need advice on how to deal with KADM5_POLICY attribute

Will Fiveash William.Fiveash at Sun.COM
Sun Sep 24 20:31:00 EDT 2006

I'm close to getting the "kdb5_util load" command to work with the LDAP
KDB plugin however I'm having some difficulty understanding how to deal
with princ. records that have a policy reference.  Note that I
have modified the dump.c:process_k5beta6_record() function to set the
dbentry.mask so the krb5_ldap_put_principal() will properly create the
princ attributes when putting the princ entry to the directory.  For

        if (nread == 8) {
            dbentry.attributes = (krb5_flags) t2;
            dbentry.max_life = (krb5_deltat) t3;
            dbentry.max_renewable_life = (krb5_deltat) t4;
            dbentry.expiration = (krb5_timestamp) t5;
            dbentry.pw_expiration = (krb5_timestamp) t6;
            dbentry.last_success = (krb5_timestamp) t7;
            dbentry.last_failed = (krb5_timestamp) t8;
            dbentry.fail_auth_count = (krb5_kvno) t9;
            dbentry.mask = KADM5_PRINCIPAL | KADM5_ATTRIBUTES |

What I'm confused about is how to determine when the KADM5_POLICY mask
field should be set so that krb5_ldap_put_principal() will do the right
thing.  I think the policy reference is in the tl_data if it exists but
I am unsure as to the best way to detect this.  I'm assuming that in the
process_k5beta6_record() where it does:

        if (!error && dbentry.n_tl_data) {
            for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
                nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
                if (nread == 2) {
                    tl->tl_data_type = (krb5_int16) t1;
                    if (t1 == KRB5_TL_KADM_DATA) {
                        /* XXX How to determine when to dbentry.mask |= KADM5_POLICY? */

that the tl_data_type would be tested to see if it contains
KRB5_TL_KADM_DATA and the data would be checked to see if it contained a
policy but this is conjecture on my part.

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
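An added example, not from Will's message and not code from the krb5 tree: a stand-alone decoder that answers the question above for one tl_data entry as it appears in a dump file. It assumes (from my reading of kdb.h and the kadm5 headers, so check the constants against the tree) that KRB5_TL_KADM_DATA is type 0x0003, that its contents are the XDR encoding of osa_princ_ent_rec (a version word equal to OSA_ADB_PRINC_VERSION_1 = 0x12345C01, then xdr_nullstring for the policy name, then aux_attributes, in which kadmin sets the KADM5_POLICY bit, 0x80, when a policy is attached), and that the dump writes tl_data contents as two hex digits per byte. The sample blobs are constructed for the example. Function names (tl_needs_policy_mask, kadm_data_policy, hex_decode, policy_name_of) are mine, not krb5's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrored from my recollection of kdb.h / kadm5 headers: assumptions, verify them. */
#define TL_KADM_DATA        0x0003      /* KRB5_TL_KADM_DATA */
#define OSA_PRINC_VERSION_1 0x12345C01  /* OSA_ADB_PRINC_VERSION_1 */
#define KADM5_POLICY_FLAG   0x00000080u /* KADM5_POLICY bit in aux_attributes */

enum { KADM_BAD = -1, KADM_NO_POLICY = 0, KADM_HAS_POLICY = 1 };

/* Read one big-endian 32-bit XDR word; fail on a short buffer. */
static int rd_u32(const unsigned char *b, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4)
        return 0;
    *out = ((uint32_t)b[*off] << 24) | ((uint32_t)b[*off + 1] << 16) |
           ((uint32_t)b[*off + 2] << 8) | (uint32_t)b[*off + 3];
    *off += 4;
    return 1;
}

/* Decode the leading fields of an XDR osa_princ_ent_rec: version, xdr_nullstring
 * policy (u32 length including the NUL, 0 for NULL, data padded to 4 bytes),
 * then aux_attributes.  Copies the name into pol and the flags into *aux_out. */
int kadm_data_policy(const unsigned char *buf, size_t len,
                     char *pol, size_t polsz, uint32_t *aux_out)
{
    size_t off = 0, padded;
    uint32_t version, size, aux;

    if (!rd_u32(buf, len, &off, &version) || version != OSA_PRINC_VERSION_1)
        return KADM_BAD;
    if (!rd_u32(buf, len, &off, &size))
        return KADM_BAD;
    if (size == 0) {                       /* policy == NULL: no data bytes follow */
        if (pol && polsz)
            pol[0] = '\0';
        if (!rd_u32(buf, len, &off, &aux))
            return KADM_BAD;
        if (aux_out)
            *aux_out = aux;
        return KADM_NO_POLICY;
    }
    padded = (size + 3) & ~(size_t)3;
    if (padded < size || padded > len - off)   /* overflow or truncated record */
        return KADM_BAD;
    if (buf[off + size - 1] != '\0')           /* xdr_nullstring requires a NUL */
        return KADM_BAD;
    if (pol) {
        if (size > polsz)
            return KADM_BAD;
        memcpy(pol, buf + off, size);
    }
    off += padded;
    if (!rd_u32(buf, len, &off, &aux))
        return KADM_BAD;
    if (aux_out)
        *aux_out = aux;
    /* A name without the KADM5_POLICY bit is inconsistent; refuse rather than guess. */
    return (aux & KADM5_POLICY_FLAG) ? KADM_HAS_POLICY : KADM_BAD;
}

/* Decode the two-hex-digits-per-byte form the dump uses for tl_data contents. */
size_t hex_decode(const char *hex, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    unsigned v;
    while (hex[0] != '\0' && hex[1] != '\0' && n < outsz) {
        if (sscanf(hex, "%2x", &v) != 1)
            return 0;
        out[n++] = (unsigned char)v;
        hex += 2;
    }
    return n;
}

/* For one tl_data entry (type + hex contents as read from the dump), decide
 * whether dbentry.mask should get KADM5_POLICY. */
int tl_needs_policy_mask(int tl_type, const char *hex, char *pol, size_t polsz)
{
    unsigned char raw[256];
    size_t n;
    if (tl_type != TL_KADM_DATA)
        return KADM_NO_POLICY;
    n = hex_decode(hex, raw, sizeof raw);
    return n ? kadm_data_policy(raw, n, pol, polsz, NULL) : KADM_BAD;
}

/* Returns the policy name, or "" when the entry carries none. */
const char *policy_name_of(int tl_type, const char *hex)
{
    static char pol[64];
    if (tl_needs_policy_mask(tl_type, hex, pol, sizeof pol) != KADM_HAS_POLICY)
        pol[0] = '\0';
    return pol;
}

/* Constructed samples (not from a real dump): version, policy, aux_attributes,
 * old_key_len, old_key_next, admin_history_kvno, old_keys count. */
#define SAMPLE_WITH_POLICY "12345c01" "00000008" "64656661756c7400" "00000080" \
                           "00000000" "00000000" "00000000" "00000000"
#define SAMPLE_NO_POLICY   "12345c01" "00000000" "00000000" \
                           "00000000" "00000000" "00000000" "00000000"

int main(void)
{
    printf("with policy: %d (%s)\n",
           tl_needs_policy_mask(TL_KADM_DATA, SAMPLE_WITH_POLICY, NULL, 0),
           policy_name_of(TL_KADM_DATA, SAMPLE_WITH_POLICY));
    printf("no policy:   %d\n", tl_needs_policy_mask(TL_KADM_DATA, SAMPLE_NO_POLICY, NULL, 0));
    return 0;
}
```

In the loop quoted above this would be called where the XXX comment sits, after the hex contents have been read for the entry, and the mask OR'd in only on KADM_HAS_POLICY; a KADM_BAD result is worth reporting rather than loading silently, since a principal that loses its policy reference loses its password-quality and lockout constraints.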
