Version 1 draft of LDAP Kerberos schema

gokul kgokulavasan at
Fri Aug 4 08:46:16 EDT 2006

On Fri, 2006-08-04 at 10:29 +1000, Andrew Bartlett wrote:
> On Thu, 2006-08-03 at 05:55 -0600, K.G. Gokulavasan wrote:
> > Hi,
> >   I have posted the Version 1 draft of LDAP Kerberos schema on the
> > kdc-info list and  kdc-schema list. Please go through it and provide
> > your comments.
> My first comment is that the key storage is much improved, but I wonder:
> it seems so close, would it be possible to use the heimdal krb5Key
> schema?
> Key ::= SEQUENCE {
> 	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
> 	key[1]		EncryptionKey,
> 	salt[2]		Salt OPTIONAL
> }
> EncryptionKey ::= SEQUENCE {
> 	keytype[0]		krb5int32,
> 	keyvalue[1]		OCTET STRING
> }
> In a very selfish example, it would mean that when I try to get Samba4
> and MIT's KDC to mix, I can continue to use that as my internal
> format.
> But outside that, it would make it much easier for administrators to
> migrate existing LDAP setups between the current Heimdal schema and the
> new MIT KDC implementation, as most other attributes are simple
> translations, rather than requiring an ASN.1 encode/decode step.  
> (There are other attributes, such as the flags, which I would like to
> see lined up, but this would be the most useful to me as an admin).
> At the very least, why isn't this a multi-valued attribute, rather than
> a sequence in a single binary blob?

The key (krbPrincipalKey) is multivalued. But each value will contain
all the keys of a particular key version. In the MIT implementation, while
changing password (cpw), the "keepold" option can be used and the old keys
can be retained. In that case, those keys can be stored in the other
values. In the Heimdal schema, key version (krb5KeyVersionNumber) is a
separate single valued attribute and I think only one version of keys
can be stored at a time. Does Heimdal support retaining old keys?
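
Added example, not part of either message or of the Heimdal or MIT code: a minimal DER reader for the Key structure quoted above, showing the decode step that each stored value needs. It assumes DER with EXPLICIT context tags; `parse_key`, its helpers and the sample bytes are constructed for illustration, and Salt, which the thread does not define, is returned undecoded.

```python
# Added example. Assumes DER with EXPLICIT context tags [0], [1], [2].
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into a {tag: value} map."""
    out, pos = {}, 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out[tag] = val
    return out

def unwrap(value, tag):
    """Check that value holds exactly one element with this tag; return its content."""
    if value is None:
        raise ValueError("missing required field")
    got, val, end = read_tlv(value, 0)
    if got != tag or end != len(value):
        raise ValueError("unexpected element")
    return val

def parse_key(der):
    """Decode one Key value: mkvno[0] optional, key[1], salt[2] optional."""
    fields = children(unwrap(der, 0x30))
    enc = children(unwrap(fields.get(0xA1), 0x30))
    mkvno = fields.get(0xA0)
    return {
        "mkvno": None if mkvno is None else int.from_bytes(unwrap(mkvno, 0x02), "big"),
        "keytype": int.from_bytes(unwrap(enc.get(0xA0), 0x02), "big", signed=True),
        "keyvalue": unwrap(enc.get(0xA1), 0x04),
        "salt_der": fields.get(0xA2),  # Salt is not defined in the thread; kept raw
    }

# Constructed sample: mkvno 1, keytype 18, four placeholder key bytes.
SAMPLE = bytes.fromhex("3016a003020101a10f300da003020112a106040411111111")

if __name__ == "__main__":
    print(parse_key(SAMPLE))
```

Truncated input, trailing bytes and a missing key[1] all raise `ValueError` rather than returning a partial record.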

