Thanks, but I'll wait for the .5 port. I tried
various combinations of the X500_NAME with no luck.
I'm assuming to exclude C, ST, and L of the x.509 (v3
cert). By the way I wasn't sure on the 2nd /O, should
that be the /OU or Org Unit Name of the X.500?
cs
-----Original Message-----
From: Daniel Kouril [mailto:kouril@ics.muni.cz]
Sent: Thursday, October 03, 2002 1:02 PM
To: STEWARD, Curtis (Jamestown)
Cc: 'heimdal-discuss@sics.se'
Subject: Re: PKINIT - allowed principal format?
On Thu, Oct 03, 2002 at 09:08:56AM -0400, STEWARD, Curtis (Jamestown) wrote:
> I'm new to Heimdal, it's the only opensource Kerberos
> implementation utilizing PKINIT that I know of, thanks.
> Activity looks limited though, what is the status, alternatives,
> and expected update on PKINIT?
>
> I've tried laters versions of Heimdal with no luck, so I
> assume no version later than 4e (as doc'd :) ) will work
> with Heimdal, so I've loaded it and OpenSSL 9.6.g onto Redhat 7.3.
> I'm using the pkinit patch right off of pkinit.en.html.
> I can make things function up to the point of kinit'ing with the
> PKINIT authentication. I think the problem might be in the
> pki-allowed-principals format. I'm understanding it should be
> principal name and cert:
>
> kdc.conf
> ...
>
> pki-certificate = /usr/local/ca/testkeys/cacert.pem
> pki-private-key = /usr/local/ca/testkeys/cakey.pem
> pki-ca-dir = /usr/local/ca/certs
> pki-allowed-principals = {
> root = /usr/local/ca/testkeys/cacert.pem
> }
The formats of the pki-allowed-principals records is:
PRINCIPAL = X500_NAME
which means that client authenticating with X.500 distinguished name
"X500_NAME" is allowed to get TGT with client principal "PRINCIPAL". For
example:
pki-allowed-principals = {
kouril = /O=CESNET/O=Masaryk University/CN=Daniel Kouril
}
P.S.
I have prepared a port to Heimdal 0.5, which contains many improvements done
mostly by Mario Strasser (client compatibility with Win2k, support of
smartcards etc.) I hope to releae it soon.
--
Dan