directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject [Kerberos] Encryption types branch stabilized
Date Mon, 07 May 2007 01:59:08 GMT
Hi, Directory developers,

Work in the kerberos-encryption-types branch has now stabilized.  I'll
be doing more interop testing over the next week and I can think of
some minor refactoring and other enhancements but everything is pretty
much working.  I just checked in a server.xml in server-main in the
branch that shows how to enable Kerberos and Change Password, how to
enable the encryption types, and where the KeyDerivationService
interceptor needs to be inserted.  So ...

1)  The branch now supports the following encryption types:

aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
des3-cbc-sha1-kd
des-cbc-md5
des-cbc-crc

This addresses JIRA issues:

(DIRSERVER-141) Add DES3-CBC-SHA1-KD encryption system
(DIRSERVER-142) Add support for AES encryption types
(DIRSERVER-153) Make encryption system selection configurable

2)  We now support automatic centralized key generation for Kerberos
principals, using a KeyDerivationService interceptor.  This
interceptor will produce the following key types:

DES
DES3
AES128
AES256
RC4-HMAC

This addresses JIRA issue:

(DIRSERVER-897) Support automatic centralized key generation for
Kerberos principals

With the "key derivation" interceptor inserted in the service chain,
changes to the 'userPassword' attribute now result in automatic key
derivation or generation for Kerberos principals.  If the special
keyword 'randomKey' is used, the principal receives random keys.

The interceptor works great whether the 'userPassword' is changed over
the LDAP protocol, by the ChangePassword protocol, or by LDIF load.
This is a testament to the interceptor service chain in the core.  The
interceptor will make working with Kerberos principals much easier.

Enrique
