directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ersin Er <>
Subject Re: LDAP Triggers use cases: Need for real world data
Date Fri, 23 Jun 2006 08:02:38 GMT
Enrique Rodriguez wrote:
> Ersin Er wrote:
>> Hi all,
>> Are there any volunteers who can provide (a part of) their LDAP
>> directory information base so that we can take it as a sample in our
>> LDAP Triggers related documents ? ...
> Hi, Ersin,
Hi Enrique! First of all, thanks for the response. I want to further
discuss on this but I have a few questions now.
> I would like to use triggers to allow standard LDAP and JNDI-based
> admin of user principals in conjunction with symmetric key derivation
> for the Kerberos and Change Password protocol providers.
> We have a need, with Apache Directory as a "realm controller", to
> derive symmetric keys from plain text passwords, for use by the
> Kerberos and Change Password protocols.  Currently we have been
> generating keys from passwords in LDIF files using a custom
> "Kerberos-aware" LDIF reader in the 'protocol-common' module.  This
> LDIF reader is further wrapped as a 'load' Command for the Felix OSGi
> console.
So the Change Password Protocol provider is currently able to do this
generation/conversion but the Core and LDAP Protocol Provider are not
aware of this, right?
> The basic steps needed are:
> 1)  Plaintext passwords are submitted as the 'userPassword' attribute
> in the 'inetOrgPerson' object class.  Submission could be by LDAP
> protocol or JNDI, but for realm control use cases, I expect the
> submission method to be the RFC 3244 Change Password Protocol, which
> uses Kerberos itself to ensure the secure transmission of the
> plaintext password.
OK, so we'll have Triggers for modification type operations for the
ou=Users based subtree. Is it reasonable to do this with an AFTER
Trigger so that the Kerberos related attributes will be updated just
after the entry has been added/modified? Because I'm not sure whether
we'll support modification of request parameters inside triggered stored
> 2)  Inside ApacheDS we would convert plaintext passwords using a
> standard string-to-key algorithm.  We then store 1 or more of the
> derived symmetric keys using the 'krb5KDCEntry' object class from
> krb5kdc.schema, having attributes:
>   a)  krb5Key - key material, bytes.
>   b)  krb5EncryptionType - key type, eg "3" for DES.
>   c)  krb5KeyVersionNumber - key version, serially incremented
> positive integer
So each update of userPassword attribute will trigger update of krb5Key
attribute. (BTW, we do not have attribute level Triggers.)
> 3)  The Kerberos and Change Password protocol providers use JNDI to
> retrieve the secret key bytes for use in standard Kerberos/Change
> Password operation.
> By using triggers we can address this need server-side, and not
> require any custom client side logic to derive keys from passwords. 
> This will make the use of Apache Directory with Kerberos much easier.
More hints are welcome ;-) We may also have an IRC session on
implementing this. I'll finish the preliminary version of triggers for
playing with in a few days.

[ Well, while I was writing this email I've looked at the code you
mentioned and this does not seem hard to implement. ]
> Enrique

View raw message