Version 1 draft of LDAP Kerberos schema

Andrew Bartlett abartlet at
Thu Aug 3 20:29:19 EDT 2006

On Thu, 2006-08-03 at 05:55 -0600, K.G. Gokulavasan wrote:
> Hi,
>   I have posted the Version 1 draft of LDAP Kerberos schema on the
> kdc-info list and  kdc-schema list. Please go through it and provide
> your comments.

My first comment is that the key storage is much improved, but I wonder:
it seems so close, would it be possible to use the heimdal krb5Key

Key ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
	key[1]		EncryptionKey,
	salt[2]		Salt OPTIONAL
}

EncryptionKey ::= SEQUENCE {
	keytype[0]		krb5int32,
	keyvalue[1]		OCTET STRING
}

In a very selfish example, It would mean that when I try to get Samba4
and MIT's KDC to mix, I can continue to use that as my internal

But outside that, it would make it much easier for administrators to
migrate existing LDAP setups between the current Heimdal schema and the
new MIT KDC implementation, as most other attributes are simple
translations, rather than requiring an ASN.1 encode/decode step.  

(There are other attributes, such as the flags, which I would like to
see lined up, but this would be the most useful to me as an admin).

At the very least, why isn't this a multi-valued attribute, rather than
a sequence in a single binary blob?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Red Hat Inc.
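As an added illustration (not from Andrew's mail, Heimdal or MIT code), the following Python encodes and decodes the Heimdal Key structure quoted above as DER, which is the "ASN.1 encode/decode step" an administrator would otherwise face when moving key material between the two schemas. It assumes Heimdal's default EXPLICIT context tagging, omits the Salt member (its definition is not quoted in the mail), and uses constructed sample values rather than real keys.

```python
# Minimal DER codec for Heimdal's hdb Key / EncryptionKey (Salt omitted).
# Assumption: EXPLICIT context tags [0],[1],[2], as in Heimdal's ASN.1 modules.

def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _der_int(v):
    """INTEGER in minimal two's-complement form (krb5int32 is signed)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _ctx(n, body):
    """EXPLICIT context tag [n]: constructed, wraps the inner TLV unchanged."""
    return _tlv(0xA0 | n, body)

def encode_encryption_key(keytype, keyvalue):
    return _tlv(0x30, _ctx(0, _der_int(keytype)) + _ctx(1, _tlv(0x04, keyvalue)))

def encode_key(keytype, keyvalue, mkvno=None):
    body = b"" if mkvno is None else _ctx(0, _der_int(mkvno))
    return _tlv(0x30, body + _ctx(1, encode_encryption_key(keytype, keyvalue)))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    """Split a constructed body into {context tag number: inner TLV bytes}."""
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out[tag & 0x1F] = val
    return out

def decode_key(der):
    """Return (mkvno or None, keytype, keyvalue) from a DER-encoded Key."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    f = _children(body)
    mkvno = None if 0 not in f else int.from_bytes(_read_tlv(f[0], 0)[1], "big", signed=True)
    ek = _children(_read_tlv(f[1], 0)[1])   # inner EncryptionKey SEQUENCE body
    keytype = int.from_bytes(_read_tlv(ek[0], 0)[1], "big", signed=True)
    return mkvno, keytype, _read_tlv(ek[1], 0)[1]
```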

More information about the krbdev mailing list