Posted to dev@directory.apache.org by "Kai Zheng (JIRA)" <ji...@apache.org> on 2015/11/19 14:33:11 UTC

[jira] [Commented] (DIRKRB-458) Update KrbOptions to include all KDC Option flags

    [ https://issues.apache.org/jira/browse/DIRKRB-458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15013540#comment-15013540 ] 

Kai Zheng commented on DIRKRB-458:
----------------------------------

Hi Steve,

Thanks for this well documented proposal!
bq. it simply treats the absence of a flag as a false...I'd like to propose that the KrbOption enum be updated to include all fifteen of the KDC Option flags, and that the "negatives" of those flags be removed.
It sounds reasonable. Then *KrbClient* will be able to have enhancements to set such flags when adding support for more APIs.

> Update KrbOptions to include all KDC Option flags
> -------------------------------------------------
>
>                 Key: DIRKRB-458
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-458
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Steve Moyer
>            Assignee: Steve Moyer
>
> When creating a client request, one uses the KrbOptions to specify many aspects of the AsRequest.  Most of the methods that retrieve tickets from the Kerberos server are simply for convenience - all the packets are structured in a similar way underneath.
> The KDC Options are a collection of fifteen boolean flags that are spread out in a 32-bit field.  Currently, not all the KDC Option flags are represented in the KrbOption enum but those that are have the following structure:
> {code}
> FORWARDABLE("forwardable"),
> NOT_FORWARDABLE("not forwardable"),
> PROXIABLE("proxiable"),
> NOT_PROXIABLE("not proxiable"),
> {code}
> The code I submitted as a resolution to DIRKRB-450 doesn't actually use the "NOT" flags (e.g. NOT_FORWARDABLE or NOT_PROXIABLE); it simply treats the absence of a flag as a false.  The changes made to manage the KDC Options bitmap in DIRKRB-449 allow the bitmap to be expressed as an integer, and the code included in DIRKRB-450 effectively builds that integer by logical-or'ing these flags together (e.g. FORWARDABLE | PROXIABLE | RENEWABLE_OK).
> I'd like to propose that the KrbOption enum be updated to include all fifteen of the KDC Option flags, and that the "negatives" of those flags be removed.  For reference, the complete list of KDC Options is:
> -   Forwardable
> -   Forwarded
> -   Proxiable
> -   Proxy
> -   Allow Postdate
> -   Postdated
> -   Renewable
> -   Opt HW Auth
> -   Constrained Delegation
> -   Canonicalize
> -   Disable
> -   Renewable OK
> -   Enc-Tkt-in-Skey
> -   Renew
> -   Validate
> I've pushed the change to KrbOption for RENEWABLE_OK we discussed on the mailing list to GitHub (https://github.com/PennState/directory-kerby/blob/master/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java) but I think this is a better long-term solution to managing the KDC Options.
> I'd be happy to reedit the KrbOption file to make these changes - assign this issue to me if it makes sense in the grand scheme of things.


