more ldap concerns
Will Fiveash
William.Fiveash at sun.com
Thu Jun 1 21:57:13 EDT 2006
While trying to set up an LDAP directory for KDB use I ran
kdb5_ldap_util -D "cn=directory manager" create
I see:
Default enctype not specified: "des3-cbc-sha1" will be added as the default enctype and to the list of supported enctypes.
This appears to be hard coded in kdb5_ldap_create():
    /* Excerpt from kdb5_ldap_create(): if no default enctype was given
     * on the command line, des3-cbc-sha1 is supplied unconditionally. */
    if ( !(mask & LDAP_REALM_DEFENCTYPE) && (rparams != NULL)) {
        rparams->defenctype = ENCTYPE_DES3_CBC_SHA1;
        mask |= LDAP_REALM_DEFENCTYPE;
        printf("Default enctype not specified: \"des3-cbc-sha1\" "
               "will be added as the default enctype and to the "
               "list of supported enctypes.\n");
    }
How is this realm object attribute (krbDefaultEncType) being used? And
why ENCTYPE_DES3_CBC_SHA1?
=======================================================================
Second I see (in src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c):
int supportedenctypes[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC, -1};
int supportedsalttypes[] = { KRB5_KDB_SALTTYPE_NORMAL, KRB5_KDB_SALTTYPE_V4,
KRB5_KDB_SALTTYPE_NOREALM, KRB5_KDB_SALTTYPE_ONLYREALM,
KRB5_KDB_SALTTYPE_SPECIAL, -1};
Do we really want more hard coded lists of supported enc/salt types?
Note, these values are being stored in the realm container objects via
kdb5_ldap_util create. What happens if the KDC is modified to support
more enctypes? Does this mean the realm container must be updated?
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
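The drift problem raised above (the realm container stores a snapshot of the enctype list that was hard-coded when kdb5_ldap_util create ran) is easy to check for. The script below is an added example, not MIT krb5 code and not part of the original message: it parses a realm container entry dumped as LDIF and reports which of the KDC's current enctypes are absent from the stored list, whether the stored list still carries single-DES types, and whether the default enctype is the hard-coded des3-cbc-sha1. The enctype numbers are the standard RFC 3961 / RFC 6803 values. The attribute name krbDefaultEncType comes from the message; krbSupportedEncTypes is an assumed attribute name used here for illustration, and the LDIF entry is constructed.

```python
"""Check a Kerberos LDAP realm container's stored enctype list against
the enctypes the KDC currently supports.

Added example, not MIT krb5 code.  Assumptions: the multi-valued
attribute name krbSupportedEncTypes (hypothetical; only krbDefaultEncType
appears in the original post) and the constructed LDIF entry below.
"""

# Numeric enctype identifiers (RFC 3961 registry; camellia from RFC 6803).
ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
WEAK_ENCTYPES = {1, 2, 3}  # single DES: 56-bit keys, brute-forceable
DES3_CBC_SHA1 = 16         # the default kdb5_ldap_util create hard-codes

# The list hard-coded in ldap_realm.c at the time of the post ...
KDC_ENCTYPES_2006 = [1, 2, 3, 16, 17, 18, 23]
# ... and a KDC build that later gained the camellia enctypes (assumed).
KDC_ENCTYPES_LATER = [1, 2, 3, 16, 17, 18, 23, 25, 26]

# Constructed realm container entry, as kdb5_ldap_util create would have
# populated it with the 2006 lists (not a real directory dump).
REALM_CONTAINER_LDIF = """
dn: cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbRealmContainer
cn: EXAMPLE.COM
krbDefaultEncType: 16
krbSupportedEncTypes: 1
krbSupportedEncTypes: 2
krbSupportedEncTypes: 3
krbSupportedEncTypes: 16
krbSupportedEncTypes: 17
krbSupportedEncTypes: 18
krbSupportedEncTypes: 23
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.  Attributes may
    repeat (multi-valued).  Line folding and base64 (':: ') values are
    not needed for the integer-valued attributes handled here."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def enctype_name(etype):
    return ENCTYPES.get(etype, "unknown-enctype-%d" % etype)


def check_realm_container(entry, kdc_enctypes):
    """Compare the stored enctype list with the KDC's current list and
    report drift in both directions plus weak/default settings."""
    stored = {int(v) for v in entry.get("krbSupportedEncTypes", [])}
    default = None
    if entry.get("krbDefaultEncType"):
        default = int(entry["krbDefaultEncType"][0])
    current = set(kdc_enctypes)
    return {
        "default_enctype": default,
        "default_is_des3": default == DES3_CBC_SHA1,
        "weak_stored": [enctype_name(e) for e in sorted(stored & WEAK_ENCTYPES)],
        # KDC supports these, but the realm container was never updated.
        "missing_from_container": [enctype_name(e) for e in sorted(current - stored)],
        # Container advertises these, but the KDC no longer supports them.
        "not_supported_by_kdc": [enctype_name(e) for e in sorted(stored - current)],
    }


if __name__ == "__main__":
    entry = parse_ldif_entry(REALM_CONTAINER_LDIF)
    for label, kdc in (("2006 KDC", KDC_ENCTYPES_2006), ("later KDC", KDC_ENCTYPES_LATER)):
        print(label, check_realm_container(entry, kdc))
```

Run against the 2006 list the report shows no drift but flags the three single-DES types and the des3 default; run against a KDC that has gained enctypes it lists the ones the realm container never learned about, which is exactly the case where an operator would have to touch the container by hand.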