Special Characters in Principal Names
Bram Cymet
bcymet at cbnco.com
Tue Aug 6 08:44:05 EDT 2013
Hi,
Thanks for the detailed answer.
If I were to change the Kerberos schema would things explode?
Bram
On 2013-08-05 2:21 PM, Greg Hudson wrote:
> On 08/02/2013 12:46 PM, Bram Cymet wrote:
>> I am wondering if it is possible to have special characters in principal
>> names? For example áharuchio at TEST.LS.CBN.
>
> Sort of.
>
> The Kerberos 5 protocol officially restricts principal names to ASCII
> characters, mainly because the ASN.1 type used to communicate principal
> components is GeneralString, which can't hold UTF-8 values.
>
> In reality, implementations of Kerberos do not check this; they accept
> any octet values in principal names on the wire. As a result, people
> put various kinds of non-ASCII values there. Sites with Active
> Directory in the mix tend to use UTF-8, but other sites reportedly use
> different encodings. This situation is pretty hard to disentangle, so
> our implementation currently doesn't make very many assumptions about
> octet values in principal names.
>
> A notable exception is the LDAP KDB module. The Kerberos schema defines
> the krbPrincipalName attribute as having syntax
> IA5 String (1.3.6.1.4.1.1466.115.121.1.26), which restricts the value to
> ASCII characters. This is what blocks you from using accented
> characters in your deployment.
>
> I don't know of a good workaround for you which doesn't involve
> switching KDB modules. My understanding is that FreeIPA has its own
> LDAP KDB module (with a different schema from ours) which might not have
> this restriction, but I don't have direct experience with it.
>
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
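As an added example (not code from this thread or from MIT krb5), the following checks a principal string against the restriction Greg describes: it parses the usual string form (components separated by "/", realm after the first unescaped "@", backslash quoting the next character), flags any component or realm containing a character above 0x7F, which an IA5 String attribute such as krbPrincipalName cannot hold, and shows the octets that would be sent in the GeneralString components. The on-the-wire encoding is a site choice that the protocol does not fix; UTF-8 is assumed here. The "host/kdc.example.com@EXAMPLE.COM" principal is a constructed sample; the parser is a simplification and is not krb5_parse_name.

```python
"""Check Kerberos principal strings against the ASCII/IA5 limit.

Added example for this thread, not MIT krb5 code. UTF-8 is an assumed
encoding for the wire octets; the protocol itself does not specify one.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Principal:
    components: List[str]
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm."""
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            # Backslash quotes the next character ('\/' or '\@' stay literal).
            buf.append(name[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif ch == "@":
            if in_realm:
                raise ValueError("second unescaped '@' in principal name")
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return Principal(components, "".join(buf))
    components.append("".join(buf))
    return Principal(components, "")


def non_ia5_parts(p: Principal) -> List[Tuple[str, str]]:
    """Return (label, value) for each part containing a code point above 0x7F.

    IA5 String (1.3.6.1.4.1.1466.115.121.1.26) holds only 7-bit characters,
    so any such part cannot be stored in an IA5-typed LDAP attribute.
    """
    bad: List[Tuple[str, str]] = []
    for idx, comp in enumerate(p.components):
        if any(ord(c) > 0x7F for c in comp):
            bad.append((f"component[{idx}]", comp))
    if any(ord(c) > 0x7F for c in p.realm):
        bad.append(("realm", p.realm))
    return bad


def wire_octets(p: Principal, encoding: str = "utf-8") -> List[bytes]:
    """Octets that would be placed in each GeneralString component.

    Implementations pass these octets through unchecked, so what a peer
    sees depends entirely on the encoding the sender chose (assumed UTF-8).
    """
    return [c.encode(encoding) for c in p.components]


if __name__ == "__main__":
    # Constructed sample principals: one plain ASCII, one from the question.
    for raw in ("host/kdc.example.com@EXAMPLE.COM", "áharuchio@TEST.LS.CBN"):
        p = parse_principal(raw)
        print(raw, "->", p.components, p.realm)
        print("  non-IA5 parts:", non_ia5_parts(p))
        print("  UTF-8 octets:", wire_octets(p))
```

Running this reports no offending parts for the ASCII principal and flags component[0] of "áharuchio@TEST.LS.CBN", whose first character becomes the two octets 0xC3 0xA1 on the wire under UTF-8; that is the value the LDAP KDB module would try, and fail, to store in krbPrincipalName.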