Posted to dev@directory.apache.org by Enrique Rodriguez <en...@gmail.com> on 2007/05/11 00:57:02 UTC

[Kerberos] FYI, draft Kerberos schema

Hi, Directory developers,

FYI, I want to make you aware of an IETF draft "for storing Kerberos
version 5 information in LDAP directories." [1]  I just thought of
this because portions of this schema overlap the LDAP password policy
draft [2].  After the recent encryption types and password policy
work, we have maxed-out our current Kerberos schema.

Who knows if/when this draft will become an RFC, but it is well
thought out and reviewed and I'd like to start using portions of it
for features we already support.  The OIDs aren't defined, but we
could use our own.  The OIDs are easy to change later but wiring up
the protocols to the schema will be a bit of work.  Any thoughts on
whether we can/should adopt a draft?

I pinged the Novell authors, since the author of [2] is also at
Novell, so maybe there's no need for the overlap in password policy
and I was curious if they had any thoughts on licensing.

Enrique

[1] http://mailman.mit.edu/pipermail/kdc-schema/attachments/20060803/caceb865/draft-rajasekaran-kerberos-ldap-schema-01-0001.txt

[2] http://tools.ietf.org/html/draft-behera-ldap-password-policy-09

Re: [Kerberos] FYI, draft Kerberos schema

Posted by Alex Karasulu <ak...@apache.org>.
Thanks for keeping us up to date with this.  BTW Ersin has some contacts
over at Novell regarding the password policy draft.  I think he may even
have edit access to the draft over at Novell.

Alex

On 5/10/07, Enrique Rodriguez <en...@gmail.com> wrote:
>
> Hi, Directory developers,
>
> FYI, I want to make you aware of an IETF draft "for storing Kerberos
> version 5 information in LDAP directories." [1]  I just thought of
> this because portions of this schema overlap the LDAP password policy
> draft [2].  After the recent encryption types and password policy
> work, we have maxed-out our current Kerberos schema.
>
> Who knows if/when this draft will become an RFC, but it is well
> thought out and reviewed and I'd like to start using portions of it
> for features we already support.  The OIDs aren't defined, but we
> could use our own.  The OIDs are easy to change later but wiring up
> the protocols to the schema will be a bit of work.  Any thoughts on
> whether we can/should adopt a draft?
>
> I pinged the Novell authors, since the author of [2] is also at
> Novell, so maybe there's no need for the overlap in password policy
> and I was curious if they had any thoughts on licensing.
>
> Enrique
>
> [1]
> http://mailman.mit.edu/pipermail/kdc-schema/attachments/20060803/caceb865/draft-rajasekaran-kerberos-ldap-schema-01-0001.txt
>
> [2] http://tools.ietf.org/html/draft-behera-ldap-password-policy-09
>

Re: [Kerberos] FYI, draft Kerberos schema

Posted by Enrique Rodriguez <en...@gmail.com>.
On 5/10/07, Enrique Rodriguez <en...@gmail.com> wrote:
> ...
> I pinged the Novell authors, since the author of [2] is also at
> Novell, so maybe there's no need for the overlap in password policy
> and I was curious if they had any thoughts on licensing.

I found another issue with the Kerberos schema [1].  They don't store
the time at which keys were created.  When a key is exported from a
store to a keytab file, e.g. for use on a service host, the keytab entry
for each key has a timestamp field representing the time at which the
key was created.  I couldn't see how to determine the time at which a
key is created from the proposed schema, so I reported this to the
authors at Novell.

There is a 'krbLastPwdChange' which one could assume is the time the
keys were created, but this would only apply to keys derived from
passwords.  The semantics would be wrong for random keys generated for
a service host.

Enrique

[1] http://mailman.mit.edu/pipermail/kdc-schema/attachments/20060803/caceb865/draft-rajasekaran-kerberos-ldap-schema-01-0001.txt

[2] http://tools.ietf.org/html/draft-behera-ldap-password-policy-09
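The keytab timestamp field discussed above, as an added example that is not part of this thread or of ApacheDS: a minimal parser for the MIT version 2 keytab format that pulls the per-key creation time out of each entry, which is the value the proposed schema has no attribute for (a random service key has no password change to map to krbLastPwdChange). The principal, realm, key bytes and creation time in the sample are constructed, and the all-zero key is a placeholder.

```python
import struct
from datetime import datetime, timezone
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2; all fields big-endian

def _counted(buf, off):
    # uint16 length prefix followed by that many bytes; returns (bytes, new offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    # Returns one dict per live entry, including the per-key creation timestamp
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # negative size marks a deleted slot; skip over the hole
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, kvno = struct.unpack_from(">IIB", data, off)  # kvno here is the 8-bit field
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        if end - off >= 4:  # optional 32-bit kvno follows the key block and overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "created": datetime.fromtimestamp(ts, tz=timezone.utc)})
        off = end
    return entries

def build_entry(principal, ts, kvno, enctype, key, name_type=1):
    # Serialises one entry in the same layout; used here only to construct sample input
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample: a deleted 8-byte slot, then one aes128-cts-hmac-sha1-96 (enctype 17) key, kvno 3, created 2007-05-11T00:00:00Z
SAMPLE_KEYTAB = (KEYTAB_MAGIC + struct.pack(">i", -8) + bytes(8)
                 + build_entry("ldap/host.example.com@EXAMPLE.COM", 1178841600, 3, 17, bytes(16)))
```

Running `parse_keytab(SAMPLE_KEYTAB)` yields the single live entry with its `created` field set from the keytab timestamp; a directory-backed KDC that exports keytabs needs an equivalent per-key attribute to fill that field for non-password keys.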