directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: Kerberos Kadmin GUI
Date Thu, 21 Jun 2007 23:02:36 GMT
Enrique Rodriguez wrote:

> On 6/20/07, Emmanuel Lecharny <elecharny@apache.org> wrote:
>
>> Hi guys,
>>
>> IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, a SWT
>> implementation :
>> http://www.alphaworks.ibm.com/tech/nasgui
>>
>> It seems to be an interesting tool, and I'm thinking we should have such
>> a GUI in Apache Directory Studio.
>>
>> Wdyt ?
>
>
> I think it would be great if AD Studio supported Kerberos
> administration.  However, this IBM tool is using the Kadmin protocol,
> which is specific to the MIT Kerberos implementation.

I was not thinking specifically of Kadmin, but something more 
comfortable, as soon as we have some specification to give to our GUI team.

> I think with
> the protocols we have, we shouldn't support kadmin.  I, for one, won't
> be putting any effort towards Kadmin.  You'll note the IBM tool is
> using JNI to MIT's library.
>
> You can get a feel for the basic Kerberos principal functions we need
> from this Kadmin overview.
>
> http://docs.hp.com/en/5991-7685/ch08s37.html
>
> We can do most of what we need with the LDAP protocol and our X.500
> ACI.  

Sure, but I think a GUI is great to have to avoid complex manipulation 
of such elements. We already have an ACI editor in Apache Directory 
Studio, we just need a specific interface for Kerberos admin, I guess.

The question is what it should look like, and what functionalities it 
must contain.

> A few additional functions are covered by the upcoming
> Set/Change Protocol v2, an update of the Change Password protocol.

You mean 
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-06.txt, 
I guess.

>
> As for timing, I think it makes sense to hold off a bit longer.  There
> are 2 RFC's in the works:  (1) the aforementioned Set/Change Protocol
> v2 and (2) a possible informative RFC regarding an LDAP schema for
> Kerberos.  The new Set/Change Protocol adds some important key
> management functions and the LDAP schema supports many more features
> than our existing schema.  I think once implementation of these draft
> RFC's has stabilized then we can look at adding GUI for principal
> admin.  I was hoping to get to both of these later this year.

It would be good to have a page like 
http://cwiki.apache.org/confluence/display/DIRxSRVx10/Ldap+related+RFCs 
where we have a clear view of what has been implemented, and what is 
not, including a roadmap for the drafts we intend to implement.

Here is a list of all the Kerberos working group drafts and RFCs:

Generating KDC Referrals to Locate Kerberos Realms
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-09.txt> (36370 bytes)
Kerberos Set/Change Key/Password Protocol Version 2
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-06.txt> (32882 bytes)
A Generalized Framework for Kerberos Pre-Authentication
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-05.txt> (84108 bytes)
The Kerberos Network Authentication Service (Version 5)
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-rfc1510ter-04.txt> (222275 bytes)
ECC Support for PKINIT
<http://www.ietf.org/internet-drafts/draft-zhu-pkinit-ecc-03.txt> (21007 bytes)
Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-tcp-expansion-02.txt> (14367 bytes)
Anonymity Support for Kerberos
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-anon-03.txt> (23897 bytes)
Additional Kerberos Naming Constraints
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-naming-03.txt> (13553 bytes)
PK-INIT Cryptographic Algorithm Agility
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-pkinit-alg-agility-02.txt> (29698 bytes)
Kerberos Version 5 GSS-API Channel Binding Hash Agility
<http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-gss-cb-hash-agility-01.txt> (12607 bytes)


    Request For Comments:

AES Encryption for Kerberos 5 (RFC 3962)
<http://www.ietf.org/rfc/rfc3962.txt> (32844 bytes)
Encryption and Checksum Specifications for Kerberos 5 (RFC 3961)
<http://www.ietf.org/rfc/rfc3961.txt> (111865 bytes)
The Kerberos Network Authentication Service (V5) (RFC 4120)
<http://www.ietf.org/rfc/rfc4120.txt> (340314 bytes) obsoletes RFC 1510 / updated by RFC 4537
The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121)
<http://www.ietf.org/rfc/rfc4121.txt> (43945 bytes) updates RFC 1964
Kerberos Cryptosystem Negotiation Extension (RFC 4537)
<http://www.ietf.org/rfc/rfc4537.txt> (11166 bytes) updates RFC 4120
Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557)
<http://www.ietf.org/rfc/rfc4557.txt> (11593 bytes)
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556)
<http://www.ietf.org/rfc/rfc4556.txt> (100339 bytes)


Can we have a status for those RFCs and drafts ?

Thanks.

Emmanuel

