directory-dev mailing list archives

From "Enrique Rodriguez" <>
Subject Re: [Kerberos] Client status
Date Sat, 23 Jun 2007 07:45:15 GMT
On 6/22/07, Emmanuel Lecharny <> wrote:
> ...
> I have a question : atm, we have to inject an LDIF file to setup
> initial users. Is it possible to have a specific UI/GUI/CLI to create
> a new user without crafting an LDIF file by hand ?

If you look at the SASL GSSAPI doco or the other ones for Windows or
SSHD, you'll see that you can add the KeyDerivationService
interceptor.  Then, you can simply set the krb5PrincipalName and the
userPassword with LDAP (assuming you also have the objectClass'es
set).  SaslGssapiBindITest shows how to do this in code so a client
would be a matter of factoring out the relevant JNDI code and making a
client.  This would be a good enhancement for AD Studio and maybe
after I get the original subject of this thread working OK I'll work
on a CLI client.  Admins will want a CLI client to provision keys for
services, anyway; this would be to get keys into keytabs to provision
on hosts such as for SSHD or other Kerberized services.

> Otherwise, I'm interested in helping you to get a kerberos-unit
> working, as without unit tests, the code is really impossible to
> modify, as we don't have any way to do regression tests. Last, not
> least, I think that the new codec implementation can be done for
> subparts of the kerberos ASN.1 grammar. I have almost half of the
> state machines designed (using an UML tool to do so), which is the
> first step to get a decoder working.

That would be great to have better tests.  I am hoping to check-in
this weekend new integration tests with the new Kerberos and Change
Password clients operating against ApacheDS and all the various
permutations of ticket options and good vs. bad principal scenarios.

I guess it's too late now but I was thinking one non-invasive way to
get new codecs integrated would be to work on codecs for the new
Set/Change Protocol v2.  We really need the "set keys" operation to
close the loop with key lifecycle so that will be a short-term focus
for me.

> Maybe we can discuss this point on IRC, so that I can jump into the
> train faster.

My IM during the week is bad but I just got a new setup at home and
I'll install AIM/IRC and try to be on most of this weekend.
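The provisioning step Enrique describes above (set krb5PrincipalName and userPassword over LDAP and let the KeyDerivationService interceptor derive the Kerberos keys server-side), written out as an added JNDI example that is not code from this thread or from ApacheDS itself. It assumes the ApacheDS defaults of ldap://localhost:10389 and the uid=admin,ou=system bind DN, a users container at ou=users,dc=example,dc=com, and that the krb5Principal/krb5KDCEntry objectClasses and the krb5KeyVersionNumber attribute are what the server's Kerberos schema expects.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class AddKerberosPrincipal {

    // Build the attribute set for a principal entry. Only the password is
    // sent; with the KeyDerivationService interceptor enabled the server
    // derives the Kerberos keys itself, so no key material is crafted here.
    public static Attributes principalEntry(String uid, String principal, String password) {
        Attributes attrs = new BasicAttributes(true); // attribute IDs are case-insensitive
        Attribute oc = new BasicAttribute("objectClass");
        oc.add("top");
        oc.add("person");
        oc.add("inetOrgPerson");
        oc.add("krb5Principal");    // assumed Kerberos schema objectClasses
        oc.add("krb5KDCEntry");
        attrs.put(oc);
        attrs.put("uid", uid);
        attrs.put("cn", uid);
        attrs.put("sn", uid);
        attrs.put("krb5PrincipalName", principal);   // e.g. user@EXAMPLE.COM
        attrs.put("krb5KeyVersionNumber", "0");      // assumed required by the schema
        attrs.put("userPassword", password);         // interceptor derives keys from this
        return attrs;
    }

    // Usage: java AddKerberosPrincipal <adminPassword> <uid> <principal> <userPassword>
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:10389");   // assumed ApacheDS default
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");  // assumed admin DN
        env.put(Context.SECURITY_CREDENTIALS, args[0]);
        DirContext ctx = new InitialDirContext(env);
        try {
            String dn = "uid=" + args[1] + ",ou=users,dc=example,dc=com"; // assumed base DN
            ctx.createSubcontext(dn, principalEntry(args[1], args[2], args[3]));
        } finally {
            ctx.close();
        }
    }
}
```

Because the user's password crosses the wire in the add request, point the PROVIDER_URL at the server's LDAPS port or negotiate StartTLS before binding when this runs outside a test setup.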


View raw message