From: Emmanuel Lécharny <elecharny@gmail.com>
Reply-To: elecharny@apache.org
To: Apache Directory Developers List <dev@directory.apache.org>
Date: Sun, 10 Feb 2013 11:40:17 +0100
Subject: Kerberos keys & passwords
Message-ID: <51177911.9050608@gmail.com>

Hi guys,

as I'm working on the Kerberos server, I have a few questions.

1) Currently, when the added entry has a userPassword AT and a krb5PrincipalName AT (which means it has a krb5principal OC), we create the Kerberos keys using the password. The problem is that userPassword is a multivalued AT, so we use the first password in the list to generate the keys. This is not necessarily a good idea, but I don't see how we can improve this. At least, we should inform the user about this fact.

2) Service keys: as we use the same mechanism, we generate keys based on the userPassword. Of course, we have no way to know that the added entry is for a service (except for hosts), so the userPassword must exist (and its value must be randomKey so that we don't use a weak password). Wouldn't it be better to generate the keys from a random password if the userPassword AT is empty or absent?

3) We definitely need to add a plugin in Studio to allow a user to change their password, using the changePassword protocol (and a shell script based tool to do so).

Thoughts?

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com