On Sun, Feb 10, 2013 at 4:10 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
Hi guys,

as I'm working on the Kerberos server, I have a few questions.

1) Currently, when the added entry has a userPassword AT and a
krb5PrincipalName AT (which means it has a krb5principal OC), we create
the kerberos Keys using the password.

The problem is that the userPassword is a multiValued AT, so we use the
first password in the list to generate the keys. This is not necessarily
a good idea, but I don't see how we can improve this.

I will repeat the same words said in the IM :)
'let us throw an error when Kerberos is enabled in the server and an entry contains more than one password'
At least, we should inform the user about this fact

2) Service keys : as we use the same mechanism, we generate keys based
on the userPassword. Of course, we have no way to know that the added
entry is for a service (except for hosts), so the userPassword must
exist (and its value must be randomKey so that we don't use an weak

Woudln't it be better to generate the keys from a random password if the
userPassword AT is empty or absent ?

yes, and we should generate keys only when such an entry contains 'krb5PrincipalName'
3) We definitively need to add a plugin in Studio to allow a user to
change its password, using the changePassword protocol (and a shell
script based tool to do so)

Thoughts ?

Emmanuel Lécharny

Kiran Ayyagari