Network Working Group                                          Nagarajan
Internet-Draft                                              Novell, Inc.
Expires: November 18, 2005                                  May 17, 2005


              Kerberos version 5 schema for LDAP Directories
                  draft-rajasekaran-kerberos-schema-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 18, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes a schema for storing Kerberos version 5
   information in LDAP directories.  The information includes the
   attributes and object classes that define realm, KDC, administration
   server, password server, principal and policy.

Nagarajan               Expires November 18, 2005               [Page 1]
Internet-Draft           Kerberos schema for LDAP               May 2005

Table of Contents

   1. Requirements notation
   2. Introduction
   3. Attribute Type Definitions
      3.1  krbPrincipalName
      3.2  krbPrincipalType
      3.3  krbSecretKey
      3.4  krbUPEnabled
      3.5  krbPrincipalExpiration
      3.6  krbPolicyReference
      3.7  krbTicketFlags
      3.8  krbMaxTicketLife
      3.9  krbMaxRenewableAge
      3.10 krbServiceFlags
      3.11 krbRealmReferences
      3.12 krbLdapServers
      3.13 krbSubTree
      3.14 krbKdcServers
      3.15 krbAdmServers
      3.16 krbPwdServers
      3.17 krbSupportedEncTypes
      3.18 krbSupportedSaltTypes
      3.19 krbDefaultEncType
      3.20 krbDefaultSaltType
      3.21 krbHostServer
      3.22 krbSearchScope
      3.23 krbPrincNamingAttr
      3.24 krbMaxPwdLife
      3.25 krbMinPwdLife
      3.26 krbPwdMinDiffChars
      3.27 krbPwdMinLength
      3.28 krbPwdHistoryLength
      3.29 krbPwdPolicyRefCount
      3.30 krbPwdPolicyReference
   4. Object Class Definitions
      4.1  krbContainer
      4.2  krbRealmContainer
      4.3  krbService
      4.4  krbKdcService
      4.5  krbAdmService
      4.6  krbPwdService
      4.7  krbPolicyAux
      4.8  krbPolicy
      4.9  krbPrincipalAux
      4.10 krbPrincipal
      4.11 krbPwdPolicy
      4.12 krbPwdPolicyRefAux
   5. IANA Considerations
      5.1  Object Identifier Registration
      5.2  Object Identifier Descriptors
   6. Security Considerations
   7. References
      Author's Address
      Intellectual Property and Copyright Statements

1. Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2. Introduction

   This document defines LDAP schema elements for storing Kerberos
   version 5 (see [draft-ietf-krb-wg-kerberos-clarifications-07] and
   [RFC1510]) information in LDAP v3 compliant directories.  This
   includes the attribute definitions, object classes, naming attributes
   and containment rules for the Kerberos entities, namely realm, KDC,
   administration server, password server, principal and policy.
3. Attribute Type Definitions

   As the OIDs for the attributes in this document have not been
   assigned, IANA-ASSIGNED-OID has been used as a placeholder until real
   OIDs are assigned.

3.1 krbPrincipalName

   This is the principal name in the format specified in [RFC1510].

   Definition:

      ( IANA-ASSIGNED-OID.4.1
        NAME 'krbPrincipalName'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

   Used In: krbPrincipalAux, krbPrincipal

   Usage: This attribute holds the principal identifier for the
   principal as per the [RFC1510] specification.  The value of this
   attribute has to be unique in the tree.  Since a user can have more
   than one Kerberos name, this attribute is multi-valued.

   Values: The set of allowed values for this attribute is based on the
   principal identifier format specified in [RFC1510] section 7.  A
   principal identifier consists of the principal name followed by the
   "@" symbol and then the realm name.

3.2 krbPrincipalType

   Holds the type of the principal.

   Definition:

      ( IANA-ASSIGNED-OID.4.2
        NAME 'krbPrincipalType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPrincipal

   Usage: This attribute is used to store the type of the principal.  A
   common example is the distinction between a principal of type user
   and a principal of type service.  The distinction between the various
   service types is needed to determine the kinds of tickets that can be
   issued for these principals.

   Values: The values that this attribute can hold are specified in
   [RFC1510] section 7.2 and are also listed below:

      NT_UNKNOWN       0
      NT_PRINCIPAL     1
      NT_SRV_INST      2
      NT_SRV_HST       3
      NT_SRV_XHST      4
      NT_UID           5
      X500_PRINCIPAL   6

3.3 krbSecretKey

   This attribute stores the secret key of a Kerberos user or service
   principal.
   Definition:

      ( IANA-ASSIGNED-OID.4.3
        NAME 'krbSecretKey'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   Used In: krbPrincipalAux

   Usage: This attribute stores the principal's key encrypted with the
   master key for the realm.  As the user can have multiple versions of
   the keys, this attribute is multi-valued.  Moreover, for each
   version, there may be multiple values corresponding to the key type /
   salt type pair.  The choice of which key to use, when ticket requests
   are made, is determined by the key type in the request and the
   availability of that key type for the principal in its set of
   attribute values.  The byte encoding is big endian.  The format of
   the value for this attribute is explained below.

   *  At the beginning of the value, an index is maintained which
      contains the length of the principal name, the number of keys for
      this principal, and each key's type and length.

   *  Following this index, the actual data is placed.

   The format of this complete structure is shown below.

      First 2 bytes   Length of principal name (princNameLength)
      Next 2 bytes    Current version of the principal key
      Next 2 bytes    Version of the master key used to encrypt this
                      principal key
      Next 4 bytes    Time when the password was last changed
      Next 2 bytes    Number of keys for the principal (noOfKeys)
      Next 2 bytes    Key type of the first key
      Next 2 bytes    Length of the first key (keyLength[1])
      Next 2 bytes    Salt type of the first key
      Next 2 bytes    Salt length of the first key (saltLength[1])
      ...             ... (other keys...)
      Next 2 bytes    Key type of the last key (there will be "noOfKeys"
                      keys)
      Next 2 bytes    Length of the last key (keyLength[noOfKeys])
      Next 2 bytes    Salt type of the last key
      Next 2 bytes    Salt length of the last key (saltLength[noOfKeys])
      Principal name (of princNameLength)
      Principal's first key (of keyLength[1])
      Principal's first salt (of saltLength[1])
      ...             ... (other keys...)
      Principal's last key (of keyLength[noOfKeys])
      Principal's last salt (of saltLength[noOfKeys])

3.4 krbUPEnabled

   This attribute specifies whether to use the user password as the
   Kerberos password or not.

   Definition:

      ( IANA-ASSIGNED-OID.4.4
        NAME 'krbUPEnabled'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )

   Used In: krbPrincipalAux, krbRealmContainer

   Usage: This attribute is used to store whether the password of a
   user, or of the users in a realm, has to be used as the Kerberos
   password or not.

   Values:

      True:  if the user password has to be used as the Kerberos
             password.
      False: if the Kerberos password is different from the users'
             passwords.

3.5 krbPrincipalExpiration

   This attribute holds the time at which the principal expires.

   Definition:

      ( IANA-ASSIGNED-OID.4.5
        NAME 'krbPrincipalExpiration'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

   Used In: krbPrincipal

   Usage: This attribute is used to store the time at which a principal
   expires.

3.6 krbPolicyReference

   Holds a reference to a Kerberos ticket policy.

   Definition:

      ( IANA-ASSIGNED-OID.4.6
        NAME 'krbPolicyReference'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )

   Used In: krbPrincipalAux, krbRealmContainer, krbContainer

   Usage: Reference to a Kerberos ticket policy object.

   Values: DN of a Kerberos policy object.
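Section 3.3's krbSecretKey layout, as an added example that is not part of the draft: a Python encoder and decoder for the index-then-data structure. The dataclass and function names are mine, the 4-byte time is assumed to be seconds since the Unix epoch and the principal name to be UTF-8, and the sample value is constructed.

```python
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class KeyEntry:
    key_type: int    # encryption type number (section 3.17 values)
    salt_type: int   # salt type number (section 3.18 values)
    key: bytes       # key material, already encrypted with the realm master key
    salt: bytes


@dataclass
class SecretKeyValue:
    principal: str
    key_version: int         # current version of the principal key
    master_key_version: int  # version of the master key used for encryption
    last_changed: int        # 4-byte time; assumed here: seconds since the Unix epoch
    keys: List[KeyEntry]


# Fixed part of the index: princNameLength, kvno, mkvno, last change, noOfKeys.
_HEADER = struct.Struct(">HHHIH")
# Per-key index entry: key type, key length, salt type, salt length.
_KEY_INDEX = struct.Struct(">HHHH")


def encode_secret_key(value: SecretKeyValue) -> bytes:
    """Serialise a SecretKeyValue into the big-endian krbSecretKey layout."""
    name = value.principal.encode("utf-8")
    if not value.keys:
        raise ValueError("a krbSecretKey value needs at least one key")
    fields = [len(name), value.key_version, value.master_key_version, len(value.keys)]
    fields += [n for k in value.keys for n in (k.key_type, len(k.key), k.salt_type, len(k.salt))]
    if any(not 0 <= f <= 0xFFFF for f in fields):
        raise ValueError("a 2-byte index field is out of range")
    out = _HEADER.pack(len(name), value.key_version, value.master_key_version,
                       value.last_changed, len(value.keys))
    for k in value.keys:                       # index first ...
        out += _KEY_INDEX.pack(k.key_type, len(k.key), k.salt_type, len(k.salt))
    out += name                                # ... then the actual data
    for k in value.keys:
        out += k.key + k.salt
    return out


def decode_secret_key(blob: bytes) -> SecretKeyValue:
    """Parse a krbSecretKey value; rejects truncated or over-long values."""
    if len(blob) < _HEADER.size:
        raise ValueError("value shorter than the fixed header")
    name_len, kvno, mkvno, changed, n_keys = _HEADER.unpack_from(blob, 0)
    pos = _HEADER.size
    if len(blob) < pos + n_keys * _KEY_INDEX.size:
        raise ValueError("value shorter than its key index")
    index = []
    for _ in range(n_keys):
        index.append(_KEY_INDEX.unpack_from(blob, pos))
        pos += _KEY_INDEX.size
    # Every length is known now: check the total before slicing any data.
    expected = pos + name_len + sum(kl + sl for _, kl, _, sl in index)
    if len(blob) != expected:
        raise ValueError(f"value is {len(blob)} bytes, index says {expected}")
    principal = blob[pos:pos + name_len].decode("utf-8")
    pos += name_len
    keys = []
    for key_type, key_len, salt_type, salt_len in index:
        key = blob[pos:pos + key_len]
        pos += key_len
        salt = blob[pos:pos + salt_len]
        pos += salt_len
        keys.append(KeyEntry(key_type, salt_type, key, salt))
    return SecretKeyValue(principal, kvno, mkvno, changed, keys)


# Constructed sample (not from the draft): one AES256 key with a NORMAL salt
# and one DES_CBC_MD5 key with a V4 salt; the key bytes are dummies.
SAMPLE = SecretKeyValue(
    principal="alice@EXAMPLE.COM", key_version=3, master_key_version=1,
    last_changed=1116288000,
    keys=[KeyEntry(0x0012, 0, b"\x11" * 32, b""),
          KeyEntry(0x0003, 1, b"\x22" * 8, b"EXAMPLE.COM")],
)


def roundtrip(value: SecretKeyValue = SAMPLE) -> SecretKeyValue:
    """Encode then decode, returning the parsed copy (equal to the input)."""
    return decode_secret_key(encode_secret_key(value))


if __name__ == "__main__":
    blob = encode_secret_key(SAMPLE)
    print(len(blob), "bytes; header+index:", blob[:28].hex())
    print(roundtrip())
```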
3.7 krbTicketFlags

   Holds the ticket flags that are allowed for a user or service.

   Definition:

      ( IANA-ASSIGNED-OID.4.7
        NAME 'krbTicketFlags'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPolicyAux

   Usage: This attribute stores the allowed ticket flags that can be
   requested by a principal.  The flags specified by [RFC1510] can be
   found on pages 43 and 51 of the RFC.  The stored bit flags are
   interpreted by the code and translated to the [RFC1510] specific
   format.

   Values: The allowed values and their interpretations as per the code
   are:

      DISALLOW_POSTDATED     0x00000001
      DISALLOW_FORWARDABLE   0x00000002
      DISALLOW_TGT_BASED     0x00000004
      DISALLOW_RENEWABLE     0x00000008
      DISALLOW_PROXIABLE     0x00000010
      DISALLOW_DUP_SKEY      0x00000020
      DISALLOW_ALL_TIX       0x00000040
      REQUIRES_PRE_AUTH      0x00000080
      REQUIRES_HW_AUTH       0x00000100
      REQUIRES_PWCHANGE      0x00000200
      DISALLOW_SVR           0x00001000
      PWCHANGE_SERVICE       0x00002000

3.8 krbMaxTicketLife

   Holds the maximum ticket lifetime for a principal in seconds.

   Definition:

      ( IANA-ASSIGNED-OID.4.8
        NAME 'krbMaxTicketLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPolicyAux

   Usage: The maximum ticket lifetime for a principal in seconds is
   maintained in this attribute.  The maximum ticket lifetime is
   programmatically calculated by choosing the minimum of the requested
   ticket lifetime, the service ticket lifetime, and the principal
   ticket lifetime.

   Values: The value stored in this attribute should correctly reflect
   the number of seconds for which the ticket is valid.  The value may
   need to be generated from a combination of weeks/days/hours/minutes/
   seconds; these need to be converted to seconds before the value is
   stored in the attribute.

3.9 krbMaxRenewableAge

   Holds the maximum renewable lifetime of a principal's ticket in
   seconds.
   Definition:

      ( IANA-ASSIGNED-OID.4.9
        NAME 'krbMaxRenewableAge'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPolicyAux

   Usage: This attribute denotes the maximum lifetime in seconds within
   which a principal can renew its ticket.  The maximum renewable
   lifetime is programmatically calculated by choosing the minimum of
   the requested lifetime, the service ticket lifetime, and the
   principal ticket lifetime.

   Values: The value stored in this attribute should correctly reflect
   the number of seconds for which the ticket can be renewed.  The value
   may need to be generated from a combination of weeks/days/hours/
   minutes/seconds; these need to be converted to seconds before the
   value is stored in the attribute.

3.10 krbServiceFlags

   Holds a set of flags that a Kerberos server requires to enable or
   disable support for certain features.

   Definition:

      ( IANA-ASSIGNED-OID.4.10
        NAME 'krbServiceFlags'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbService

   Usage: This attribute stores the bitwise OR of the options that a
   Kerberos service serving a realm needs to support.

   Values: The bit flags that can be set are:

      AUTO_RESTART          (1 << 0)
      CHECK_ADDRESSES       (1 << 1)
      SUPPORT_V4            (1 << 2)
      UNIXTIME_OLD_PATYPE   (1 << 6)

   AUTO_RESTART: If set, the Kerberos service is restarted in case of
   critical failures.

   CHECK_ADDRESSES: Enables the Kerberos service to check the address
   field in each ticket and perform validations on these addresses.

   SUPPORT_V4: This flag needs to be set to enable Kerberos v4 support.

   UNIXTIME_OLD_PATYPE: Enables the Kerberos authentication server to
   accept Unix time as a pre-authentication data type.
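The krbTicketFlags bits of section 3.7 and the minimum-of-three lifetime rule of sections 3.8 and 3.9, worked in Python as an added example (not code from the draft). The KDC option names and the decision logic around the DISALLOW_* and REQUIRES_* bits are this example's own assumptions about how a KDC applies the stored value.

```python
# Bit values exactly as listed for krbTicketFlags in section 3.7.
TICKET_FLAG_BITS = [
    ("DISALLOW_POSTDATED",   0x00000001),
    ("DISALLOW_FORWARDABLE", 0x00000002),
    ("DISALLOW_TGT_BASED",   0x00000004),
    ("DISALLOW_RENEWABLE",   0x00000008),
    ("DISALLOW_PROXIABLE",   0x00000010),
    ("DISALLOW_DUP_SKEY",    0x00000020),
    ("DISALLOW_ALL_TIX",     0x00000040),
    ("REQUIRES_PRE_AUTH",    0x00000080),
    ("REQUIRES_HW_AUTH",     0x00000100),
    ("REQUIRES_PWCHANGE",    0x00000200),
    ("DISALLOW_SVR",         0x00001000),
    ("PWCHANGE_SERVICE",     0x00002000),
]
FLAG = dict(TICKET_FLAG_BITS)
_KNOWN_MASK = sum(bit for _, bit in TICKET_FLAG_BITS)

# Requested KDC option -> policy bit that forbids it.  The option names are
# this example's own assumption; the draft lists only the DISALLOW_* bits.
OPTION_DISALLOWED_BY = {
    "forwardable": FLAG["DISALLOW_FORWARDABLE"],
    "proxiable":   FLAG["DISALLOW_PROXIABLE"],
    "postdated":   FLAG["DISALLOW_POSTDATED"],
    "renewable":   FLAG["DISALLOW_RENEWABLE"],
}


def decode_ticket_flags(value: int) -> list:
    """Names of the bits set in a stored value; bits the draft does not define come back as hex."""
    names = [name for name, bit in TICKET_FLAG_BITS if value & bit]
    unknown = value & ~_KNOWN_MASK
    if unknown:
        names.append(hex(unknown))
    return names


def check_ticket_request(policy_flags: int, options, preauthenticated: bool,
                         hw_authenticated: bool) -> list:
    """Reasons a KDC applying this policy value would refuse the request ([] = allowed)."""
    reasons = []
    if policy_flags & FLAG["DISALLOW_ALL_TIX"]:
        reasons.append("DISALLOW_ALL_TIX is set: no tickets for this principal")
    for opt in options:
        bit = OPTION_DISALLOWED_BY.get(opt)
        if bit is None:
            reasons.append(f"unknown option {opt!r}")
        elif policy_flags & bit:
            reasons.append(f"option {opt!r} is disallowed by policy")
    if policy_flags & FLAG["REQUIRES_PRE_AUTH"] and not preauthenticated:
        reasons.append("REQUIRES_PRE_AUTH is set but no pre-authentication was done")
    if policy_flags & FLAG["REQUIRES_HW_AUTH"] and not hw_authenticated:
        reasons.append("REQUIRES_HW_AUTH is set but no hardware authentication was done")
    return reasons


def to_seconds(weeks=0, days=0, hours=0, minutes=0, seconds=0) -> int:
    """The weeks/days/hours/minutes/seconds form of 3.8/3.9, converted for storage."""
    return (((weeks * 7 + days) * 24 + hours) * 60 + minutes) * 60 + seconds


def effective_lifetime(requested: int, service_max: int, principal_max: int) -> int:
    """Sections 3.8/3.9: the minimum of the requested, service and principal lifetimes."""
    if min(requested, service_max, principal_max) <= 0:
        raise ValueError("lifetimes must be positive numbers of seconds")
    return min(requested, service_max, principal_max)


if __name__ == "__main__":
    policy = FLAG["DISALLOW_FORWARDABLE"] | FLAG["REQUIRES_PRE_AUTH"]
    print(decode_ticket_flags(policy))
    print(check_ticket_request(policy, ["forwardable"], preauthenticated=False,
                               hw_authenticated=False))
    print(effective_lifetime(to_seconds(hours=10), to_seconds(days=1), to_seconds(hours=8)))
```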
3.11 krbRealmReferences

   Holds references to the realm objects (DNs of the krbRealmContainer
   objects).

   Definition:

      ( IANA-ASSIGNED-OID.4.11
        NAME 'krbRealmReferences'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbService

   Usage: This stores the DNs of the Kerberos realm (krbRealmContainer)
   objects.  This is a multi-valued attribute, and the KDC,
   Administration and Password Services will serve all the principals of
   the realms listed in this attribute.

   Values: DNs of valid Kerberos realm (krbRealmContainer) objects.

3.12 krbLdapServers

   Holds a list of LDAP servers that the Kerberos servers can contact.

   Definition:

      ( IANA-ASSIGNED-OID.4.12
        NAME 'krbLdapServers'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   Used In: krbRealmContainer

   Usage: This attribute holds the list of the DNS names or IP
   addresses, and the port, of the LDAP servers that host Kerberos data.
   The attribute holds data in the following format:

      HostName-or-IPAddress#Port

   where "#" is a delimiter.

   Examples: acme.com#636, 164.164.164.164#1636

3.13 krbSubTree

   Holds a reference (DN) to an entry that starts a sub tree where
   principals and other Kerberos objects in a realm are placed.

   Definition:

      ( IANA-ASSIGNED-OID.4.13
        NAME 'krbSubTree'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Usage: This attribute refers to an entry that starts a sub tree where
   the principals of a particular realm are configured.  This sub tree
   container is searched for that realm's principals based on the
   krbPrincipalName attribute.

   Values: DN of the sub tree root container under which all the
   principals of the realm exist.

3.14 krbKdcServers

   Holds a set of references to the KDC Service objects (DNs of the
   krbKdcService objects).
   Definition:

      ( IANA-ASSIGNED-OID.4.14
        NAME 'krbKdcServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbRealmContainer

   Usage: This stores the DNs of the KDC service objects.

   Values: DNs of valid KDC Service objects.

3.15 krbAdmServers

   Holds a set of references to Administration Service objects (DNs of
   the krbAdmService objects).

   Definition:

      ( IANA-ASSIGNED-OID.4.15
        NAME 'krbAdmServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbRealmContainer

   Usage: This stores the DNs of the administration service objects.

   Values: DNs of valid administration service objects.

3.16 krbPwdServers

   Holds a set of references to Password Service objects (DNs of the
   krbPwdService objects).

   Definition:

      ( IANA-ASSIGNED-OID.4.16
        NAME 'krbPwdServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   Used In: krbRealmContainer

   Usage: This stores the DNs of the Password Service objects.  This is
   a multi-valued attribute.

   Values: DNs of valid Password Service objects.

3.17 krbSupportedEncTypes

   Holds the list of encryption types supported by a realm.

   Definition:

      ( IANA-ASSIGNED-OID.4.17
        NAME 'krbSupportedEncTypes'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

   Used In: krbRealmContainer

   Usage: This contains the list of encryption types supported by a
   realm.

   Values: List of encryption types.  The encryption types that are
   supported as per [RFC3961] are:

      DES_CBC_CRC               0x0001
      DES_CBC_MD4               0x0002
      DES_CBC_MD5               0x0003
      DES_CBC_RAW               0x0004
      DES3_CBC_SHA              0x0005
      DES3_CBC_RAW              0x0006
      DES_HMAC_SHA1             0x0008
      DES3_CBC_SHA1             0x0010
      AES128_CTS_HMAC_SHA1_96   0x0011
      AES256_CTS_HMAC_SHA1_96   0x0012
      ARCFOUR_HMAC              0x0017
      ARCFOUR_HMAC_EXP          0x0018

3.18 krbSupportedSaltTypes

   Holds the list of salt types supported by a realm.
   Definition:

      ( IANA-ASSIGNED-OID.4.18
        NAME 'krbSupportedSaltTypes'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

   Used In: krbRealmContainer

   Usage: This contains the list of salt types supported by a realm.

   Values: List of salt types supported by the realm.  The salt types
   that are supported are:

      NORMAL      0
      V4          1
      NOREALM     2
      ONLYREALM   3
      SPECIAL     4
      AFS3        5

3.19 krbDefaultEncType

   Holds the default encryption type supported by the realm.

   Definition:

      ( IANA-ASSIGNED-OID.4.19
        NAME 'krbDefaultEncType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Usage: This contains the default encryption type supported by a
   realm.

   Values: An encryption type that is present in the values of
   krbSupportedEncTypes.

3.20 krbDefaultSaltType

   Holds the default salt type supported by the realm.

   Definition:

      ( IANA-ASSIGNED-OID.4.20
        NAME 'krbDefaultSaltType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Usage: This contains the default salt type supported by a realm.

   Values: A salt type that is present in the values of
   krbSupportedSaltTypes.

3.21 krbHostServer

   This attribute holds the host name, transport protocol and port for a
   Kerberos service.

   Definition:

      ( IANA-ASSIGNED-OID.4.21
        NAME 'krbHostServer'
        EQUALITY caseExactIA5Match )

   Used In: krbService

   Usage: This attribute holds the DNS name or the IP address of the
   server that hosts a Kerberos service (KDC, Administration or Password
   service) and the port at which the service runs.  The attribute holds
   data in the following format:

      HostName-or-IPAddress#Protocol#Port

   where "#" is a delimiter and Protocol can be 0 or 1: 0 is for UDP,
   1 is for TCP.

   Examples: acme.com#0#88, 164.164.164.164#1#1088

3.22 krbSearchScope

   Scope for searching principals.
   Definition:

      ( IANA-ASSIGNED-OID.4.22
        NAME 'krbSearchScope'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Usage: This attribute specifies the LDAP search scope used when
   searching for principals under the sub tree specified by the
   attribute "krbSubTree".

   Values: ONE (1) or SUBTREE (2).

3.23 krbPrincNamingAttr

   This attribute specifies which attribute of the user objects is used
   as the principal name component for Kerberos.  This is an alternative
   to the "krbPrincipalName" attribute.

   Definition:

      ( IANA-ASSIGNED-OID.4.23
        NAME 'krbPrincNamingAttr'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

   Used In: krbRealmContainer

   Usage: This attribute is used to specify an attribute of a user
   object that must be used as the principal name component for
   Kerberos.

   Values: The value for this attribute can be configured by the
   administrators.  Examples: cn, sn, uid, givenname, fullname,
   emailaddress.

3.24 krbMaxPwdLife

   This attribute specifies the maximum lifetime of a principal's
   password.

   Definition:

      ( IANA-ASSIGNED-OID.4.24
        NAME 'krbMaxPwdLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Usage: This attribute is used to specify the maximum lifetime of a
   principal's password.

   Values: Maximum lifetime of a principal's password in seconds.

3.25 krbMinPwdLife

   This attribute specifies the minimum lifetime of a principal's
   password.

   Definition:

      ( IANA-ASSIGNED-OID.4.25
        NAME 'krbMinPwdLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Usage: This attribute is used to specify the minimum lifetime of a
   principal's password.

   Values: Minimum lifetime of a principal's password in seconds.
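The value formats of krbLdapServers (section 3.12) and krbHostServer (section 3.21), parsed and validated in Python as an added example that is not part of the draft; the host-name syntax check and port range check are additions of this example, and the function names are its own.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class ServiceAddress(NamedTuple):
    host: str
    protocol: Optional[str]   # "udp" / "tcp" for krbHostServer, None for krbLdapServers
    port: int


def _check_host(host: str) -> str:
    """Accept an IP literal (IPv4 or IPv6) or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if host and all(_LABEL.match(label) for label in host.split(".")):
        return host
    raise ValueError(f"not a host name or IP address: {host!r}")


def _check_port(port: str) -> int:
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port!r}")
    return int(port)


def parse_krb_host_server(value: str) -> ServiceAddress:
    """Parse HostName-or-IPAddress#Protocol#Port (section 3.21); Protocol 0 = UDP, 1 = TCP."""
    parts = value.split("#")
    if len(parts) != 3:
        raise ValueError(f"expected host#protocol#port, got {value!r}")
    host, protocol, port = parts
    if protocol not in ("0", "1"):
        raise ValueError(f"protocol must be 0 (UDP) or 1 (TCP), got {protocol!r}")
    return ServiceAddress(_check_host(host), "udp" if protocol == "0" else "tcp",
                          _check_port(port))


def parse_krb_ldap_servers(value: str) -> ServiceAddress:
    """Parse HostName-or-IPAddress#Port (section 3.12)."""
    parts = value.split("#")
    if len(parts) != 2:
        raise ValueError(f"expected host#port, got {value!r}")
    return ServiceAddress(_check_host(parts[0]), None, _check_port(parts[1]))


if __name__ == "__main__":
    for v in ("acme.com#0#88", "164.164.164.164#1#1088"):    # the draft's own examples
        print(v, "->", parse_krb_host_server(v))
    for v in ("acme.com#636", "164.164.164.164#1636"):
        print(v, "->", parse_krb_ldap_servers(v))
```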
3.26 krbPwdMinDiffChars

   This attribute specifies the minimum number of character classes
   required in a password.

   Definition:

      ( IANA-ASSIGNED-OID.4.26
        NAME 'krbPwdMinDiffChars'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Usage: This attribute is used to specify the minimum number of
   character classes required in a password.

   Values: Minimum number of character classes required in a password.

3.27 krbPwdMinLength

   This attribute specifies the minimum length of the principal
   password.

   Definition:

      ( IANA-ASSIGNED-OID.4.27
        NAME 'krbPwdMinLength'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Usage: This attribute is used to specify the minimum length of the
   principal password.

   Values: Minimum length of the principal password.

3.28 krbPwdHistoryLength

   This attribute specifies the number of old passwords that are stored
   for a principal.

   Definition:

      ( IANA-ASSIGNED-OID.4.28
        NAME 'krbPwdHistoryLength'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Usage: This attribute is used to specify the number of old passwords
   that are stored for a principal.

   Values: Number of old passwords that are stored for a principal.

3.29 krbPwdPolicyRefCount

   This attribute specifies the number of principals that refer to this
   policy.

   Definition:

      ( IANA-ASSIGNED-OID.4.29
        NAME 'krbPwdPolicyRefCount'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

   Used In: krbPwdPolicy

   Usage: This attribute is used to specify the number of principals
   that refer to this policy.

   Values: Number of principals that refer to this policy.

3.30 krbPwdPolicyReference

   This attribute stores the DN of a Kerberos password policy object.
   Definition:

      ( IANA-ASSIGNED-OID.4.30
        NAME 'krbPwdPolicyReference'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )

   Used In: krbPwdPolicyRefAux

   Usage: DN of a Kerberos password policy object.

   Values: DN of a valid Kerberos password policy object.

4. Object Class Definitions

   As the OIDs for the object classes in this document have not been
   assigned, IANA-ASSIGNED-OID has been used as a placeholder until real
   OIDs are assigned.

4.1 krbContainer

   The krbContainer class defines a container object.  This container
   holds only the realm objects: it is a container for all the realm
   container objects in a tree, so that locating a realm is easy.

   Definition:

      ( IANA-ASSIGNED-OID.6.1
        NAME 'krbContainer'
        SUP top
        MUST ( cn )
        MAY ( krbPolicyReference ) )

   Naming Attribute: cn

   Containment: organization, organizationalunit, country, locality,
   domain

4.2 krbRealmContainer

   The krbRealmContainer object contains the realm name and related
   realm information that the Kerberos authentication and administration
   servers need to process requests.  For each realm there exists only
   one realm container object.

   Definition:

      ( IANA-ASSIGNED-OID.6.2
        NAME 'krbRealmContainer'
        SUP top
        MUST ( cn )
        MAY ( krbUPEnabled $ krbSubTree $ krbSearchScope $
              krbLdapServers $ krbSupportedEncTypes $
              krbSupportedSaltTypes $ krbDefaultEncType $
              krbDefaultSaltType $ krbPolicyReference $ krbKdcServers $
              krbPwdServers $ krbAdmServers $ krbPrincNamingAttr ) )

   Naming Attribute: cn

   Containment: krbRealmContainer

4.3 krbService

   The krbService class is an abstract class and serves as a super class
   for krbKdcService, krbAdmService and krbPwdService.
   An instance of a class derived from krbService is created per
   Kerberos authentication server, administration server or password
   server in a realm, and holds the references to the realm objects.
   These references are used to read further realm-specific data needed
   to service AS/TGS requests.  Additionally, this object contains some
   server-specific data such as path names and ports that the server
   uses.  This is the identity the Kerberos server logs in with.
   krbKdcService, krbAdmService and krbPwdService all derive from this
   class.

   Definition:

      ( IANA-ASSIGNED-OID.6.3
        NAME 'krbService'
        ABSTRACT
        SUP ( top $ Server $ ndsLoginProperties )
        MUST ( cn )
        MAY ( krbHostServer $ krbServiceFlags $ krbRealmReferences ) )

   Naming Attribute: cn

   Containment: organization, organizationalunit, country, locality,
   domain, krbRealmContainer

4.4 krbKdcService

   An object of this class serves as the representative object for the
   KDC to log into an LDAP directory and obtain a connection Id to
   access Kerberos data with the required access rights.  The
   krbKdcService class is derived from the krbService class.

   Definition:

      ( IANA-ASSIGNED-OID.6.4
        NAME 'krbKdcService'
        SUP ( krbService ) )

4.5 krbAdmService

   An object of this class serves as the representative object for the
   administration service to log into an LDAP directory and obtain a
   connection Id to access Kerberos data with the required access
   rights.  The krbAdmService class is derived from the krbService
   class.

   Definition:

      ( IANA-ASSIGNED-OID.6.5
        NAME 'krbAdmService'
        SUP ( krbService ) )

4.6 krbPwdService

   An object of this class serves as the representative object for the
   Kerberos change password server to log into an LDAP directory and
   obtain a connection Id to access Kerberos data with the required
   access rights.  The krbPwdService class is derived from the
   krbService class.
   Definition:

      ( IANA-ASSIGNED-OID.6.6
        NAME 'krbPwdService'
        SUP ( krbService ) )

4.7 krbPolicyAux

   The krbPolicyAux class holds policy data that is relevant to a
   principal.  This class is an auxiliary class, as it can form a policy
   object or be associated with a principal, a krbRealmContainer or a
   krbContainer.

   Definition:

      ( IANA-ASSIGNED-OID.6.7
        NAME 'krbPolicyAux'
        AUXILIARY
        MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )

4.8 krbPolicy

   Policy objects represent the effective ticket policy for Kerberos
   principals.  Policy objects can be associated with a
   krbRealmContainer, a krbContainer or principals.  krbPolicy objects
   will always be created with krbPolicyAux.

   Definition:

      ( IANA-ASSIGNED-OID.6.8
        NAME 'krbPolicy'
        SUP top
        MUST ( cn ) )

   Naming Attribute: cn

   Containment: organization, organizationalunit, country, locality,
   domain

4.9 krbPrincipalAux

   The principal auxiliary class contains attributes that are used to
   store principal-related data.  This class is defined as an auxiliary
   class so that other classes of objects (User, krbPrincipal, etc.) can
   extend their class definitions to add principal data.  Typically,
   user and person objects would be extended with the principal class to
   store Kerberos-related data.  If a user object belongs to multiple
   realms, then apart from the krbPrincipalName and krbSecretKey
   attributes, the other attribute values will be the same for all
   realms.

   Definition:

      ( IANA-ASSIGNED-OID.6.9
        NAME 'krbPrincipalAux'
        AUXILIARY
        MAY ( krbPrincipalName $ krbUPEnabled $ krbSecretKey $
              krbPolicyReference $ krbPrincipalExpiration ) )

4.10 krbPrincipal

   The krbPrincipal class is used to create Kerberos principals of a
   type other than User.  krbPrincipal objects will be created with
   krbPrincipalAux and optionally with krbPolicyAux.
   Definition:

      ( IANA-ASSIGNED-OID.6.10
        NAME 'krbPrincipal'
        SUP ( top )
        MUST ( krbPrincipalName )
        MAY ( krbPrincipalType ) )

   Naming Attribute: krbPrincipalName

   Containment: organization, organizationalunit, country, locality,
   domain, krbRealmContainer

4.11 krbPwdPolicy

   The krbPwdPolicy object is a template password policy that can be
   applied to principals when they are created.  These policy attributes
   are in effect when the Kerberos passwords are different from the
   users' passwords (UP).

   Definition:

      ( IANA-ASSIGNED-OID.6.11
        NAME 'krbPwdPolicy'
        SUP ( top )
        MUST ( cn )
        MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $
              krbPwdMinLength $ krbPwdHistoryLength $
              krbPwdPolicyRefCount ) )

   Naming Attribute: cn

   Containment: organization, organizationalunit, country, locality,
   domain

4.12 krbPwdPolicyRefAux

   This class contains attributes that are used to store data related to
   principals in a realm that is served by a foreign KDC.  This class
   can be attached to User objects.

   Definition:

      ( IANA-ASSIGNED-OID.6.12
        NAME 'krbPwdPolicyRefAux'
        AUXILIARY
        MAY ( krbPwdPolicyReference ) )

5. IANA Considerations

   Refer to RFC 3383, "Internet Assigned Numbers Authority (IANA)
   Considerations for the Lightweight Directory Access Protocol (LDAP)"
   [RFC3383].

5.1 Object Identifier Registration

   It is requested that the IANA register upon Informational Action an
   LDAP Object Identifier for use in this technical specification
   according to the following template:

      Subject: Request for LDAP OID Registration
      Person & email address to contact for further information:
         Rajasekaran Nagarajan (rnagarajan@novell.com)
      Specification: RFC XXXX
      Author/Change Controller: IESG
      Comments:
         The assigned OID will be used as a base for identifying a
         number of Kerberos schema elements defined in this document.
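A minimal MUST/MAY and SINGLE-VALUE checker for entries built from the section 4 object classes, added here as an example and not code from the draft: it encodes only the classes a principal entry needs (krbContainer, krbRealmContainer, krbPrincipal, krbPrincipalAux, krbPolicyAux), matches attribute names case-sensitively for simplicity, and the sample entries are constructed.

```python
from typing import Dict, List, Set, Tuple

# Object classes from section 4 (the ones a principal entry needs), stored as
# (kind, MUST, MAY, superclasses).  'top' is the standard LDAP root class.
SCHEMA: Dict[str, Tuple[str, frozenset, frozenset, tuple]] = {
    "top": ("abstract", frozenset({"objectClass"}), frozenset(), ()),
    "krbContainer": ("structural", frozenset({"cn"}),
                     frozenset({"krbPolicyReference"}), ("top",)),
    "krbRealmContainer": ("structural", frozenset({"cn"}), frozenset({
        "krbUPEnabled", "krbSubTree", "krbSearchScope", "krbLdapServers",
        "krbSupportedEncTypes", "krbSupportedSaltTypes", "krbDefaultEncType",
        "krbDefaultSaltType", "krbPolicyReference", "krbKdcServers",
        "krbPwdServers", "krbAdmServers", "krbPrincNamingAttr"}), ("top",)),
    "krbPrincipal": ("structural", frozenset({"krbPrincipalName"}),
                     frozenset({"krbPrincipalType"}), ("top",)),
    "krbPrincipalAux": ("auxiliary", frozenset(), frozenset({
        "krbPrincipalName", "krbUPEnabled", "krbSecretKey",
        "krbPolicyReference", "krbPrincipalExpiration"}), ()),
    "krbPolicyAux": ("auxiliary", frozenset(), frozenset({
        "krbTicketFlags", "krbMaxTicketLife", "krbMaxRenewableAge"}), ()),
}

# Attributes whose section 3 definitions carry SINGLE-VALUE (those used above).
SINGLE_VALUED = frozenset({
    "krbPrincipalType", "krbUPEnabled", "krbPrincipalExpiration",
    "krbPolicyReference", "krbTicketFlags", "krbMaxTicketLife",
    "krbMaxRenewableAge", "krbSubTree", "krbSearchScope",
    "krbDefaultEncType", "krbDefaultSaltType", "krbPrincNamingAttr"})


def _expand(name: str, seen: Set[str]) -> None:
    """Add a class and, recursively, its superclasses to `seen`."""
    if name in seen or name not in SCHEMA:
        return
    seen.add(name)
    for sup in SCHEMA[name][3]:
        _expand(sup, seen)


def validate_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Schema violations of an entry given as {attribute: [values]}; [] means it passes.
    Attribute names are compared case-sensitively here (real directories fold case)."""
    errors: List[str] = []
    classes = entry.get("objectClass", [])
    errors += [f"unknown object class {c}" for c in classes if c not in SCHEMA]
    effective: Set[str] = set()
    for c in classes:
        _expand(c, effective)
    structural = sorted(c for c in effective if SCHEMA[c][0] == "structural")
    if len(structural) != 1:
        errors.append(f"exactly one structural class is required, found {structural}")
    must = set().union(*(SCHEMA[c][1] for c in effective))
    may = set().union(*(SCHEMA[c][2] for c in effective))
    errors += [f"missing MUST attribute {a}" for a in sorted(must - set(entry))]
    errors += [f"attribute {a} is not allowed by the entry's object classes"
               for a in sorted(set(entry) - must - may)]
    for attr, values in entry.items():
        if not values:
            errors.append(f"{attr} has no values")
        elif attr in SINGLE_VALUED and len(values) > 1:
            errors.append(f"{attr} is SINGLE-VALUE but has {len(values)} values")
    return errors


# Constructed sample entries (not from the draft): a host service principal
# extended with both auxiliary classes, and a malformed variant of it.
GOOD_PRINCIPAL = {
    "objectClass": ["krbPrincipal", "krbPrincipalAux", "krbPolicyAux"],
    "krbPrincipalName": ["host/kdc1.example.com@EXAMPLE.COM"],
    "krbPrincipalType": ["3"],                 # NT_SRV_HST, section 3.2
    "krbSecretKey": ["<octet string in the section 3.3 layout>"],
    "krbTicketFlags": ["128"],                 # REQUIRES_PRE_AUTH, section 3.7
    "krbMaxTicketLife": ["36000"],
}
BAD_PRINCIPAL = {
    "objectClass": ["krbPrincipal", "krbPrincipalAux"],   # no krbPolicyAux ...
    "krbPrincipalType": ["1", "3"],            # two values in a SINGLE-VALUE attribute
    "krbTicketFlags": ["128"],                 # ... so this attribute is not allowed;
}                                              # krbPrincipalName (MUST) is also absent


if __name__ == "__main__":
    print("good:", validate_entry(GOOD_PRINCIPAL))
    print("bad: ", validate_entry(BAD_PRINCIPAL))
```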
5.2  Object Identifier Descriptors

   It is requested that the IANA register upon Informational Action the
   LDAP Descriptors used in this technical specification as detailed in
   the following template:

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see table
      Object Identifier: see table
      Person & email address to contact for further information:
         Rajasekaran Nagarajan (rnagarajan@novell.com)
      Usage: see table
      Specification: RFC XXXX
      Author/Change Controller: IESG

   Table: The following descriptors have been added:

      NAME                    Type  OID
      ----------------------  ----  ----------------------
      krbPrincipalName        A     IANA-ASSIGNED-OID.4.1
      krbPrincipalType        A     IANA-ASSIGNED-OID.4.2
      krbSecretKey            A     IANA-ASSIGNED-OID.4.3
      krbUPEnabled            A     IANA-ASSIGNED-OID.4.4
      krbPrincipalExpiration  A     IANA-ASSIGNED-OID.4.5
      krbPolicyReference      A     IANA-ASSIGNED-OID.4.6
      krbTicketFlags          A     IANA-ASSIGNED-OID.4.7
      krbMaxTicketLife        A     IANA-ASSIGNED-OID.4.8
      krbMaxRenewableAge      A     IANA-ASSIGNED-OID.4.9
      krbServiceFlags         A     IANA-ASSIGNED-OID.4.10
      krbRealmReferences      A     IANA-ASSIGNED-OID.4.11
      krbLdapServers          A     IANA-ASSIGNED-OID.4.12
      krbSubTree              A     IANA-ASSIGNED-OID.4.13
      krbKdcServers           A     IANA-ASSIGNED-OID.4.14
      krbAdmServers           A     IANA-ASSIGNED-OID.4.15
      krbPwdServers           A     IANA-ASSIGNED-OID.4.16
      krbSupportedEncTypes    A     IANA-ASSIGNED-OID.4.17
      krbSupportedSaltTypes   A     IANA-ASSIGNED-OID.4.18
      krbDefaultEncType       A     IANA-ASSIGNED-OID.4.19
      krbDefaultSaltType      A     IANA-ASSIGNED-OID.4.20
      krbHostServer           A     IANA-ASSIGNED-OID.4.21
      krbSearchScope          A     IANA-ASSIGNED-OID.4.22
      krbPrincNamingAttr      A     IANA-ASSIGNED-OID.4.23
      krbMaxPwdLife           A     IANA-ASSIGNED-OID.4.24
      krbMinPwdLife           A     IANA-ASSIGNED-OID.4.25
      krbPwdMinDiffChars      A     IANA-ASSIGNED-OID.4.26
      krbPwdMinLength         A     IANA-ASSIGNED-OID.4.27
      krbPwdHistoryLength     A     IANA-ASSIGNED-OID.4.28
      krbPwdPolicyRefCount    A     IANA-ASSIGNED-OID.4.29
      krbPwdPolicyReference   A     IANA-ASSIGNED-OID.4.30
      krbContainer            O     IANA-ASSIGNED-OID.6.1
      krbRealmContainer       O     IANA-ASSIGNED-OID.6.2
      krbService              O     IANA-ASSIGNED-OID.6.3
      krbKdcService           O     IANA-ASSIGNED-OID.6.4
      krbAdmService           O     IANA-ASSIGNED-OID.6.5
      krbPwdService           O     IANA-ASSIGNED-OID.6.6
      krbPolicyAux            O     IANA-ASSIGNED-OID.6.7
      krbPolicy               O     IANA-ASSIGNED-OID.6.8
      krbPrincipalAux         O     IANA-ASSIGNED-OID.6.9
      krbPrincipal            O     IANA-ASSIGNED-OID.6.10
      krbPwdPolicy            O     IANA-ASSIGNED-OID.6.11
      krbPwdPolicyRefAux      O     IANA-ASSIGNED-OID.6.12

      where Type A is Attribute and Type O is ObjectClass.

   Upon Informational Action these assignments will be recorded in the
   following registry:

      http://www.iana.org/assignments/ldap-parameters

6.  Security Considerations

   Storing Kerberos data in an LDAP directory makes it possible to
   examine that data outside the environment in which it is created and
   used.  The Kerberos 5 protocol relies entirely on the secrecy of the
   keys held in the KDC database, so the Kerberos data in the directory
   MUST be protected both at rest and in transit.

   This document assumes that the channel over which the KDC and the
   administration servers read keys from the directory MUST be secured,
   and that updates to these keys MUST be restricted to well-defined
   administrative interfaces.  The data stored in the directory MUST be
   protected with appropriate access rights using the access control
   mechanisms of the directory; in particular, krbSecretKey values
   should be readable only by the directory identities of the KDC and
   administration servers, not by the owner of the entry or by ordinary
   directory users.  Access control mechanisms themselves are beyond the
   scope of this document.  If the data is replicated across multiple
   directory instances, every replica holds the same keys, so the
   replication channel MUST also be secured.

7.  References

   [RFC1510]  Kohl, J. and C. Neuman, "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3383]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 3383, September 2002.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [draft-ietf-krb-wg-kerberos-clarifications-07]
              Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)",
              draft-ietf-krb-wg-kerberos-clarifications-07 (work in
              progress), September 2004.

   [draft-johansson-kerberos-model-01]
              Johansson, L., "An information model for Kerberos
              version 5", draft-johansson-kerberos-model-01 (work in
              progress), July 2004.

Author's Address

   Rajasekaran Nagarajan
   Novell, Inc.
   49/1 and 49/3 Garvebhavipalya
   7th Mile, Hosur Road
   Bangalore, Karnataka  560068
   IN

   Phone: +11 91 80 25731856
   Email: rnagarajan@novell.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.
   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
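   Added example for the Security Considerations (section 6), not part
   of the draft and not tied to any product the draft mentions: the
   draft leaves directory access control out of scope, so this shows one
   concrete way to meet its requirements for krbSecretKey in OpenLDAP
   slapd.conf syntax.  The DNs cn=kdc,ou=services,dc=example,dc=com and
   cn=kadmind,ou=services,dc=example,dc=com are assumed identities for
   the KDC and the administration server; the weak rule is shown first,
   then the corrected one.

```conf
# Weak: every authenticated directory user can read principal keys, and
# nothing forces the connection carrying them to be protected.
access to attrs=krbSecretKey
        by users read
        by * none

# Corrected.  Refuse every operation on a connection whose security
# strength factor (TLS or SASL protection) is below 128; this also
# covers replication consumers that bind to this server.
security ssf=128

# Keys are readable only by the KDC's identity and writable only by the
# administration server's, each only over a protected connection (a
# 'by' clause with ssf=128 does not match otherwise, so the request
# falls through to 'by * none').  The principal's own entry, other
# administrators and anonymous binds get nothing.
access to attrs=krbSecretKey
        by dn.exact="cn=kdc,ou=services,dc=example,dc=com" ssf=128 read
        by dn.exact="cn=kadmind,ou=services,dc=example,dc=com" ssf=128 write
        by * none

# The non-key principal data from krbPrincipalAux and krbPolicyAux may
# be readable more widely, but changes stay with the admin server.
access to attrs=krbPrincipalName,krbPrincipalType,krbPrincipalExpiration,krbUPEnabled,krbPolicyReference,krbTicketFlags,krbMaxTicketLife,krbMaxRenewableAge
        by dn.exact="cn=kadmind,ou=services,dc=example,dc=com" ssf=128 write
        by dn.exact="cn=kdc,ou=services,dc=example,dc=com" ssf=128 read
        by users read
        by * none
```

   Order matters in slapd access rules: the first matching 'by' clause
   wins, so the key rule must appear before any broader rule covering
   the same entries, and the attrs= list must name krbSecretKey
   explicitly rather than relying on a wildcard.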