ldap_service_password_file format question

Praveen Kumar Sahukar psahukar at novell.com
Fri Jun 9 14:04:15 EDT 2006


On Tue, 2006-06-06 at 12:42 -0500, Will Fiveash wrote:
> On Tue, Jun 06, 2006 at 05:43:43AM -0600, Savitha R wrote:
> > The format is: 
> > 
> > ObjectDN#{encformat}encstring
> > 
> > ObjectDN: DN of the object for which the password is stashed.
> > encformat: Format in which the password is stored. Currently only
> > hexadecimal{HEX} is supported. The password is converted to hex and
> > stored.  
> > For certificate based authentication the format will be {FILE}. For
> > now, it works based on the entries in the ldaprc file and does not
> > require encstring.
> > encstring: encoded password string. 
> 
> Thanks for the info.  What I just discovered is that "kdb5_ldap_util
> stashsrvpw" is the utility that creates these entries.  It creates an
> entry in the ldap_service_password_file like:
> 
> cn=kdc service#{HEX}7465737431323334
> 
> Why not encrypt these passwords with the master key then convert to hex?

The idea is that the Kerberos service object can administer more than
one realm in which case it will not be possible to encrypt with the
master key as the master key for different realms is different. We had
actually considered using the host specific key from SSL, but assumed
that there would be licensing issues.

-Praveen
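A small parser for the stash-file format described in the thread, added here as an illustration and not code from MIT krb5 or from the thread's authors; the sample entries, DNs and passwords are constructed, and stash_file_is_private is an assumed helper name:

```python
import os
import stat

# Constructed sample of an ldap_service_password_file in the format the
# thread describes: ObjectDN#{encformat}encstring (one entry per line).
SAMPLE_STASH = """\
cn=kdc service#{HEX}7465737431323334
cn=kadmin service,ou=services,o=example#{HEX}6b61646d696e2d7077
cn=cert service,o=example#{FILE}
"""

def parse_stash_line(line):
    """Parse 'ObjectDN#{encformat}encstring'. Splits on the last '#{' so a
    DN containing an escaped '#' stays whole. Returns (dn, encformat,
    password): bytes for {HEX}, None for {FILE}, which per the thread has
    no encstring and relies on ldaprc entries instead."""
    line = line.strip()
    if not line:
        return None
    idx = line.rfind("#{")
    if idx < 0:
        raise ValueError("missing '#{encformat}' separator: %r" % line)
    dn, rest = line[:idx], line[idx + 1:]
    end = rest.find("}")
    if end < 0:
        raise ValueError("unterminated encformat: %r" % line)
    encformat, encstring = rest[1:end].upper(), rest[end + 1:]
    if encformat == "HEX":
        if not encstring or len(encstring) % 2:
            raise ValueError("bad HEX encstring for %s" % dn)
        return dn, "HEX", bytes.fromhex(encstring)  # hex is encoding only
    if encformat == "FILE":
        return dn, "FILE", None
    raise ValueError("unsupported encformat {%s} for %s" % (encformat, dn))

def parse_stash(text):
    """Map each service object DN to its (encformat, password) pair."""
    result = {}
    for line in text.splitlines():
        parsed = parse_stash_line(line)
        if parsed:
            result[parsed[0]] = (parsed[1], parsed[2])
    return result

def stash_file_is_private(path):
    """True only when nobody but the owner can read the stash file: {HEX} is
    reversible encoding, so the file mode is the sole protection."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Because {HEX} only encodes the password, the file's permissions carry all of the protection; stash_file_is_private is the check a deployment audit would run on it.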
