krbPwdPolicyReference

   This attribute stores the DN of a Kerberos password policy object.

   Definition:

      ( IANA-ASSIGNED-OID.4.29 NAME 'krbPwdPolicyReference'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )

   Used In: krbPrincipalAux, krbRealmContainer

   Values: DN of a valid Kerberos password policy object.

3.30 krbPwdHistory

   This attribute stores the principal's old keys, encrypted with the
   kadmin/history key of the realm.
   As a principal can retain several versions of its keys, up to
   krbPwdHistoryLength of them, this attribute is multi-valued.
   Moreover, for each version there may be several keys corresponding to
   the key type / salt type pairs.  Whenever a principal tries to change
   its password, the new key is checked against this attribute so that a
   previously used key is not set again.  When a principal's key is
   changed, the existing key is added to this attribute and the oldest
   key (lowest key version number) is removed once the number of stored
   keys exceeds krbPwdHistoryLength.

   Definition:

      ( IANA-ASSIGNED-OID.4.30 NAME 'krbPwdHistory'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   Used In: krbPrincipalAux

   Values: The attribute value is ASN.1 encoded, in the same KrbKeySet
   format as krbPrincipalKey (3.3), except that mkvno refers to the
   kadmin/history key:

      UInt16 ::= INTEGER (0..65535)
      Int32  ::= INTEGER (-2147483648..2147483647)
      UInt32 ::= INTEGER (0..4294967295)

      KrbKeySet ::= SEQUENCE {
          attribute-major-vno   [0] UInt16,
          attribute-minor-vno   [1] UInt16,
          kvno                  [2] UInt32,
          mkvno                 [3] UInt32 OPTIONAL,
                                    -- version of the kadmin/history key
          keys                  [4] SEQUENCE OF KrbKey
      }

      KrbKey ::= SEQUENCE {
          salt      [0] KrbSalt OPTIONAL,
          key       [1] EncryptionKey
      }

      KrbSalt ::= SEQUENCE {
          type      [0] Int32,
          salt      [1] OCTET STRING
      }

      EncryptionKey ::= SEQUENCE {
          keytype   [0] Int32,
          keyvalue  [1] OCTET STRING
      }

3.31 krbLastPwdChange

   This attribute stores the time at which the principal's password was
   last changed.

   Definition:

      ( IANA-ASSIGNED-OID.4.31 NAME 'krbLastPwdChange'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

   Used In: krbPrincipalAux

   Values: The time of the principal's last password change.

3.32 krbMKey

   This attribute stores the master key of a realm, which can be used to
   encrypt the principal keys.
   To protect the principals' keys, each key may be encrypted with the
   master key before it is stored (3.3).  This attribute has to be
   secured in the directory: it should be readable only by the identities
   with which the KDC, administration and password services bind (4.3),
   since it unlocks every master-key-encrypted krbPrincipalKey and
   krbPwdHistory value in the realm, and the directory then holds both
   the lock and the key.  Changing the master key means re-encrypting
   every principal key whose mkvno names the old version.

   Definition:

      ( IANA-ASSIGNED-OID.4.32 NAME 'krbMKey'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   Used In: krbRealmContainer

   Values: The attribute value is ASN.1 encoded.  The format of the value
   is the following:

      Int32  ::= INTEGER (-2147483648..2147483647)
      UInt32 ::= INTEGER (0..4294967295)

      KrbMasterKey ::= SEQUENCE {
          kvno      [0] UInt32,
          key       [1] MasterKey
      }

      MasterKey ::= SEQUENCE {
          keytype   [0] Int32,
          keyvalue  [1] OCTET STRING
      }

3.33 krbPrincipalAliases

   This attribute holds all the alias principal names of the principal,
   in the format specified by [RFC1964].  The attribute values have to be
   unique in the directory, for the same reason as krbPrincipalName
   (3.1).

   Definition:

      ( IANA-ASSIGNED-OID.4.33 NAME 'krbPrincipalAliases'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

   Used In: krbPrincipalAux

   Values: The set of allowed values for this attribute is based on the
   principal identifier format specified in [RFC1964] section 2.1.1.  A
   principal identifier consists of the principal name followed by the
   "@" symbol and then the realm name.  This attribute stores all the
   additional principal aliases of the primary principal.

3.34 krbLastSuccessfulAuth

   This attribute holds the time of the principal's last successful
   authentication.

   Definition:

      ( IANA-ASSIGNED-OID.4.34 NAME 'krbLastSuccessfulAuth'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

   Used In: krbPrincipalAux

   Values: The time of the principal's last successful authentication.
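   The KrbKeySet and KrbMasterKey structures of 3.3, 3.30 and 3.32 are
   given as ASN.1 only.  The following is an added example, not part of
   the draft and not the code of any KDC, that encodes and strictly
   decodes them without any library, so the tagging and the OPTIONAL
   members can be checked byte by byte.  It assumes EXPLICIT tagging (the
   ASN.1 default, and what the [RFC4120] module uses); the key bytes in
   the sample value are constructed placeholders, not key material.

```python
# Added example, not from the draft and not any KDC's code: a dependency-free DER
# encoder and strict decoder for the KrbKeySet value of krbPrincipalKey (3.3) and
# krbPwdHistory (3.30), and the KrbMasterKey value of krbMKey (3.32).  Assumption:
# EXPLICIT tagging (the ASN.1 default, and what RFC 4120's module uses), so each
# [n] wraps its element in a constructed context-specific tag.
INT32, UINT16, UINT32 = (-2**31, 2**31 - 1), (0, 0xFFFF), (0, 0xFFFFFFFF)

def _tlv(tag, body):                            # DER tag + length + value
    n, out = len(body), bytes([tag])
    if n < 0x80:
        return out + bytes([n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return out + bytes([0x80 | len(lb)]) + lb + body

def der_octets(b): return _tlv(0x04, bytes(b))
def der_seq(*items): return _tlv(0x30, b"".join(items))
def ctx(n, inner): return _tlv(0xA0 | n, inner)  # explicit [n]: constructed, context class

def der_int(v, bounds):
    if not bounds[0] <= v <= bounds[1]:
        raise ValueError("integer %d outside %s" % (v, bounds))
    n = (v if v >= 0 else ~v).bit_length() // 8 + 1   # shortest two's-complement form
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def encode_enc_key(k):
    return der_seq(ctx(0, der_int(k["keytype"], INT32)), ctx(1, der_octets(k["keyvalue"])))

def encode_krb_key(k):
    parts = []
    if k.get("salt") is not None:               # salt [0] is OPTIONAL
        parts.append(ctx(0, der_seq(ctx(0, der_int(k["salt"]["type"], INT32)),
                                    ctx(1, der_octets(k["salt"]["salt"])))))
    return der_seq(*parts, ctx(1, encode_enc_key(k["key"])))

def encode_keyset(ks):
    parts = [ctx(0, der_int(ks["major"], UINT16)), ctx(1, der_int(ks["minor"], UINT16)),
             ctx(2, der_int(ks["kvno"], UINT32))]
    if ks.get("mkvno") is not None:             # mkvno [3] is OPTIONAL
        parts.append(ctx(3, der_int(ks["mkvno"], UINT32)))
    return der_seq(*parts, ctx(4, der_seq(*[encode_krb_key(k) for k in ks["keys"]])))

def encode_master_key(mk):
    return der_seq(ctx(0, der_int(mk["kvno"], UINT32)), ctx(1, encode_enc_key(mk["key"])))

def _read_tlv(buf, pos):                        # one TLV -> (tag, body, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + ln], pos + ln

def _fields(tag, body):       # SEQUENCE -> {n: (inner_tag, inner_body)}; rejects anything else
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    out, pos = {}, 0
    while pos < len(body):
        t, wrapped, pos = _read_tlv(body, pos)
        if t & 0xE0 != 0xA0:
            raise ValueError("expected explicit context tag, got 0x%02x" % t)
        it, ib, end = _read_tlv(wrapped, 0)
        if end != len(wrapped):
            raise ValueError("trailing bytes inside [%d]" % (t & 0x1F))
        out[t & 0x1F] = (it, ib)
    return out

def _member(f, n, want, optional=False):
    if n not in f and optional:
        return None
    if n not in f or f[n][0] != want:
        raise ValueError("[%d] missing or not tag 0x%02x" % (n, want))
    return f[n][1]

def _int(f, n, bounds, optional=False):
    body = _member(f, n, 0x02, optional)
    v = None if body is None else int.from_bytes(body, "big", signed=True)
    if v is not None and not bounds[0] <= v <= bounds[1]:
        raise ValueError("[%d] value %d out of range" % (n, v))
    return v

def decode_enc_key(tag, body):
    f = _fields(tag, body)
    return {"keytype": _int(f, 0, INT32), "keyvalue": _member(f, 1, 0x04)}

def decode_krb_key(tag, body):
    f, salt = _fields(tag, body), None
    if 0 in f:
        sf = _fields(*f[0])
        salt = {"type": _int(sf, 0, INT32), "salt": _member(sf, 1, 0x04)}
    return {"salt": salt, "key": decode_enc_key(0x30, _member(f, 1, 0x30))}

def _top(der):                                  # whole attribute value -> fields
    tag, body, end = _read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing bytes after value")
    return _fields(tag, body)

def decode_keyset(der):
    f, keys, pos = _top(der), [], 0
    kbody = _member(f, 4, 0x30)
    while pos < len(kbody):                     # SEQUENCE OF KrbKey
        t, b, pos = _read_tlv(kbody, pos)
        keys.append(decode_krb_key(t, b))
    return {"major": _int(f, 0, UINT16), "minor": _int(f, 1, UINT16), "kvno": _int(f, 2, UINT32),
            "mkvno": _int(f, 3, UINT32, optional=True), "keys": keys}

def decode_master_key(der):
    f = _top(der)
    return {"kvno": _int(f, 0, UINT32), "key": decode_enc_key(0x30, _member(f, 1, 0x30))}

# Constructed sample: kvno 3, one aes256-cts (enctype 18) key with a NORMAL (0)
# salt, wrapped under master key version 1; the key bytes are placeholders.
SAMPLE_KEYSET = {"major": 1, "minor": 1, "kvno": 3, "mkvno": 1,
                 "keys": [{"salt": {"type": 0, "salt": b"EXAMPLE.COMalice"},
                           "key": {"keytype": 18, "keyvalue": bytes(range(32))}}]}
```

   The decoder refuses trailing bytes, wrong tag classes, missing
   mandatory members and out-of-range integers instead of skipping over
   them.  A KDC that reads key material from a directory should fail
   closed on malformed values in the same way: a lenient parser of this
   attribute is the easiest place for an extra or substituted key to hide.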
3.35 krbLastFailedAuth

   This attribute holds the time of the principal's last failed
   authentication.

   Definition:

      ( IANA-ASSIGNED-OID.4.35 NAME 'krbLastFailedAuth'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

   Used In: krbPrincipalAux

   Values: The time of the principal's last failed authentication.

3.36 krbLoginFailedCount

   This attribute stores the number of failed authentication attempts for
   the principal since its last successful authentication.  For this,
   pre-authentication has to be enabled for the principal: without it the
   KDC answers any AS request with an encrypted reply and never learns
   whether the requester knew the password, so there is no failure for it
   to count.

   Definition:

      ( IANA-ASSIGNED-OID.4.36 NAME 'krbLoginFailedCount'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPrincipalAux

   Values: Number of failed authentication attempts since the last
   successful authentication of the principal.

3.37 krbExtraData

   This attribute can be used to store application specific data.

   Definition:

      ( IANA-ASSIGNED-OID.4.37 NAME 'krbExtraData'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   Used In: krbPrincipalAux

   Values: Any principal related values can be stored in this attribute
   and used by the application.

3.38 krbPrincipalReferences

   This attribute holds references to a set of principal objects: the
   DNs of the separate krbPrincipal objects that belong to one directory
   object (for example a person entry).

   Definition:

      ( IANA-ASSIGNED-OID.4.38 NAME 'krbPrincipalReferences'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbPrincRefAux

   Values: DNs of valid principal (krbPrincipal) objects.

3.39 krbObjectReferences

   This attribute holds references to a set of directory objects: the
   DNs of the directory objects to which the principal object belongs,
   the reverse of krbPrincipalReferences.
   Definition:

      ( IANA-ASSIGNED-OID.4.39 NAME 'krbObjectReferences'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbPrincipal

   Values: DNs of valid directory objects.

3.40 krbPrincContainerRef

   Holds a reference to the container object in which additional
   principal objects and stand alone principal objects (krbPrincipal) are
   created.

   Definition:

      ( IANA-ASSIGNED-OID.4.40 NAME 'krbPrincContainerRef'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Values: DN of a valid container object.  The container object must
   either lie within one of the realm's sub trees (krbSubTrees) or be the
   realm container itself.

4. Object Class Definitions

   As the OIDs for the object classes in this document have not been
   assigned, IANA-ASSIGNED-OID is used as a placeholder until real OIDs
   are assigned.

4.1 krbContainer

   The krbContainer class defines a container object.  This container
   holds only realm objects: it is the container for all the realm
   container objects in a tree, so that locating a realm is easy.

   Definition:

      ( IANA-ASSIGNED-OID.6.1 NAME 'krbContainer'
        SUP top
        STRUCTURAL
        MUST ( cn ) )

   Naming Attribute: cn

   Containment: organization, organizationalunit, country, locality,
   domain

4.2 krbRealmContainer

   The krbRealmContainer object contains the realm name and the related
   realm information that the Kerberos authentication and administration
   servers need to process requests.  For each realm there exists exactly
   one realm container object.
   Definition:

      ( IANA-ASSIGNED-OID.6.2 NAME 'krbRealmContainer'
        SUP top
        STRUCTURAL
        MUST ( cn )
        MAY ( krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbMKey $
              krbLdapServers $ krbSupportedEncTypes $
              krbSupportedSaltTypes $ krbDefaultEncSaltTypes $
              krbKdcServers $ krbPwdServers $ krbAdmServers $
              krbPrincNamingAttr $ krbTicketPolicyReference $
              krbPwdPolicyReference $ krbPrincContainerRef ) )

   Naming Attribute: cn

   Containment: krbContainer

4.3 krbService

   krbService is an abstract class and serves as the super class of
   krbKdcService, krbAdmService and krbPwdService.  One instance of a
   class derived from krbService is created per Kerberos authentication,
   administration or password server in a realm; it holds the references
   to the realm objects, which are used to read the realm specific data
   needed to service AS/TGS requests.  Additionally the object carries
   some server specific data, such as the host, protocol and port the
   server uses (krbHostServer).  The DN of this object is the identity
   the Kerberos server binds to the directory with, so the directory
   access control for the key attributes (krbPrincipalKey, krbPwdHistory,
   krbMKey) should be granted to exactly these service identities and to
   nothing else.

   Definition:

      ( IANA-ASSIGNED-OID.6.3 NAME 'krbService'
        SUP ( top )
        ABSTRACT
        MUST ( cn )
        MAY ( krbHostServer $ krbRealmReferences ) )

   Naming Attribute: cn

   Containment: organization, organizationalunit, country, locality,
   domain, krbRealmContainer

4.4 krbKdcService

   An object of this class serves as the representative object with
   which the KDC binds to the LDAP directory and obtains a connection to
   access the Kerberos data with the required access rights.
   krbKdcService is derived from krbService.
   Definition:

      ( IANA-ASSIGNED-OID.6.4 NAME 'krbKdcService'
        SUP ( krbService )
        STRUCTURAL )

4.5 krbAdmService

   An object of this class serves as the representative object with
   which the administration service binds to the LDAP directory and
   obtains a connection to access the Kerberos data with the required
   access rights.  krbAdmService is derived from krbService.

   Definition:

      ( IANA-ASSIGNED-OID.6.5 NAME 'krbAdmService'
        SUP ( krbService )
        STRUCTURAL )

4.6 krbPwdService

   An object of this class serves as the representative object with
   which the Kerberos change password server binds to the LDAP directory
   and obtains a connection to access the Kerberos data with the required
   access rights.  krbPwdService is derived from krbService.

   Definition:

      ( IANA-ASSIGNED-OID.6.6 NAME 'krbPwdService'
        SUP ( krbService )
        STRUCTURAL )

4.7 krbTicketPolicyAux

   The krbTicketPolicyAux class holds the ticket policy data that is
   relevant to a principal.  It is an auxiliary class so that it can
   either form a policy object or be attached directly to a principal or
   to a krbRealmContainer.  This class replaces the krbPolicyAux class
   which was present in the previous version of the draft.

   Definition:

      ( IANA-ASSIGNED-OID.6.7 NAME 'krbTicketPolicyAux'
        SUP top
        AUXILIARY
        MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )

4.8 krbTicketPolicy

   Ticket policy objects represent the effective ticket policy for
   Kerberos principals and can be associated with principals through
   krbTicketPolicyReference.  krbTicketPolicy objects are always created
   together with krbTicketPolicyAux, which carries the policy attributes.
   This class replaces the krbPolicy class which was present in the
   previous version of the draft.
Definition:

   ( IANA-ASSIGNED-OID.6.8 NAME 'krbTicketPolicy'
     SUP ( top )
     STRUCTURAL
     MUST ( cn )
     MAY ( krbPolicyRefCount ) )

4.9 krbPrincipalAux

   The principal auxiliary class contains the attributes used to store
   principal-related data. It is defined as an auxiliary class so that other
   classes of objects (person, krbPrincipal, etc.) can extend their class
   definitions with principal data.

Definition:

   ( IANA-ASSIGNED-OID.6.9 NAME 'krbPrincipalAux'
     SUP top
     AUXILIARY
     MAY ( krbPrincipalName $ krbPrincipalType $ krbPrincipalKey $
           krbPasswordExpiration $ krbUPEnabled $ krbPrincipalExpiration $
           krbTicketPolicyReference $ krbPwdPolicyReference $ krbPwdHistory $
           krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $
           krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )

4.10 krbPrincipal

   The krbPrincipal class is used to create additional principals and
   stand-alone principals. krbPrincipal objects will be created with
   krbPrincipalAux and optionally with krbTicketPolicyAux.

Definition:

   ( IANA-ASSIGNED-OID.6.10 NAME 'krbPrincipal'
     SUP ( top )
     STRUCTURAL
     MUST ( krbPrincipalName )
     MAY ( krbObjectReferences ) )

Naming Attribute: krbPrincipalName

Containment: organization, organizationalunit, country, locality, domain,
   krbRealmContainer

4.11 krbPwdPolicy

   The krbPwdPolicy object is a template password policy that can be applied
   to principals when they are created. These policy attributes take effect
   when the Kerberos passwords are different from the directory passwords.

Definition:

   ( IANA-ASSIGNED-OID.6.11 NAME 'krbPwdPolicy'
     SUP ( top )
     STRUCTURAL
     MUST ( cn )
     MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $
           krbPwdMinLength $ krbPwdHistoryLength $ krbPolicyRefCount ) )

4.12 krbPrincRefAux

   This class contains an attribute that stores the reference between a
   directory object and its principal objects.
   If a separate principal object is created for a directory identity, the
   reference can be maintained in the directory object using this auxiliary
   class.

Definition:

   ( IANA-ASSIGNED-OID.6.12 NAME 'krbPrincRefAux'
     SUP top
     AUXILIARY
     MAY ( krbPrincipalReferences ) )

5. IANA Considerations

   Refer to RFC 3383, "Internet Assigned Numbers Authority (IANA)
   Considerations for the Lightweight Directory Access Protocol (LDAP)"
   [RFC3383].

5.1 Object Identifier Registration

   It is requested that the IANA register upon Informational Action an LDAP
   Object Identifier for use in this technical specification according to
   the following template:

      Subject: Request for LDAP OID Registration
      Person & email address to contact for further information:
         Rajasekaran Nagarajan (rnagarajan@novell.com)
         K.G.Gokulavasan (kgokulavasan@novell.com)
      Specification: RFC XXXX
      Author/Change Controller: IESG
      Comments: The assigned OID will be used as a base for identifying a
         number of Kerberos schema elements defined in this document.
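   The object classes of Section 4 compose through SUP (structural classes
   such as krbKdcService inherit cn and the realm references from the
   abstract krbService) and through auxiliary classes attached to a
   structural one (krbPrincipal plus krbPrincipalAux and krbTicketPolicyAux).
   The checker below is an added example, not part of the draft: it
   transcribes the definitions of Sections 4.3 to 4.10 as data and validates
   constructed sample entries against them the way a directory server's
   schema check would; the entry contents, DNs and key values are invented
   placeholders.

```python
# Added example, not from the draft: apply the Section 4 object class
# definitions (MUST/MAY resolved through SUP) to a candidate LDAP entry.
OBJECT_CLASSES = {  # name: (SUP, kind, MUST, MAY), from Sections 4.3-4.10
    "top": (None, "ABSTRACT", set(), set()),
    "krbService": ("top", "ABSTRACT", {"cn"}, {"krbHostServer", "krbRealmReferences"}),
    "krbKdcService": ("krbService", "STRUCTURAL", set(), set()),
    "krbTicketPolicyAux": ("top", "AUXILIARY", set(), {"krbTicketFlags", "krbMaxTicketLife", "krbMaxRenewableAge"}),
    "krbPrincipalAux": ("top", "AUXILIARY", set(), set(
        "krbPrincipalName krbPrincipalType krbPrincipalKey krbPasswordExpiration krbUPEnabled "
        "krbPrincipalExpiration krbTicketPolicyReference krbPwdPolicyReference krbPwdHistory "
        "krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth "
        "krbLoginFailedCount krbExtraData".split())),
    "krbPrincipal": ("top", "STRUCTURAL", {"krbPrincipalName"}, {"krbObjectReferences"}),
}

def effective_schema(classes):
    """Union of MUST and MAY over each listed class and its SUP ancestors."""
    must, may = set(), set()
    for name in classes:
        while name is not None:          # walk e.g. krbKdcService -> krbService -> top
            sup, _kind, m, o = OBJECT_CLASSES[name]
            must, may, name = must | m, may | o, sup
    return must, may

def check_entry(entry):
    """Return the schema violations of entry ({attr: [values]}); [] if clean."""
    classes = entry.get("objectClass", [])
    problems = [f"unknown objectClass {c}" for c in classes if c not in OBJECT_CLASSES]
    known = [c for c in classes if c in OBJECT_CLASSES]
    if not any(OBJECT_CLASSES[c][1] == "STRUCTURAL" for c in known):
        problems.append("entry has no STRUCTURAL object class")
    must, may = effective_schema(known)
    present = {a for a in entry if a != "objectClass"}
    problems += [f"missing MUST attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by the entry's object classes"
                 for a in sorted(present - must - may)]
    return problems

# Constructed sample: a stand-alone principal (4.10) with principal data (4.9) and
# its own ticket policy (4.7); the key value is only a placeholder.
PRINCIPAL_ENTRY = {
    "objectClass": ["top", "krbPrincipal", "krbPrincipalAux", "krbTicketPolicyAux"],
    "krbPrincipalName": ["host/kdc1.example.com@EXAMPLE.COM"],
    "krbPrincipalKey": ["<opaque key blob, placeholder>"],
    "krbMaxTicketLife": ["86400"],
}
# Constructed sample: a KDC service object (4.4) lacking its naming attribute cn
# and carrying a principal key that none of its classes permit.
BAD_SERVICE_ENTRY = {
    "objectClass": ["top", "krbService", "krbKdcService"],
    "krbRealmReferences": ["cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com"],
    "krbPrincipalKey": ["<opaque key blob, placeholder>"],
}
```

   check_entry(PRINCIPAL_ENTRY) returns an empty list, while the service
   entry is reported both for the missing cn and for the stray
   krbPrincipalKey, which is exactly the kind of misplaced key material the
   Security Considerations warn about.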
5.2 Object Identifier Descriptors

   It is requested that the IANA register upon Informational Action the LDAP
   Descriptors used in this technical specification as detailed in the
   following template:

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see table
      Object Identifier: see table
      Person & email address to contact for further information:
         Rajasekaran Nagarajan (rnagarajan@novell.com)
         K.G.Gokulavasan (kgokulavasan@novell.com)
      Usage: see table
      Specification: RFC XXXX
      Author/Change Controller: IESG

   Table: The following descriptors have been added:

      NAME                       Type  OID
      -------------------------  ----  ----------------------
      krbPrincipalName           A     IANA-ASSIGNED-OID.4.1
      krbPrincipalType           A     IANA-ASSIGNED-OID.4.2
      krbPrincipalKey            A     IANA-ASSIGNED-OID.4.3
      krbPasswordExpiration      A     IANA-ASSIGNED-OID.4.4
      krbUPEnabled               A     IANA-ASSIGNED-OID.4.5
      krbPrincipalExpiration     A     IANA-ASSIGNED-OID.4.6
      krbTicketPolicyReference   A     IANA-ASSIGNED-OID.4.7
      krbTicketFlags             A     IANA-ASSIGNED-OID.4.8
      krbMaxTicketLife           A     IANA-ASSIGNED-OID.4.9
      krbMaxRenewableAge         A     IANA-ASSIGNED-OID.4.10
      krbRealmReferences         A     IANA-ASSIGNED-OID.4.11
      krbLdapServers             A     IANA-ASSIGNED-OID.4.12
      krbSubTrees                A     IANA-ASSIGNED-OID.4.13
      krbKdcServers              A     IANA-ASSIGNED-OID.4.14
      krbAdmServers              A     IANA-ASSIGNED-OID.4.15
      krbPwdServers              A     IANA-ASSIGNED-OID.4.16
      krbSupportedEncTypes       A     IANA-ASSIGNED-OID.4.17
      krbSupportedSaltTypes      A     IANA-ASSIGNED-OID.4.18
      krbDefaultEncSaltTypes     A     IANA-ASSIGNED-OID.4.19
      krbHostServer              A     IANA-ASSIGNED-OID.4.20
      krbSearchScope             A     IANA-ASSIGNED-OID.4.21
      krbPrincNamingAttr         A     IANA-ASSIGNED-OID.4.22
      krbMaxPwdLife              A     IANA-ASSIGNED-OID.4.23
      krbMinPwdLife              A     IANA-ASSIGNED-OID.4.24
      krbPwdMinDiffChars         A     IANA-ASSIGNED-OID.4.25
      krbPwdMinLength            A     IANA-ASSIGNED-OID.4.26
      krbPwdHistoryLength        A     IANA-ASSIGNED-OID.4.27
      krbPolicyRefCount          A     IANA-ASSIGNED-OID.4.28
      krbPwdPolicyReference      A     IANA-ASSIGNED-OID.4.29
      krbPwdHistory              A     IANA-ASSIGNED-OID.4.30
      krbLastPwdChange           A     IANA-ASSIGNED-OID.4.31
      krbMKey                    A     IANA-ASSIGNED-OID.4.32
      krbPrincipalAliases        A     IANA-ASSIGNED-OID.4.33
      krbLastSuccessfulAuth      A     IANA-ASSIGNED-OID.4.34
      krbLastFailedAuth          A     IANA-ASSIGNED-OID.4.35
      krbLoginFailedCount        A     IANA-ASSIGNED-OID.4.36
      krbExtraData               A     IANA-ASSIGNED-OID.4.37
      krbPrincipalReferences     A     IANA-ASSIGNED-OID.4.38
      krbObjectReferences        A     IANA-ASSIGNED-OID.4.39
      krbPrincContainerRef       A     IANA-ASSIGNED-OID.4.40
      krbContainer               O     IANA-ASSIGNED-OID.6.1
      krbRealmContainer          O     IANA-ASSIGNED-OID.6.2
      krbService                 O     IANA-ASSIGNED-OID.6.3
      krbKdcService              O     IANA-ASSIGNED-OID.6.4
      krbAdmService              O     IANA-ASSIGNED-OID.6.5
      krbPwdService              O     IANA-ASSIGNED-OID.6.6
      krbTicketPolicyAux         O     IANA-ASSIGNED-OID.6.7
      krbTicketPolicy            O     IANA-ASSIGNED-OID.6.8
      krbPrincipalAux            O     IANA-ASSIGNED-OID.6.9
      krbPrincipal               O     IANA-ASSIGNED-OID.6.10
      krbPwdPolicy               O     IANA-ASSIGNED-OID.6.11
      krbPrincRefAux             O     IANA-ASSIGNED-OID.6.12

      where Type A is Attribute and Type O is ObjectClass.

   Upon Informational Action these assignments will be recorded in the
   following registry: http://www.iana.org/assignments/ldap-parameters

6. Security Considerations

   Storing Kerberos data in an LDAP directory makes it possible to examine
   the data outside the environment in which it is supposed to be created
   and used. The Kerberos 5 protocol relies on the security of the keys
   stored in the KDC database. Hence the Kerberos data in the directory
   must be protected both in storage and in transmission. This document
   assumes that the channel over which the keys are accessed from the
   directory MUST be secured, and that updates to these keys are restricted
   to well-defined administrative interfaces.
   The data stored in the directory MUST be protected with appropriate access
   rights using the access control mechanisms of the directory. Access control
   mechanisms are beyond the scope of this document. Moreover, if the data is
   replicated over multiple directory instances, the replication channel MUST
   also be secured.

7. References

   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964,
              June 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
              Levels", BCP 14, RFC 2119, March 1997.

   [RFC3383]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access Protocol
              (LDAP)", RFC 3383, September 2002.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos
              Network Authentication Service (V5)", RFC 4120, July 2005.

   [draft-ietf-krb-wg-kerberos-referrals-07]
              Raeburn, K., Zhu, L., and K. Jaganathan, "Generating KDC
              Referrals to Locate Kerberos Realms",
              ID draft-ietf-krb-wg-kerberos-referrals-07, March 2006.

   [draft-johansson-kerberos-model-02]
              Johansson, L., "An information model for Kerberos version 5",
              ID draft-johansson-kerberos-model-01, July 2004.

   [draft-skibbie-krb-kdc-ldap-schema-02]
              Skibbie, D., Trostle, J., and J. Griffith, "Kerberos KDC LDAP
              Schema", ID draft-skibbie-krb-kdc-ldap-schema-02, May 2002.

Authors' Addresses

   Rajasekaran Nagarajan
   Novell, Inc.
   49/1 and 49/3 Garvebhavipalya
   7th Mile, Hosur Road
   Bangalore, Karnataka 560068
   IN

   Phone: +91 80 25731856
   Email: rnagarajan@novell.com


   K.G.Gokulavasan
   Novell, Inc.
   49/1 and 49/3 Garvebhavipalya
   7th Mile, Hosur Road
   Bangalore, Karnataka 560068
   IN

   Phone: +91 80 25731856
   Email: kgokulavasan@novell.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in this
   document or the extent to which any license under such rights might or
   might not be available; nor does it represent that it has made any
   independent effort to identify any such rights. Information on the
   procedures with respect to rights in RFC documents can be found in BCP 78
   and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any assurances
   of licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such proprietary
   rights by implementers or users of this specification can be obtained from
   the IETF on-line IPR repository at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary rights
   that may cover technology that may be required to implement this standard.
   Please address the information to the IETF at ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS
   SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
   LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
   INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
   FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).
   This document is subject to the rights, licenses and restrictions contained
   in BCP 78, and except as set forth therein, the authors retain all their
   rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the Internet
   Society.