directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Preferred command-line client library
Date Thu, 10 May 2007 22:31:54 GMT
Hi, Directory developers,

I started working towards "supporting Kerberos key provisioning
(export)" (DIRSERVER-898).  I got it working in unit tests.  By adding
a service principal to the DIT by LDAP, with 'userPassword' set to
"randomKey," the KeyDerivationService creates 5 Kerberos keys for the
principal.  These random keys then need to be read from the DIT and
written to a file, so they can be used with Kerberized services.  For
example, if you want to use SSHD or OpenLDAP server using Kerberos
credentials you need to put these keys on the service host, similar to
how you configure an SSL cert for Apache HTTPD.

The unit tests write to a file that looks like this when read using
'klist' (I truncated the output for emailing):

$ klist -5ket /path/to/test.keytab
Keytab name: FILE:/path/to/test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   0 05/09/07 19:14:10 ldap/ldap.example.com@EXAMPLE.COM (AES-128 CTS mode ...
   0 05/09/07 19:14:10 ldap/ldap.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   0 05/09/07 19:14:10 ldap/ldap.example.com@EXAMPLE.COM (Triple DES cbc mode ...
   0 05/09/07 19:14:10 ldap/ldap.example.com@EXAMPLE.COM (AES-256 CTS mode ...
   0 05/09/07 19:14:10 ldap/ldap.example.com@EXAMPLE.COM (DES cbc mode with ...

Anyway, I want to make this into a command-line client, so I was
wondering whether you can recommend a CLI library?  I'm anticipating some
command-line arguments.  Or is it better to just roll my own quick CLI
helper?

Enrique
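To make concrete what the keytab file the unit tests write looks like on disk, here is an added example (not ApacheDS code and not part of Enrique's message) that encodes and parses the MIT version-2 keytab layout that klist reads. The principal, kvno, timestamp and key bytes in the test are constructed sample values; the enctype numbers are the RFC 3961/3962/4757 assignments for the five key types in the klist listing above.

```python
import struct
KEYTAB_V2 = b"\x05\x02"   # MIT keytab file format version 0x0502 (big-endian fields)
# enctype numbers (RFC 3961/3962/4757) for the key types in the klist listing above
ENCTYPES = {"des-cbc-md5": 3, "des3-cbc-sha1": 16, "aes128-cts-hmac-sha1-96": 17,
            "aes256-cts-hmac-sha1-96": 18, "arcfour-hmac": 23}

def _counted(data: bytes) -> bytes:   # keytab counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(data)) + data

def encode_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int) -> bytes:
    """Encode one v2 entry: int32 size, then the entry body."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type KRB5_NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
    body += struct.pack(">I", kvno)                          # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

def write_keytab(entries, timestamp: int) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key); returns the file bytes."""
    return KEYTAB_V2 + b"".join(encode_entry(p, v, e, k, timestamp) for p, v, e, k in entries)

def read_keytab(data: bytes):
    """Parse a v2 keytab back into [(principal, kvno, enctype, key), ...]."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size < 0:                 # a negative size marks a deleted entry: skip it
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack(">H", data[p:p + 2]); p += 2
        parts = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack(">H", data[p:p + 2]); p += 2
            parts.append(data[p:p + n].decode()); p += n
        _, _, vno8 = struct.unpack(">IIB", data[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", data[p:p + 4]); p += 4
        key = data[p:p + klen]; p += klen
        kvno = struct.unpack(">I", data[p:p + 4])[0] if end - p >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype, key))
        off = end
    return entries
```

Writing the bytes returned by write_keytab to a file with mode 0600 gives a keytab that klist -ket can list; the key material itself stays as sensitive as the service's long-term password.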
