Ersin Er wrote:
> Hi all,
>
> Are there any volunteers who can provide (a part of) their LDAP
> directory information base so that we can take it as a sample in our
> LDAP Triggers related documents? ...
Hi, Ersin,
I would like to use triggers to allow standard LDAP and JNDI-based admin
of user principals in conjunction with symmetric key derivation for the
Kerberos and Change Password protocol providers.
We have a need, with Apache Directory as a "realm controller", to derive
symmetric keys from plain text passwords, for use by the Kerberos and
Change Password protocols. Currently we have been generating keys from
passwords in LDIF files using a custom "Kerberos-aware" LDIF reader in
the 'protocol-common' module. This LDIF reader is further wrapped as a
'load' Command for the Felix OSGi console.
The basic steps needed are:
1) Plaintext passwords are submitted as the 'userPassword' attribute in
the 'inetOrgPerson' object class. Submission could be by LDAP protocol
or JNDI, but for realm control use cases, I expect the submission method
to be the RFC 3244 Change Password Protocol, which uses Kerberos itself
to ensure the secure transmission of the plaintext password.
2) Inside ApacheDS we would convert plaintext passwords using a
standard string-to-key algorithm. We then store 1 or more of the
derived symmetric keys using the 'krb5KDCEntry' object class from
krb5kdc.schema, having attributes:
a) krb5Key - key material, bytes.
b) krb5EncryptionType - key type, e.g. "3" for DES.
c) krb5KeyVersionNumber - key version, serially incremented positive
integer.
3) The Kerberos and Change Password protocol providers use JNDI to
retrieve the secret key bytes for use in standard Kerberos/Change
Password operation.
By using triggers we can address this need server-side, and not require
any custom client side logic to derive keys from passwords. This will
make the use of Apache Directory with Kerberos much easier.
Enrique
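The three steps above (plaintext userPassword in, string-to-key, krb5KDCEntry attributes out with an incremented kvno) as a worked example in Go. This is an added illustration, not ApacheDS code and not anything from the thread. It uses the AES-128 string-to-key of RFC 3962 (enctype 17) because that derivation is fully specified as PBKDF2-HMAC-SHA1 followed by one AES block operation, rather than the DES enctype 3 the mail gives as its example; the n-fold("kerberos") constant is the RFC 3961 value and the iteration count and salt defaults are the RFC 3962 ones. The names KDCEntry, OnUserPasswordChange, AES128StringToKey and DefaultSalt are hypothetical; the stand-alone run uses the principal raeburn@ATHENA.MIT.EDU from the RFC 3962 Appendix B test vectors as a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Enctype number for aes128-cts-hmac-sha1-96 (RFC 3962); stored as krb5EncryptionType.
const EnctypeAES128CTSHMACSHA196 = 17

// DefaultIterations is the RFC 3962 default PBKDF2 iteration count.
const DefaultIterations = 4096

// nfoldKerberos128 is n-fold("kerberos") to 128 bits, the DK constant for the
// AES-128 string-to-key (value from RFC 3961 section 5.1).
var nfoldKerberos128 = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// pbkdf2HmacSha1 is PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, written out
// here so the example needs only the Go standard library.
func pbkdf2HmacSha1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)            // U_1
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// AES128StringToKey implements RFC 3962 string-to-key for enctype 17:
//   tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, 16 bytes)
//   key  = DK(tkey, "kerberos")
// For a single AES block the CBC-CTS encryption in DK reduces to encrypting
// n-fold("kerberos") under tkey with plain AES.
func AES128StringToKey(password, salt string, iterations int) ([]byte, error) {
	tkey := pbkdf2HmacSha1([]byte(password), []byte(salt), iterations, 16)
	c, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 16)
	c.Encrypt(key, nfoldKerberos128)
	return key, nil
}

// DefaultSalt is the RFC 3962 default salt: the realm followed by the
// principal's name components, with no separators.
func DefaultSalt(realm string, components ...string) string {
	s := realm
	for _, c := range components {
		s += c
	}
	return s
}

// KDCEntry mirrors the three krb5KDCEntry attributes listed in the mail.
type KDCEntry struct {
	Key              []byte // krb5Key
	EncryptionType   int    // krb5EncryptionType
	KeyVersionNumber int    // krb5KeyVersionNumber
}

// OnUserPasswordChange is the hypothetical trigger body: run server-side when
// userPassword is written, it derives the key and bumps the key version so
// the plaintext never has to leave the directory server for key derivation.
func OnUserPasswordChange(e *KDCEntry, realm, principal, password string, iterations int) error {
	key, err := AES128StringToKey(password, DefaultSalt(realm, principal), iterations)
	if err != nil {
		return err
	}
	e.Key = key
	e.EncryptionType = EnctypeAES128CTSHMACSHA196
	e.KeyVersionNumber++
	return nil
}

func main() {
	// Constructed sample principal, taken from the RFC 3962 Appendix B vectors.
	var e KDCEntry
	if err := OnUserPasswordChange(&e, "ATHENA.MIT.EDU", "raeburn", "password", DefaultIterations); err != nil {
		panic(err)
	}
	fmt.Printf("krb5Key=%s krb5EncryptionType=%d krb5KeyVersionNumber=%d\n",
		hex.EncodeToString(e.Key), e.EncryptionType, e.KeyVersionNumber)
}
```

With iterations set to 1 the code reproduces the first RFC 3962 Appendix B vector (PBKDF2 output cdedb528...3515, AES key 42263c6e...9f15), which is the check to run before wiring a derivation like this into a trigger; in production the iteration count stays at the default 4096 and the entry is written back as a single atomic modification so the key and the kvno never disagree.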