| blob | 333ccb064196904fe82f3d5a4e76c150e0b89137 |
1 -- $Id$
2 HDB DEFINITIONS ::=
3 BEGIN
5 IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
7 HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
8 -- update when making changes
10 -- these must have the same value as the pa-* counterparts
11 hdb-pw-salt INTEGER ::= 3
12 hdb-afs3-salt INTEGER ::= 10
14 Salt ::= SEQUENCE {
15 type[0] INTEGER (0..4294967295),
16 salt[1] OCTET STRING,
17 opaque[2] OCTET STRING OPTIONAL
18 }
20 Key ::= SEQUENCE {
21 mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
22 key[1] EncryptionKey,
23 salt[2] Salt OPTIONAL
24 }
26 Event ::= SEQUENCE {
27 time[0] KerberosTime,
28 principal[1] Principal OPTIONAL
29 }
31 HDBFlags ::= BIT STRING {
32 initial(0), -- require as-req
33 forwardable(1), -- may issue forwardable
34 proxiable(2), -- may issue proxiable
35 renewable(3), -- may issue renewable
36 postdate(4), -- may issue postdatable
37 server(5), -- may be server
38 client(6), -- may be client
39 invalid(7), -- entry is invalid
40 require-preauth(8), -- must use preauth
41 change-pw(9), -- change password service
42 require-hwauth(10), -- must use hwauth
43 ok-as-delegate(11), -- as in TicketFlags
44 user-to-user(12), -- may use user-to-user auth
45 immutable(13), -- may not be deleted
46 trusted-for-delegation(14), -- Trusted to print forwardabled tickets
47 allow-kerberos4(15), -- Allow Kerberos 4 requests
48 allow-digest(16), -- Allow digest requests
49 locked-out(17), -- Account is locked out,
50 -- authentication will be denied
51 require-pwchange(18), -- require a passwd change
52 do-not-store(31) -- Not to be modified and stored in HDB
53 }
55 GENERATION ::= SEQUENCE {
56 time[0] KerberosTime, -- timestamp
57 usec[1] INTEGER (0..4294967295), -- microseconds
58 gen[2] INTEGER (0..4294967295) -- generation number
59 }
61 HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
62 subject[0] UTF8String,
63 issuer[1] UTF8String OPTIONAL,
64 anchor[2] UTF8String OPTIONAL
65 }
67 HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
68 digest-type[0] OBJECT IDENTIFIER,
69 digest[1] OCTET STRING
70 }
72 HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
73 cert[0] OCTET STRING
74 }
76 HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
78 -- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
80 HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
82 HDB-Ext-Password ::= SEQUENCE {
83 mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
84 password OCTET STRING
85 }
87 HDB-Ext-Aliases ::= SEQUENCE {
88 case-insensitive[0] BOOLEAN, -- case insensitive name allowed
89 aliases[1] SEQUENCE OF Principal -- all names, inc primary
90 }
92 Keys ::= SEQUENCE OF Key
94 hdb_keyset ::= SEQUENCE {
95 kvno[0] INTEGER (0..4294967295),
96 keys[1] Keys,
97 set-time[2] KerberosTime OPTIONAL, -- time this keyset was created/set
98 ...
99 }
101 HDB-Ext-KeySet ::= SEQUENCE OF hdb_keyset
104 HDB-extension ::= SEQUENCE {
105 mandatory[0] BOOLEAN, -- kdc MUST understand this extension,
106 -- if not the whole entry must
107 -- be rejected
108 data[1] CHOICE {
109 pkinit-acl[0] HDB-Ext-PKINIT-acl,
110 pkinit-cert-hash[1] HDB-Ext-PKINIT-hash,
111 allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl,
112 -- referral-info[3] HDB-Ext-Referrals,
113 lm-owf[4] HDB-Ext-Lan-Manager-OWF,
114 password[5] HDB-Ext-Password,
115 aliases[6] HDB-Ext-Aliases,
116 last-pw-change[7] KerberosTime,
117 pkinit-cert[8] HDB-Ext-PKINIT-cert,
118 hist-keys[9] HDB-Ext-KeySet,
119 hist-kvno-diff-clnt[10] INTEGER (0..4294967295),
120 hist-kvno-diff-svc[11] INTEGER (0..4294967295),
121 policy[12] UTF8String,
122 principal-id[13] INTEGER(-9223372036854775808..9223372036854775807),
123 ...
124 },
125 ...
126 }
128 HDB-extensions ::= SEQUENCE OF HDB-extension
130 hdb_entry ::= SEQUENCE {
131 principal[0] Principal OPTIONAL, -- this is optional only
132 -- for compatibility with libkrb5
133 kvno[1] INTEGER (0..4294967295),
134 keys[2] Keys,
135 created-by[3] Event,
136 modified-by[4] Event OPTIONAL,
137 valid-start[5] KerberosTime OPTIONAL,
138 valid-end[6] KerberosTime OPTIONAL,
139 pw-end[7] KerberosTime OPTIONAL,
140 max-life[8] INTEGER (0..4294967295) OPTIONAL,
141 max-renew[9] INTEGER (0..4294967295) OPTIONAL,
142 flags[10] HDBFlags,
143 etypes[11] SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
144 generation[12] GENERATION OPTIONAL,
145 extensions[13] HDB-extensions OPTIONAL
146 }
148 hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
149 principal[0] Principal OPTIONAL
150 }
152 END