Posted to dev@directory.apache.org by "Steve Moyer (JIRA)" <ji...@apache.org> on 2015/11/19 14:04:11 UTC

[jira] [Created] (DIRKRB-458) Update KrbOptions to include all KDC Option flags

Steve Moyer created DIRKRB-458:
----------------------------------

             Summary: Update KrbOptions to include all KDC Option flags
                 Key: DIRKRB-458
                 URL: https://issues.apache.org/jira/browse/DIRKRB-458
             Project: Directory Kerberos
          Issue Type: Bug
            Reporter: Steve Moyer


When creating a client request, one uses the KrbOptions to specify many aspects of the AsRequest. Most of the methods that retrieve tickets from the Kerberos server are simply for convenience - all the packets are structured in a similar way underneath.

The KDC Options are a collection of fifteen boolean flags that are spread out in a 32-bit field. Currently, not all the KDC Option flags are represented in the KrbOption enum, but those that are have the following structure:

{code}
FORWARDABLE("forwardable"),
NOT_FORWARDABLE("not forwardable"),
PROXIABLE("proxiable"),
NOT_PROXIABLE("not proxiable"),
{code}

The code I submitted as a resolution to DIRKRB-450 doesn't actually use the "NOT" flags (e.g. NOT_FORWARDABLE or NOT_PROXIABLE); it simply treats the absence of a flag as false. The changes made to manage the KDC Options bitmap in DIRKRB-449 allow the bitmap to be expressed as an integer, and the code included in DIRKRB-450 effectively builds that integer by logical-or'ing these flags together (e.g. FORWARDABLE | PROXIABLE | RENEWABLE_OK).

I'd like to propose that the KrbOption enum be updated to include all fifteen of the KDC Option flags, and that the "negatives" of those flags be removed.  For reference, the complete list of KDC Options is:

-   Forwardable
-   Forwarded
-   Proxiable
-   Proxy
-   Allow Postdate
-   Postdated
-   Renewable
-   Opt HW Auth
-   Constrained Delegation
-   Canonicalize
-   Disable
-   Renewable OK
-   Enc-Tkt-in-Skey
-   Renew
-   Validate

I've pushed the change to KrbOption for RENEWABLE_OK we discussed on the mailing list to GitHub (https://github.com/PennState/directory-kerby/blob/master/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java) but I think this is a better long-term solution to managing the KDC Options.

I'd be happy to re-edit the KrbOption file to make these changes - assign this issue to me if it makes sense in the grand scheme of things.



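The flag-only layout proposed in the message above, as an added example that is not Kerby's code and not part of the original post. The enum name `KdcOptionFlag` and its methods are hypothetical; the bit positions are an assumption taken from the KDCOptions definition in RFC 4120 (bit 14 from MS-SFU, bit 15 from RFC 6806), not from this page, and "Disable" is spelled out as `DISABLE_TRANSITED_CHECK`.

```java
import java.util.EnumSet;
import java.util.Set;

// Hypothetical enum, not Kerby's KrbOption. Bit 0 is the most significant
// bit of the 32-bit KDCOptions field, so bit n maps to 1 << (31 - n).
enum KdcOptionFlag {
    FORWARDABLE(1), FORWARDED(2), PROXIABLE(3), PROXY(4),
    ALLOW_POSTDATE(5), POSTDATED(6), RENEWABLE(8), OPT_HARDWARE_AUTH(11),
    CONSTRAINED_DELEGATION(14), CANONICALIZE(15),
    DISABLE_TRANSITED_CHECK(26), RENEWABLE_OK(27), ENC_TKT_IN_SKEY(28),
    RENEW(30), VALIDATE(31);

    private final int mask;

    KdcOptionFlag(int bit) {
        this.mask = 1 << (31 - bit);
    }

    int mask() {
        return mask;
    }

    // OR the masks together; a flag that is absent from the set is false,
    // so no NOT_* counterparts are needed.
    static int encode(Set<KdcOptionFlag> flags) {
        int bits = 0;
        for (KdcOptionFlag f : flags) {
            bits |= f.mask;
        }
        return bits;
    }

    // Recover the flag set. Rejecting bits that no flag defines is a choice
    // made for this example, so a malformed value is caught early.
    static Set<KdcOptionFlag> decode(int bits) {
        EnumSet<KdcOptionFlag> out = EnumSet.noneOf(KdcOptionFlag.class);
        int rest = bits;
        for (KdcOptionFlag f : values()) {
            if ((bits & f.mask) != 0) {
                out.add(f);
                rest &= ~f.mask;
            }
        }
        if (rest != 0) {
            throw new IllegalArgumentException(
                String.format("undefined KDC option bits: 0x%08X", rest));
        }
        return out;
    }
}
```

Calling `KdcOptionFlag.encode(EnumSet.of(KdcOptionFlag.FORWARDABLE, KdcOptionFlag.PROXIABLE, KdcOptionFlag.RENEWABLE_OK))` builds the same kind of integer the message describes as FORWARDABLE | PROXIABLE | RENEWABLE_OK, and `decode` turns it back into the flag set.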