more ldap concerns

Praveenkumar Sahukar psahukar at novell.com
Fri Jun 2 07:26:00 EDT 2006 

>>> On Fri, Jun 2, 2006 at  7:27 AM, in message
<20060602015713.GB4031 at sun.com>,
Will Fiveash <William.Fiveash at sun.com> wrote: 

> While trying to setup a LDAP directory for KDB use I ran
> 
> kdb5_ldap_util - D "cn=directory manager" create
> 
> I see:
> 
> Default enctype not specified: "des3- cbc- sha1" will be added as the
default 
> enctype and to the list of supported enctypes.
> 
> This appears to be hard coded in kdb5_ldap_create():
> 
>     if ( !(mask & LDAP_REALM_DEFENCTYPE) && (rparams != NULL)) {
>     rparams- >defenctype = ENCTYPE_DES3_CBC_SHA1;
>     mask |= LDAP_REALM_DEFENCTYPE;
>     printf("Default enctype not specified: \"des3- cbc- sha1\" "
>         "will be added as the default enctype and to the "
>         "list of supported enctypes.\n");
> 
> How is this realm object attribute (krbDefaultEncType) being used? 
And
> why ENCTYPE_DES3_CBC_SHA1?

If supported_enctypes is not defined in kdc.conf, the
"des3-hmac-sha1:normal des-cbc-crc:normal" combination is used as the
code default. The krbDefaultEncType attribute value is present to
override this code default value. 

ENCTYPE_DES3_CBC_SHA1 is assumed as the default since this is the code
default too. 

> 
>
=======================================================================
> 
> Second I see (in src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c):
> 
> int supportedenctypes[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4,

> ENCTYPE_DES_CBC_MD5,
>                             ENCTYPE_DES3_CBC_SHA1, 
> ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>                             ENCTYPE_AES256_CTS_HMAC_SHA1_96, 
> ENCTYPE_ARCFOUR_HMAC, - 1};
> 
> int supportedsalttypes[] = { KRB5_KDB_SALTTYPE_NORMAL,
KRB5_KDB_SALTTYPE_V4,
>                              KRB5_KDB_SALTTYPE_NOREALM, 
> KRB5_KDB_SALTTYPE_ONLYREALM,
>                              KRB5_KDB_SALTTYPE_SPECIAL, - 1};
> 
> Do we really want more hard coded lists of supported enc/salt types?
> Note, these valures are being stored in the realm container objects
via
> kdb5_ldap_util create.  What happens if the KDC is modified to
support
> more enctypes?  Does this mean the realm container must be updated?

Yes this will lead to additional configuration steps to the realm
container. We will change the code to derive the lists from the krb5
library. 

-Praveen

More information about the krbdev mailing list