Re: question: etypes and krb5key

[Love Hörnquist Åstrand <lha@kth.se>]

Gessy Caetano da Silva Junior <listas_gessy@yahoo.com.br> writes:

> Hi,
>
> I using heimdal + openldap and i would like understand a question,
> maybe  two questions.
>
> Well, heimdal is able to write all Principal information and Ticket
> information on ldap database. Thus I can create a new principal just
> adding a new entry on ldap.
>
> dn: cn=teste@aaa.bbb.cc,ou=aaa,o=bbb,c=cc
> objectClass: top
> objectClass: person
> objectClass: krb5Principal
> objectClass: krb5KDCEntry
> krb5PrincipalName: nssproxy@AAA.BBB.CC
> krb5MaxLife: 86400
> krb5MaxRenew: 604800
> krb5KDCFlags: 126
> cn: nssproxy@AAA.BBB.CC
> sn: nssproxy@AAA.BBB.CC
> userPassword:: e1NBU0x9bnNzcHJveHlATENDLlVGTUcuQlI=
> krb5KeyVersionNumber: 1
> krb5Key::MEagAwIBAaE/MD2gAwIBEKE2BDRA6r72yL61lRhzysoatu1WJAUHI0q93UDy2nGpv4LlEe1dvqJrIfDmsMFFrqgcl2hNB8lg
> ...
> ...
> ...
>
> Looking manpage, there's a section 'etypes' that show the valid
> encryption types. When I try add
>
> default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>
> the etypes that use hmac and aes doesn't work, i have the message
> 'encryption type des3-hmac-sha1 not supported' by kadmind. This
> support really does not exist?

The name of des3 enctype in heimdal is des3-cbc-sha1. It should really be
named des3-cbc-hmac-sha1, but that too late now. AES will be support in
Heimdal 0.7.

> And the other question is: how is generated the krb5key on ldap
> server, how can I create this atrribute without use kadmin or kpasswd?

There is a overlay ldap module for openssl that does this for you, it
allows you set the krb5Key attributes with the ldap password change
operation. See the mailing list archive for referenses to it, I can't
remember the name right now.

Love

PGP signature