directory-dev mailing list archives

From Emmanuel Lecharny
Subject Re: Kerberos Kadmin GUI
Date Thu, 21 Jun 2007 23:02:36 GMT
Enrique Rodriguez wrote:

> On 6/20/07, Emmanuel Lecharny wrote:
>> Hi guys,
>> IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, a SWT
>> implementation :
>> It seems to be an interesting tool, and I'm thinking we should have such
>> a GUI in Apache Directory Studio.
>> Wdyt ?
> I think it would be great if AD Studio supported Kerberos
> administration.  However, this IBM tool is using the Kadmin protocol,
> which is specific to the MIT Kerberos implementation.

I was not thinking specifically of Kadmin, but something more 
comfortable, as soon as we have some specification to give to our GUI team.

> I think with
> the protocols we have, we shouldn't support kadmin.  I, for one, won't
> be putting any effort towards Kadmin.  You'll note the IBM tool is
> using JNI to MIT's library.
> You can get a feel for the basic Kerberos principal functions we need
> from this Kadmin overview.
> We can do most of what we need with the LDAP protocol and our X.500
> ACI.  

Sure, but I think a GUI is great to have to avoid complex manipulation 
of such elements. We already have an ACI editor in Apache Directory 
Studio, we just need a specific interface for Kerberos admin, I guess.

The question is what it should look like, and what functionalities it 
must contain.

> A few additional functions are covered by the upcoming
> Set/Change Protocol v2, an update of the Change Password protocol.

You mean, 
I guess.

> As for timing, I think it makes sense to hold off a bit longer.  There
> are 2 RFC's in the works:  (1) the aforementioned Set/Change Protocol
> v2 and (2) a possible informative RFC regarding an LDAP schema for
> Kerberos.  The new Set/Change Protocol adds some important key
> management functions and the LDAP schema supports many more features
> than our existing schema.  I think once implementation of these draft
> RFC's has stabilized then we can look at adding GUI for principal
> admin.  I was hoping to get to both of these later this year.

It would be good to have a page like 
where we have a clear view of what has been implemented, and what is 
not, including a roadmap for the drafts we intend to implement.

Here is a list of all the Kerberos working group drafts and RFCs:

Generating KDC Referrals to Locate Kerberos Realms (36370 bytes)
Kerberos Set/Change Key/Password Protocol Version 2 (32882 bytes)
A Generalized Framework for Kerberos Pre-Authentication (84108 bytes)
The Kerberos Network Authentication Service (Version 5) (222275 bytes)
ECC Support for PKINIT (21007 bytes)
Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over (14367 bytes)
Anonymity Support for Kerberos (23897 bytes)
Additional Kerberos Naming Constraints (13553 bytes)
PK-INIT Cryptographic Algorithm Agility (29698 bytes)
Kerberos Version 5 GSS-API Channel Binding Hash Agility (12607 bytes)

Request For Comments:

AES Encryption for Kerberos 5 (RFC 3962) (32844 bytes)
Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) (111865 bytes)
The Kerberos Network Authentication Service (V5) (RFC 4120) (340314 bytes) obsoletes RFC 1510 / updated by RFC 4537
The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) (43945 bytes) updates RFC 1964
Kerberos Cryptosystem Negotiation Extension (RFC 4537) (11166 bytes) updates RFC 4120
Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) (11593 bytes)
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) (100339 bytes)

Can we have a status for those RFCs and drafts?


