directory-dev mailing list archives

From: Enrique Rodriguez
Subject: Re: LDAP Triggers use cases: Need for real world data
Date: Fri, 23 Jun 2006 01:56:16 GMT

Ersin Er wrote:
> Hi all,
> Are there any volunteers who can provide (a part of) their LDAP
> directory information base so that we can take it as a sample in our
> LDAP Triggers related documents ? ...

Hi, Ersin,

I would like to use triggers to allow standard LDAP and JNDI-based admin 
of user principals in conjunction with symmetric key derivation for the 
Kerberos and Change Password protocol providers.

We have a need, with Apache Directory as a "realm controller", to derive 
symmetric keys from plain text passwords, for use by the Kerberos and 
Change Password protocols.  Currently we have been generating keys from 
passwords in LDIF files using a custom "Kerberos-aware" LDIF reader in 
the 'protocol-common' module.  This LDIF reader is further wrapped as a 
'load' Command for the Felix OSGi console.

The basic steps needed are:

1)  Plaintext passwords are submitted as the 'userPassword' attribute in 
the 'inetOrgPerson' object class.  Submission could be by LDAP protocol 
or JNDI, but for realm control use cases, I expect the submission method 
to be the RFC 3244 Change Password Protocol, which uses Kerberos itself 
to ensure the secure transmission of the plaintext password.

2)  Inside ApacheDS we would convert plaintext passwords using a 
standard string-to-key algorithm.  We then store 1 or more of the 
derived symmetric keys using the 'krb5KDCEntry' object class from 
krb5kdc.schema, having attributes:
   a)  krb5Key - key material, bytes.
   b)  krb5EncryptionType - key type, e.g. "3" for DES.
   c)  krb5KeyVersionNumber - key version, serially incremented positive 

3)  The Kerberos and Change Password protocol providers use JNDI to 
retrieve the secret key bytes for use in standard Kerberos/Change 
Password operation.

By using triggers we can address this need server-side, and not require 
any custom client side logic to derive keys from passwords.  This will 
make the use of Apache Directory with Kerberos much easier.
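
Step 2 of the message, carried through for the DES case it mentions (encryption type 3): this is an added example, not part of the original message and not ApacheDS code. It follows the DES string-to-key procedure of RFC 3961; the class name, the UTF-8 encoding, the salt (realm plus principal name) and the printed key version number are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class DesStringToKey { // hypothetical class name
    // Force odd parity on every byte, then apply the RFC 3961 fix-up that
    // moves a weak or semi-weak DES key to a usable one.
    static byte[] correct(byte[] k) throws Exception {
        for (int i = 0; i < 8; i++) {
            int hi = k[i] & 0xFE;
            k[i] = (byte) (hi | ((Integer.bitCount(hi) & 1) ^ 1));
        }
        if (DESKeySpec.isWeak(k, 0)) k[7] ^= (byte) 0xF0;
        return k;
    }

    static byte[] stringToKey(String password, String salt) throws Exception {
        byte[] raw = (password + salt).getBytes(StandardCharsets.UTF_8); // encoding is an assumption
        if (raw.length == 0) throw new IllegalArgumentException("empty password and salt");
        byte[] s = Arrays.copyOf(raw, (raw.length + 7) / 8 * 8); // zero-pad to 8-byte blocks
        byte[] fold = new byte[8];
        for (int off = 0; off < s.length; off += 8) {
            boolean reversed = (off / 8) % 2 == 1; // every second block is bit-reversed
            for (int i = 0; i < 8; i++) {
                int b = s[off + i] & 0x7F; // keep the low 7 bits of each byte
                if (reversed) fold[7 - i] ^= (byte) (Integer.reverse(b) >>> 25);
                else fold[i] ^= (byte) b;
            }
        }
        for (int i = 0; i < 8; i++) fold[i] <<= 1; // leave bit 0 free for parity
        byte[] tempKey = correct(fold);
        // DES-CBC checksum of the padded input, with tempKey as both key and IV.
        Cipher des = Cipher.getInstance("DES/CBC/NoPadding");
        des.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(tempKey, "DES"), new IvParameterSpec(tempKey));
        byte[] ct = des.doFinal(s);
        return correct(Arrays.copyOfRange(ct, ct.length - 8, ct.length));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; a trigger would take the password from 'userPassword'.
        byte[] key = stringToKey("password", "ATHENA.MIT.EDUraeburn");
        System.out.println("krb5Key:: " + Base64.getEncoder().encodeToString(key));
        System.out.println("krb5EncryptionType: 3");
        System.out.println("krb5KeyVersionNumber: 1"); // constructed starting value
    }
}
```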

