Version 1 draft of LDAP Kerberos schema

Andrew Bartlett abartlet at samba.org
Thu Aug 3 20:29:19 EDT 2006


On Thu, 2006-08-03 at 05:55 -0600, K.G. Gokulavasan wrote:
> Hi,
>   I have posted the Version 1 draft of LDAP Kerberos schema on the
> kdc-info list and  kdc-schema list. Please go through it and provide
> your comments.

My first comment is that the key storage is much improved, but I wonder:
it seems so close, would it be possible to use the heimdal krb5Key
schema?

Key ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
	key[1]		EncryptionKey,
	salt[2]		Salt OPTIONAL
}

EncryptionKey ::= SEQUENCE {
	keytype[0]		krb5int32,
	keyvalue[1]		OCTET STRING
}

In a very selfish example, it would mean that when I try to get Samba4
and MIT's KDC to mix, I can continue to use that as my internal
format.

But outside that, it would make it much easier for administrators to
migrate existing LDAP setups between the current Heimdal schema and the
new MIT KDC implementation, as most other attributes are simple
translations, rather than requiring an ASN.1 encode/decode step.  

(There are other attributes, such as the flags, which I would like to
see lined up, but this would be the most useful to me as an admin).

At the very least, why isn't this a multi-valued attribute, rather than
a sequence in a single binary blob?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
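The Heimdal Key SEQUENCE quoted in the message above, as an added worked example that is not part of the original post nor Heimdal's or Samba's own code: a minimal DER encoder and strict decoder for one krb5Key value in Python. It assumes explicit context tagging (the default in Heimdal's HDB ASN.1 module) and models Salt as SEQUENCE { type[0] INTEGER, salt[1] OCTET STRING }, which is an assumption since the quoted text does not define Salt.

```python
def _tlv(tag, body):
    """DER tag-length-value with definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(n):  # DER INTEGER, n >= 0; a leading 0x00 keeps the top bit from reading as a sign
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _ctx(n, inner):  # explicit context-specific tag [n] around an already encoded element
    return _tlv(0xA0 | n, inner)

def encode_key(keytype, keyvalue, mkvno=None, salt=None):
    """Key ::= SEQUENCE { mkvno[0] OPTIONAL, key[1] EncryptionKey, salt[2] OPTIONAL }."""
    enc_key = _tlv(0x30, _ctx(0, _int(keytype)) + _ctx(1, _tlv(0x04, keyvalue)))
    body = (b"" if mkvno is None else _ctx(0, _int(mkvno))) + _ctx(1, enc_key)
    if salt is not None:  # Salt assumed as SEQUENCE { type[0] INTEGER, salt[1] OCTET STRING }
        body += _ctx(2, _tlv(0x30, _ctx(0, _int(salt[0])) + _ctx(1, _tlv(0x04, salt[1]))))
    return _tlv(0x30, body)

def _read(buf, pos):  # (tag, value, next_pos) of the element at pos; refuses truncated input
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def _members(seq_body):  # SEQUENCE body -> {context tag number: inner encoded element}
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, val, pos = _read(seq_body, pos)
        if tag & 0xE0 != 0xA0:
            raise ValueError("expected explicit context tag, got 0x%02x" % tag)
        out[tag & 0x1F] = val
    return out

def decode_key(der):  # inverse of encode_key; ValueError on malformed or trailing data
    tag, body, end = _read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    m = _members(body)
    ek = _members(_read(m[1], 0)[1])
    out = {"keytype": int.from_bytes(_read(ek[0], 0)[1], "big"), "keyvalue": _read(ek[1], 0)[1]}
    if 0 in m: out["mkvno"] = int.from_bytes(_read(m[0], 0)[1], "big")
    if 2 in m:
        s = _members(_read(m[2], 0)[1])
        out["salt"] = (int.from_bytes(_read(s[0], 0)[1], "big"), _read(s[1], 0)[1])
    return out
```

Because every Key is its own DER blob, one LDAP attribute value per key (the multi-valued layout the message asks about) lets a KDC validate and reject a single malformed value without losing the principal's other keys.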