directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Kerberos keys & passwords
Date Sun, 10 Feb 2013 12:16:23 GMT
On Sun, Feb 10, 2013 at 4:10 PM, Emmanuel Lécharny <elecharny@gmail.com>wrote:

> Hi guys,
>
> as I'm working on the Kerberos server, I have a few questions.
>
> 1) Currently, when the added entry has a userPassword AT and a
> krb5PrincipalName AT (which means it has a krb5principal OC), we create
> the kerberos Keys using the password.
>
> The problem is that the userPassword is a multiValued AT, so we use the
> first password in the list to generate the keys. This is not necessarily
> a good idea, but I don't see how we can improve this.
>
I will repeat the same words said in the IM :)
'let us throw an error when Kerberos is enabled in the server and an entry
contains more than one password'

> At least, we should inform the user about this fact
>
> 2) Service keys : as we use the same mechanism, we generate keys based
> on the userPassword. Of course, we have no way to know that the added
> entry is for a service (except for hosts), so the userPassword must
> exist (and its value must be randomKey so that we don't use a weak
> password).
>
> Wouldn't it be better to generate the keys from a random password if the
> userPassword AT is empty or absent ?
>
yes, and we should generate keys only when such an entry contains the
'krb5PrincipalName' attribute

> 3) We definitely need to add a plugin in Studio to allow a user to
> change its password, using the changePassword protocol (and a shell
> script based tool to do so)
>
+1

> Thoughts ?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
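The rules agreed on above (derive keys only for entries carrying krb5PrincipalName, refuse an entry with more than one userPassword, fall back to a random key when userPassword is absent or empty) are small enough to show end to end. The program below is an added example written for this archive page; it is not ApacheDS code and does not use its API. Entry, KeyFromEntry, DefaultSalt and AES128StringToKey are illustrative names chosen here. The string-to-key itself is the one RFC 3962 specifies for aes128-cts-hmac-sha1-96 (PBKDF2-HMAC-SHA1 with the default 4096 iterations, then DK with the 128-fold of "kerberos" from RFC 3961 A.1), the salt is the RFC 4120 default (realm followed by the name components with the "/" separators dropped), and the sample entries in main are constructed, not real directory data. Passing an iteration count of 1 reproduces the RFC 3962 Appendix B vector ("password" / "ATHENA.MIT.EDUraeburn"), which is how the string-to-key below can be checked.

```go
package main

// Added example, not ApacheDS code: derive an aes128-cts-hmac-sha1-96 long-term
// key from an LDAP entry following the rules discussed in this thread.
// Entry, KeyFromEntry and the attribute handling are illustrative assumptions;
// the string-to-key follows RFC 3962 section 4, the salt RFC 4120 section 4.

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is a minimal stand-in for an LDAP entry: attribute type to values.
type Entry map[string][]string

var (
	ErrMultiplePasswords = errors.New("krb5: entry has more than one userPassword; cannot choose one to derive keys from")
	ErrBadPrincipal      = errors.New("krb5: krb5PrincipalName must be a single value of the form name[/instance]@REALM")
)

// kerberosNFold128 is 128-fold("kerberos"), the DK constant given in RFC 3961 A.1.
var kerberosNFold128 = []byte{0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93}

const defaultIterations = 4096 // RFC 3962 default when no s2kparams are supplied

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), written out so the program
// needs nothing outside the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	var ctr [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// AES128StringToKey: tkey = PBKDF2-HMAC-SHA1(password, salt, iter, 16) and
// key = DK(tkey, "kerberos"). With a one-block constant and a zero IV, the
// CBC-CTS encryption inside DK reduces to a single AES block encryption.
func AES128StringToKey(password, salt string, iter int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, 16)
	c, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 16)
	c.Encrypt(key, kerberosNFold128)
	return key, nil
}

// DefaultSalt builds the RFC 4120 default salt: realm, then the principal name
// components concatenated without "/". Escaped "\/" and "\@" are not handled.
func DefaultSalt(principal string) (string, error) {
	at := strings.LastIndex(principal, "@")
	if at <= 0 || at == len(principal)-1 {
		return "", ErrBadPrincipal
	}
	name, realm := principal[:at], principal[at+1:]
	return realm + strings.ReplaceAll(name, "/", ""), nil
}

// KeyResult is what the server would store in the entry's key attribute.
type KeyResult struct {
	Principal string
	Key       []byte
	Random    bool // true when no usable userPassword existed (service principals)
}

// KeyFromEntry applies the thread's rules: no krb5PrincipalName means no key,
// more than one userPassword is an error, and a missing or empty userPassword
// yields a random key instead of one derived from a weak placeholder.
func KeyFromEntry(e Entry, iter int) (*KeyResult, error) {
	princs := e["krb5PrincipalName"]
	if len(princs) == 0 {
		return nil, nil
	}
	if len(princs) != 1 {
		return nil, ErrBadPrincipal
	}
	pws := e["userPassword"]
	if len(pws) > 1 {
		return nil, ErrMultiplePasswords
	}
	if len(pws) == 0 || pws[0] == "" {
		key := make([]byte, 16)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		return &KeyResult{Principal: princs[0], Key: key, Random: true}, nil
	}
	salt, err := DefaultSalt(princs[0])
	if err != nil {
		return nil, err
	}
	key, err := AES128StringToKey(pws[0], salt, iter)
	if err != nil {
		return nil, err
	}
	return &KeyResult{Principal: princs[0], Key: key}, nil
}

func main() {
	// Constructed sample entries, not real directory data.
	user := Entry{"krb5PrincipalName": {"raeburn@ATHENA.MIT.EDU"}, "userPassword": {"password"}}
	svc := Entry{"krb5PrincipalName": {"ldap/ldap.example.com@EXAMPLE.COM"}}
	twoPw := Entry{"krb5PrincipalName": {"bob@EXAMPLE.COM"}, "userPassword": {"one", "two"}}
	for _, e := range []Entry{user, svc, twoPw} {
		r, err := KeyFromEntry(e, defaultIterations)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s random=%v key=%s\n", r.Principal, r.Random, hex.EncodeToString(r.Key))
	}
}
```

The random branch is what makes point 2 safe: a service entry added without a userPassword gets 128 bits from crypto/rand rather than a key derived from a guessable placeholder such as the literal "randomKey". Note that a real KDC stores several keys (one per enctype) and a key version number alongside the principal; only the AES128 key is shown here.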
