Storing Master Key in LDAP

Simo Sorce ssorce at redhat.com
Wed Jan 29 19:08:07 EST 2014


----- Original Message -----
> On 01/29/2014 06:30 AM, Rachit Raj wrote:
> > The LDAP schema for Kerberos has attribute krbmkey to store master key. I
> > could not find any way to store master key into this attribute. Is there
> > any way to migrate master key from stash file to LDAP?
> 
> We don't use that schema attribute; it may be there for Novell
> eDirectory or it may not be used by anything.  Storing the master key in
> LDAP would seem to defeat the purpose of having a master key at all.

We use it in FreeIPA, but probably not in the way that Novell used it as I
could not find a reference at the time.

I also have to disagree on the "defeat the purpose" part.

Although KrbPrincipalKey attributes should be kept private, the master key is
an additional line of defense should the attributes of some users be leaked, as
long as the master key is not leaked.

And this is more common than it may be thought, as sometimes admins do searches
against the directory as the "Directory Manager" user (which has full access to
read the attribute), and may stick these searches in bug reports or other log files.

When keys are encrypted with a master key these kinds of "leaks" are less concerning.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
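The "additional line of defense" Simo describes, as an added illustration that is not code from MIT krb5, FreeIPA or the thread: per-principal keys are wrapped under a master key before they are written to the directory, so a search result pasted into a bug report by someone reading as "Directory Manager" exposes only wrapped blobs. The wrapping scheme (HMAC-SHA256 keystream in counter mode plus an HMAC tag, encrypt-then-MAC) is a stdlib-only stand-in for the enctype-based encryption the real KDB uses with the master key; the LDIF layout, principal names, key bytes and the master key value are all constructed for the example, and the real krbPrincipalKey attribute is an ASN.1 structure, not this simplified blob.

```python
"""Principal keys wrapped under a master key, and what a leaked directory
dump then reveals.  Illustrative stand-in only; not the krb5 or FreeIPA
on-disk format (see lead-in)."""
import base64
import hashlib
import hmac
import os
import re

# Constructed master key standing in for the contents of a stash file.
MASTER_KEY = hashlib.sha256(b"constructed master key, not a real stash").digest()

# Constructed per-principal long-term keys (32 bytes each).
PRINCIPAL_KEYS = {
    "alice@EXAMPLE.COM": bytes(range(32)),
    "host/kdc.example.com@EXAMPLE.COM": bytes(range(32, 64)),
}

NONCE_LEN, TAG_LEN = 16, 32


def _derive(master_key, label):
    # Separate encryption and MAC keys derived from the one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode to produce a keystream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(master_key, principal_key, nonce=None):
    """Encrypt-then-MAC a principal key. Layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(principal_key))
    ct = bytes(a ^ b for a, b in zip(principal_key, ks))
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(master_key, blob):
    """Verify the tag, then decrypt. Raises ValueError on a wrong master key
    or a tampered blob, so a guesser learns nothing from the plaintext path."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad master key or corrupted krbPrincipalKey")
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def build_leaked_dump(master_key, principal_keys):
    """Constructed LDIF-style output of a privileged search: this is the kind
    of text that ends up in a bug report. Keys appear only in wrapped form."""
    entries = []
    for principal, key in principal_keys.items():
        wrapped = base64.b64encode(wrap_key(master_key, key)).decode()
        entries.append(
            f"dn: krbPrincipalName={principal},cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com\n"
            f"krbPrincipalName: {principal}\n"
            f"krbPrincipalKey:: {wrapped}\n"
        )
    return "\n".join(entries)


def recover_keys_from_dump(dump, master_key):
    """What a reader of the dump can do with a candidate master key:
    the KDC (holding the stash) gets every key back; anyone else gets None."""
    recovered = {}
    for m in re.finditer(r"krbPrincipalName: (\S+)\nkrbPrincipalKey:: (\S+)", dump):
        principal, b64 = m.group(1), m.group(2)
        try:
            recovered[principal] = unwrap_key(master_key, base64.b64decode(b64))
        except ValueError:
            recovered[principal] = None
    return recovered


if __name__ == "__main__":
    leaked = build_leaked_dump(MASTER_KEY, PRINCIPAL_KEYS)
    print(leaked)
    print("with stash:", recover_keys_from_dump(leaked, MASTER_KEY) == PRINCIPAL_KEYS)
    print("without:", recover_keys_from_dump(leaked, b"\x00" * 32))
```

The point the example makes is the one in the message: the dump is exactly what a "Directory Manager" search returns, and its value to a reader depends entirely on whether they also hold the master key. If the master key were readable from the same directory with the same credentials, the two recoveries above would collapse into one.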

