Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@apache.org> on 2007/06/20 21:13:26 UTC

Kerberos Kadmin GUI

Hi guys,

IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, an SWT 
implementation:
http://www.alphaworks.ibm.com/tech/nasgui

It seems to be an interesting tool, and I'm thinking we should have such 
a GUI in Apache Directory Studio.

Wdyt ?

Emmanuel

Re: Kerberos Kadmin GUI

Posted by Alex Karasulu <ak...@apache.org>.
I guess as long as we have a convenient mechanism for adding, removing and
updating Kerberos users and passwords then we should be OK.  How this is
done is not that important right now, but may be from a security
perspective.
As long as SASL and SSL are being used via LDAP we can trust such operations
in production environments.

I don't know if the state of the changepw protocol with the new capabilities
you mentioned is even viable right now, but perhaps they will be later, in
which case we can enable 2 separate mechanisms for managing Kerberos users.

Alex

On 6/22/07, Enrique Rodriguez <en...@gmail.com> wrote:
>
> On 6/21/07, Emmanuel Lecharny <el...@apache.org> wrote:
> > Enrique Rodriguez wrote:
> > > ...
> > > We can do most of what we need with the LDAP protocol and our X.500
> > > ACI.
> >
> > Sure, but I think a GUI is great to have to avoid complex manipulation
> > of such elements. We already have an ACI editor in Apache Directory
> > Studio, we just need a specific interface for Kerberos admin, I guess.
>
> I agree.  I don't think users should have to directly manipulate
> attributes and know ACI syntax.  A tool would be great.  My point was
> more that the protocol to do this with should be LDAP and not Kadmin.
>
> > ...
> > Can we have a status for those RFCs and drafts ?
>
> I will start one here:
>
> http://cwiki.apache.org/confluence/display/DIRxSBOX/Kerberos+RFC+Support
>
> Enrique
>

Re: Kerberos Kadmin GUI

Posted by Enrique Rodriguez <en...@gmail.com>.
On 6/21/07, Emmanuel Lecharny <el...@apache.org> wrote:
> Enrique Rodriguez wrote:
> > ...
> > We can do most of what we need with the LDAP protocol and our X.500
> > ACI.
>
> Sure, but I think a GUI is great to have to avoid complex manipulation
> of such elements. We already have an ACI editor in Apache Directory
> Studio, we just need a specific interface for Kerberos admin, I guess.

I agree.  I don't think users should have to directly manipulate
attributes and know ACI syntax.  A tool would be great.  My point was
more that the protocol to do this with should be LDAP and not Kadmin.

> ...
> Can we have a status for those RFCs and drafts ?

I will start one here:

http://cwiki.apache.org/confluence/display/DIRxSBOX/Kerberos+RFC+Support

Enrique

Re: Kerberos Kadmin GUI

Posted by Enrique Rodriguez <en...@gmail.com>.
On 6/21/07, Emmanuel Lecharny <el...@apache.org> wrote:
> ...
> > A few additional functions are covered by the upcoming
> > Set/Change Protocol v2, an update of the Change Password protocol.
>
> You mean
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-06.txt,
> I guess.

If anyone reviews this, they should look at the 05 version.  The 06
was somehow munged and is missing the entire operation and ASN.1
sections:

http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-05

Enrique

Re: Kerberos Kadmin GUI

Posted by Emmanuel Lecharny <el...@apache.org>.
Enrique Rodriguez wrote:

> On 6/20/07, Emmanuel Lecharny <el...@apache.org> wrote:
>
>> Hi guys,
>>
>> IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, an SWT
>> implementation:
>> http://www.alphaworks.ibm.com/tech/nasgui
>>
>> It seems to be an interesting tool, and I'm thinking we should have such
>> a GUI in Apache Directory Studio.
>>
>> Wdyt ?
>
>
> I think it would be great if AD Studio supported Kerberos
> administration.  However, this IBM tool is using the Kadmin protocol,
> which is specific to the MIT Kerberos implementation.

I was not thinking specifically of Kadmin, but of something more 
comfortable, as soon as we have some specification to give to our GUI team.

> I think with
> the protocols we have, we shouldn't support kadmin.  I, for one, won't
> be putting any effort towards Kadmin.  You'll note the IBM tool is
> using JNI to MIT's library.
>
> You can get a feel for the basic Kerberos principal functions we need
> from this Kadmin overview.
>
> http://docs.hp.com/en/5991-7685/ch08s37.html
>
> We can do most of what we need with the LDAP protocol and our X.500
> ACI.  

Sure, but I think a GUI is great to have to avoid complex manipulation 
of such elements. We already have an ACI editor in Apache Directory 
Studio, we just need a specific interface for Kerberos admin, I guess.

The question is what it should look like, and what functionalities it 
must contain.

> A few additional functions are covered by the upcoming
> Set/Change Protocol v2, an update of the Change Password protocol.

You mean 
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-06.txt, 
I guess.

>
> As for timing, I think it makes sense to hold off a bit longer.  There
> are 2 RFC's in the works:  (1) the aforementioned Set/Change Protocol
> v2 and (2) a possible informative RFC regarding an LDAP schema for
> Kerberos.  The new Set/Change Protocol adds some important key
> management functions and the LDAP schema supports many more features
> than our existing schema.  I think once implementation of these draft
> RFC's has stabilized then we can look at adding GUI for principal
> admin.  I was hoping to get to both of these later this year.

It would be good to have a page like 
http://cwiki.apache.org/confluence/display/DIRxSRVx10/Ldap+related+RFCs 
where we have a clear view of what has been implemented and what has 
not, including a roadmap for the drafts we intend to implement.

Here is a list of all the Kerberos working group drafts and RFCs:

Generating KDC Referrals to Locate Kerberos Realms <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-09.txt> (36370 bytes)
Kerberos Set/Change Key/Password Protocol Version 2 <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-06.txt> (32882 bytes)
A Generalized Framework for Kerberos Pre-Authentication <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-05.txt> (84108 bytes)
The Kerberos Network Authentication Service (Version 5) <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-rfc1510ter-04.txt> (222275 bytes)
ECC Support for PKINIT <http://www.ietf.org/internet-drafts/draft-zhu-pkinit-ecc-03.txt> (21007 bytes)
Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-tcp-expansion-02.txt> (14367 bytes)
Anonymity Support for Kerberos <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-anon-03.txt> (23897 bytes)
Additional Kerberos Naming Constraints <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-naming-03.txt> (13553 bytes)
PK-INIT Cryptographic Algorithm Agility <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-pkinit-alg-agility-02.txt> (29698 bytes)
Kerberos Version 5 GSS-API Channel Binding Hash Agility <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-gss-cb-hash-agility-01.txt> (12607 bytes)

Request For Comments:

AES Encryption for Kerberos 5 (RFC 3962) <http://www.ietf.org/rfc/rfc3962.txt> (32844 bytes)
Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) <http://www.ietf.org/rfc/rfc3961.txt> (111865 bytes)
The Kerberos Network Authentication Service (V5) (RFC 4120) <http://www.ietf.org/rfc/rfc4120.txt> (340314 bytes) obsoletes RFC 1510 / updated by RFC 4537
The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) <http://www.ietf.org/rfc/rfc4121.txt> (43945 bytes) updates RFC 1964
Kerberos Cryptosystem Negotiation Extension (RFC 4537) <http://www.ietf.org/rfc/rfc4537.txt> (11166 bytes) updates RFC 4120
Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) <http://www.ietf.org/rfc/rfc4557.txt> (11593 bytes)
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) <http://www.ietf.org/rfc/rfc4556.txt> (100339 bytes)


Can we have a status for those RFCs and drafts ?

Thanks.

Emmanuel


Re: Kerberos Kadmin GUI

Posted by Enrique Rodriguez <en...@gmail.com>.
On 6/20/07, Emmanuel Lecharny <el...@apache.org> wrote:
> Hi guys,
>
> IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, an SWT
> implementation:
> http://www.alphaworks.ibm.com/tech/nasgui
>
> It seems to be an interesting tool, and I'm thinking we should have such
> a GUI in Apache Directory Studio.
>
> Wdyt ?

I think it would be great if AD Studio supported Kerberos
administration.  However, this IBM tool is using the Kadmin protocol,
which is specific to the MIT Kerberos implementation.  I think with
the protocols we have, we shouldn't support kadmin.  I, for one, won't
be putting any effort towards Kadmin.  You'll note the IBM tool is
using JNI to MIT's library.

You can get a feel for the basic Kerberos principal functions we need
from this Kadmin overview.

http://docs.hp.com/en/5991-7685/ch08s37.html

We can do most of what we need with the LDAP protocol and our X.500
ACI.  A few additional functions are covered by the upcoming
Set/Change Protocol v2, an update of the Change Password protocol.

As for timing, I think it makes sense to hold off a bit longer.  There
are 2 RFC's in the works:  (1) the aforementioned Set/Change Protocol
v2 and (2) a possible informative RFC regarding an LDAP schema for
Kerberos.  The new Set/Change Protocol adds some important key
management functions and the LDAP schema supports many more features
than our existing schema.  I think once implementation of these draft
RFC's has stabilized then we can look at adding GUI for principal
admin.  I was hoping to get to both of these later this year.

Enrique
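The principal lifecycle the thread settles on (add, change password, remove, driven over LDAP rather than kadmin, with X.500 ACI deciding who may do it) as an added example; this is not code from the ApacheDS or Apache Directory Studio projects. It is a stdlib-only Python module that emits RFC 2849 LDIF change records a client could feed to the directory, doing the attribute handling a user should not have to do by hand: principal name validation, RFC 4514 DN escaping, base64 encoding of values that are not LDIF SAFE-STRINGs, and line folding. It assumes a krb5-kdc style schema (objectClasses krb5Principal and krb5KDCEntry, attributes krb5PrincipalName and krb5KeyVersionNumber), the container ou=users,dc=example,dc=com, and a server that derives the Kerberos keys itself when userPassword is replaced; all three are assumptions about the deployment, and the ACI that authorizes the operations is not shown.

```python
"""Emit RFC 2849 LDIF change records for the Kerberos principal lifecycle
(add / change password / remove) so a client can drive the KDC store over
LDAP instead of kadmin.  Added example, not ApacheDS or Directory Studio
code.  Assumptions: krb5-kdc style schema (objectClasses krb5Principal and
krb5KDCEntry, attributes krb5PrincipalName and krb5KeyVersionNumber), the
container BASE_DN below, and a server that derives the Kerberos keys itself
when userPassword is replaced.  Who may apply these records is left to the
server's ACI, as the thread proposes."""
import base64
import re

BASE_DN = "ou=users,dc=example,dc=com"  # assumed container for principals
# primary[/instance]@REALM with an upper-case realm; strict on purpose
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)?@[A-Z0-9.-]+$")


def parse_principal(name):
    """Return (local, realm) for 'primary[/instance]@REALM', else ValueError."""
    if not PRINCIPAL_RE.match(name):
        raise ValueError("bad principal name: %r" % (name,))
    local, realm = name.rsplit("@", 1)
    return local, realm


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 section 2.4."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;' or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """'name: value', or 'name:: base64' when value is not a SAFE-STRING."""
    if isinstance(value, str):
        raw = value.encode("utf-8")
        if raw[:1] not in (b" ", b":", b"<") and not any(
                b in (0, 10, 13) or b > 127 for b in raw):
            return "%s: %s" % (name, value)
    else:
        raw = bytes(value)
    return "%s:: %s" % (name, base64.b64encode(raw).decode("ascii"))


def fold(line, width=76):
    """Fold long lines; continuation lines start with one space (RFC 2849)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def dn_for(name):
    """DN of the principal's entry; the RDN is the local part of the name."""
    local, _ = parse_principal(name)
    return "uid=%s,%s" % (escape_rdn_value(local), BASE_DN)


def _record(dn, body):
    return "\n".join(fold(l) for l in ["dn: " + dn] + body) + "\n"


def add_principal(name, password, kvno=1):
    """Add record: one entry per principal; the server keys the password."""
    local, _ = parse_principal(name)
    primary = local.split("/")[0]
    return _record(dn_for(name), [
        "changetype: add",
        "objectClass: top",
        "objectClass: inetOrgPerson",
        "objectClass: krb5Principal",
        "objectClass: krb5KDCEntry",
        ldif_attr("uid", local),
        ldif_attr("cn", primary),
        ldif_attr("sn", primary),
        ldif_attr("krb5PrincipalName", name),
        ldif_attr("krb5KeyVersionNumber", str(kvno)),
        ldif_attr("userPassword", password),
    ])


def change_password(name, new_password, new_kvno):
    """Modify record: replace the password and bump the key version number."""
    return _record(dn_for(name), [
        "changetype: modify",
        "replace: userPassword",
        ldif_attr("userPassword", new_password),
        "-",
        "replace: krb5KeyVersionNumber",
        ldif_attr("krb5KeyVersionNumber", str(new_kvno)),
        "-",
    ])


def remove_principal(name):
    """Delete record for the principal's entry."""
    return _record(dn_for(name), ["changetype: delete"])


if __name__ == "__main__":
    print(add_principal("alice@EXAMPLE.COM", "s3cret pass"))
    print(change_password("ldap/kdc.example.com@EXAMPLE.COM", " new", 2))
    print(remove_principal("alice@EXAMPLE.COM"))
```

The records are applied with whatever LDAP client the deployment already trusts; the point Alex raises still holds, so that client should bind over TLS with SASL (or at least a simple bind over TLS) before sending a userPassword replace, and the ACI on the container decides which bound identity may add, modify or delete the principal entries.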