
RE: PKINIT - allowed principal format?

Thanks, but I'll wait for the .5 port.  I tried
various combinations of the X500_NAME with no luck.
I'm assuming to exclude C, ST, and L of the X.509 (v3
cert).  By the way, I wasn't sure about the 2nd /O; should
that be the /OU or Org Unit Name of the X.500 name?


-----Original Message-----
From: Daniel Kouril [mailto:kouril@ics.muni.cz]
Sent: Thursday, October 03, 2002 1:02 PM
To: STEWARD, Curtis (Jamestown)
Cc: 'heimdal-discuss@sics.se'
Subject: Re: PKINIT - allowed principal format?

On Thu, Oct 03, 2002 at 09:08:56AM -0400, STEWARD, Curtis (Jamestown) wrote:
> I'm new to Heimdal, it's the only opensource Kerberos
> implementation utilizing PKINIT that I know of, thanks.
> Activity looks limited though, what is the status, alternatives,
> and expected update on PKINIT?
> I've tried later versions of Heimdal with no luck, so I
> assume no version later than 4e (as doc'd :) ) will work
> with Heimdal, so I've loaded it and OpenSSL 9.6.g onto Redhat 7.3.
> I'm using the pkinit patch right off of pkinit.en.html.
> I can make things function up to the point of kinit'ing with the
> PKINIT authentication.  I think the problem might be in the
> pki-allowed-principals format.  I'm understanding it should be
> principal name and cert:
> kdc.conf
> ...
>  pki-certificate = /usr/local/ca/testkeys/cacert.pem
>  pki-private-key = /usr/local/ca/testkeys/cakey.pem
>  pki-ca-dir = /usr/local/ca/certs
>  pki-allowed-principals = {
>    root = /usr/local/ca/testkeys/cacert.pem
>  }

The format of the pki-allowed-principals records is:

    PRINCIPAL = X500_NAME

which means that a client authenticating with the X.500 distinguished name
"X500_NAME" is allowed to get a TGT with client principal "PRINCIPAL". For
example:

pki-allowed-principals = {
                   kouril = /O=CESNET/O=Masaryk University/CN=Daniel Kouril
}

I have prepared a port to Heimdal 0.5, which contains many improvements done
mostly by Mario Strasser (client compatibility with Win2k, support of
smartcards, etc.). I hope to release it soon.
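The following is an added example, not code from this thread or from Heimdal. It parses a kdc.conf fragment with the PRINCIPAL = X500_NAME records described above and decides which principal a given certificate subject may get a TGT for. It assumes the X.500 name is written in OpenSSL one-line form (/O=CESNET/O=Masaryk University/CN=Daniel Kouril) and that the subject must match the configured name exactly, RDN for RDN and in order; that exact-match rule is an assumption, not something the thread confirms about the PKINIT patch. The "alice" entry and its DN, and the function names, are constructed for the example. Under the exact-match assumption it also shows why dropping C/ST/L, or writing /OU where the certificate has a second /O, yields no match, and it flags the original question's mistake of putting a certificate file path where an X.500 name belongs.

```python
"""Checker for a Heimdal-style pki-allowed-principals mapping.

Added example, not code from the thread or from Heimdal. Assumes records of
the form PRINCIPAL = X500_NAME, X.500 names in OpenSSL one-line form, and an
exact, ordered match of the certificate subject (the match rule is assumed).
"""
import re
from typing import Dict, Optional, Tuple

DN = Tuple[Tuple[str, str], ...]

_BLOCK_START = re.compile(r"^pki-allowed-principals\s*=\s*\{$")
_RECORD = re.compile(r"^\s*([^\s=]+)\s*=\s*(.+?)\s*$")


def parse_dn(oneline: str) -> DN:
    """Parse an OpenSSL one-line DN into an ordered tuple of (attr, value).

    Order is kept: the same RDNs in another order are a different name.
    Caveat: one-line form cannot carry a '/' inside a value at all.
    """
    if not oneline.startswith("/"):
        raise ValueError(f"not an X.500 name in one-line form: {oneline!r}")
    rdns = []
    for part in oneline[1:].split("/"):
        if "=" not in part:
            # Triggers for a file path such as /usr/local/ca/testkeys/cacert.pem
            raise ValueError(f"{part!r} is not attr=value in {oneline!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return tuple(rdns)


def parse_allowed_principals(conf: str) -> Dict[DN, str]:
    """Read the pki-allowed-principals = { ... } block of a kdc.conf fragment
    and return a map from parsed X.500 name to principal name."""
    mapping: Dict[DN, str] = {}
    in_block = False
    for line in conf.splitlines():
        stripped = line.strip()
        if not in_block:
            in_block = bool(_BLOCK_START.match(stripped))
            continue
        if stripped == "}":
            break
        if not stripped or stripped.startswith("#"):
            continue
        m = _RECORD.match(line)
        if not m:
            raise ValueError(f"malformed record: {line!r}")
        principal, x500_name = m.groups()
        dn = parse_dn(x500_name)  # rejects values that are not X.500 names
        if dn in mapping:
            raise ValueError(f"{x500_name!r} is mapped to two principals")
        mapping[dn] = principal
    if not in_block:
        raise ValueError("no pki-allowed-principals block found")
    return mapping


def principal_for_subject(mapping: Dict[DN, str], subject: str) -> Optional[str]:
    """Principal a certificate with this subject may get a TGT for, or None."""
    return mapping.get(parse_dn(subject))


def config_error(conf: str) -> Optional[str]:
    """Return the parse error an admin would want to see, or None if conf is OK."""
    try:
        parse_allowed_principals(conf)
    except ValueError as e:
        return str(e)
    return None


# Constructed kdc.conf fragments. The kouril record is the one from the thread;
# the alice record and its DN are made up for this example.
GOOD_CONF = """\
[kdc]
  pki-certificate = /usr/local/ca/testkeys/cacert.pem
  pki-private-key = /usr/local/ca/testkeys/cakey.pem
  pki-ca-dir = /usr/local/ca/certs
  pki-allowed-principals = {
    kouril = /O=CESNET/O=Masaryk University/CN=Daniel Kouril
    alice = /C=CZ/ST=Moravia/L=Brno/O=Example Org/OU=Ops/CN=Alice
  }
"""

# The shape of the original question's config: a CA certificate file path
# where an X.500 name is expected.
BAD_CONF = """\
  pki-allowed-principals = {
    root = /usr/local/ca/testkeys/cacert.pem
  }
"""

if __name__ == "__main__":
    allowed = parse_allowed_principals(GOOD_CONF)
    for subj in (
        "/O=CESNET/O=Masaryk University/CN=Daniel Kouril",
        "/O=CESNET/OU=Masaryk University/CN=Daniel Kouril",  # OU instead of 2nd O
        "/O=Example Org/OU=Ops/CN=Alice",                    # C, ST, L dropped
        "/C=CZ/ST=Moravia/L=Brno/O=Example Org/OU=Ops/CN=Alice",
    ):
        print(f"{subj:60} -> {principal_for_subject(allowed, subj)}")
    print("bad config:", config_error(BAD_CONF))
```

Run it as a script to see the four lookups and the error for the misconfigured block; to check a real certificate against the map, feed it the subject as printed by `openssl x509 -noout -subject` in the old one-line format the example assumes.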