Creating a Kerberos user principal using LDAP

Dax Kelson dkelson at
Thu Mar 5 19:03:12 EST 2009

Given a KDC using the LDAP backend, has anyone created a stand alone
tool to create user principals by directly adding a LDAP entry?

Apparently the difficultly is correctly creating the ASN.1 encoded key
attribute (krbPrincipalkey) which is harder still because of the need to
encrypt it using the master key (krbMKey).

In the LDAP world, it isn't unusual that the password attribute value is
generated with a special tool (unless the plaintext password is used).

I think two tools would be interesting. 

1. A tool that only spits out the krbPrincipalkey attribute on STDOUT.

2. A tool that creates the whole user principal including the

More specifically, I would like some perl or python code that I include
in a larger project.

If either tools has not been created, there is code from the FreeIPA
project, inside ipa_pwd_extop.c (see that
fetches the master key and properly create the ASN.1 encoded key. That
code could be used as a starting point or inspiration.

Dax Kelson
Guru Labs

More information about the Kerberos mailing list