5 IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
-- Version number of the database format described by this module.
-- Per the author's note it has to be bumped whenever the format changes.
-- NOTE(review): how readers react to an unexpected value is not visible here.
7 HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
8 -- update when making changes
-- Salt type identifiers used by the database.
10 -- these must have the same value as the pa-* counterparts
-- NOTE(review): the pa-* constants are not defined in this listing; presumably
-- they are the pre-authentication data types of the krb5 module. Confirm the
-- values stay in step if either side is edited.
11 hdb-pw-salt INTEGER ::= 3
12 hdb-afs3-salt INTEGER ::= 10
-- NOTE(review): original file lines 13 to 29 are only partly present in this
-- listing. The three fields below belong to definitions whose header lines are
-- not shown, so their enclosing types cannot be named from here.
15 type[0] INTEGER (0..4294967295),
-- Optional: when absent no master key version is recorded for the value.
20 mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
27 principal[1] Principal OPTIONAL
-- HDBFlags: named bits of a BIT STRING, one bit per capability or restriction.
-- The trailing comment on each bit is the author's description of it.
-- NOTE(review): several bits gate security-sensitive behaviour and are worth
-- auditing per principal: require-preauth(8) and require-hwauth(10) tighten
-- initial authentication, while trusted-for-delegation(14), allow-kerberos4(15)
-- and allow-digest(16) widen what is permitted. How each bit is enforced is
-- not visible in this module; confirm against the KDC code.
-- The closing brace of this definition is missing from the listing.
30 HDBFlags ::= BIT STRING {
31 initial(0), -- require as-req
32 forwardable(1), -- may issue forwardable
33 proxiable(2), -- may issue proxiable
34 renewable(3), -- may issue renewable
35 postdate(4), -- may issue postdatable
36 server(5), -- may be server
37 client(6), -- may be client
38 invalid(7), -- entry is invalid
-- NOTE(review): without pre-authentication an initial reply is presumably
-- issued before the client proves knowledge of its key, which exposes that
-- key to offline guessing. Confirm the default for newly created principals.
39 require-preauth(8), -- must use preauth
40 change-pw(9), -- change password service
41 require-hwauth(10), -- must use hwauth
42 ok-as-delegate(11), -- as in TicketFlags
43 user-to-user(12), -- may use user-to-user auth
44 immutable(13), -- may not be deleted
45 trusted-for-delegation(14), -- Trusted to print forwardable tickets
-- NOTE(review): legacy protocol support; confirm it is set only where needed.
46 allow-kerberos4(15), -- Allow Kerberos 4 requests
47 allow-digest(16) -- Allow digest requests
-- GENERATION: a timestamp, a microsecond part and a generation counter.
-- NOTE(review): presumably used to order or detect changes to an entry; the
-- code that sets and compares these fields is not visible here.
-- The closing brace of this definition is missing from the listing.
50 GENERATION ::= SEQUENCE {
51 time[0] KerberosTime, -- timestamp
52 usec[1] INTEGER (0..4294967295), -- microseconds
53 gen[2] INTEGER (0..4294967295) -- generation number
-- HDB-Ext-PKINIT-acl: a list of records, each with a mandatory subject and
-- optional issuer and anchor, all carried as UTF8String.
-- NOTE(review): presumably these name the certificates allowed to
-- authenticate as the entry via PKINIT. The values are plain strings, so the
-- comparison and normalisation rules live in the consumer; confirm that an
-- entry without issuer or anchor does not match more certificates than intended.
-- The closing brace of this definition is missing from the listing.
56 HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
57 subject[0] UTF8String,
58 issuer[1] UTF8String OPTIONAL,
59 anchor[2] UTF8String OPTIONAL
-- HDB-Ext-PKINIT-hash: a list of (digest algorithm OID, digest value) pairs.
-- NOTE(review): presumably digests of certificates accepted for the entry.
-- The schema accepts any OBJECT IDENTIFIER, so rejecting weak digest
-- algorithms is left to the consumer; confirm that it does.
-- The closing brace of this definition is missing from the listing.
62 HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
63 digest-type[0] OBJECT IDENTIFIER,
64 digest[1] OCTET STRING
-- HDB-Ext-Constrained-delegation-acl: a list of principals.
-- NOTE(review): judging by the name and by the allowed-to-delegate-to field
-- that uses it, these are the targets the entry may delegate to; keep the
-- list as short as possible and review changes to it.
67 HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
-- The referral extension below is commented out and therefore not defined.
69 -- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
-- HDB-Ext-Lan-Manager-OWF: an opaque byte string.
-- NOTE(review): presumably the LAN Manager one-way function of the password,
-- judging by the name. That is a weak legacy hash and password-equivalent
-- material; confirm whether it is protected at rest and avoid storing it
-- unless a consumer still needs it.
71 HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
-- HDB-Ext-Password: judging by its name, an extension that keeps a password
-- with the entry. Only the optional mkvno field is visible; the remaining
-- field(s) and the closing brace are missing from the listing.
-- NOTE(review): presumably a present mkvno means the stored value is protected
-- under that master key version and an absent one means it is not; confirm.
-- Either way this is credential material, so restrict who can read or dump
-- entries that carry it.
73 HDB-Ext-Password ::= SEQUENCE {
74 mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
-- HDB-Ext-Aliases: the names of an entry plus a case-sensitivity switch.
-- Per the author's comment the aliases list includes the primary name.
-- NOTE(review): case-insensitive matching widens the set of names that
-- resolve to this entry; confirm the folding rules used by the lookup code.
-- The closing brace of this definition is missing from the listing.
78 HDB-Ext-Aliases ::= SEQUENCE {
79 case-insensitive[0] BOOLEAN, -- case insensitive name allowed
80 aliases[1] SEQUENCE OF Principal -- all names, inc primary
-- HDB-extension: one optional add-on attached to a database entry, made of a
-- mandatory flag and a tagged payload.
-- NOTE(review): original file lines 87, 88 and 97 to 100 are missing from
-- this listing, including the rest of the comment on mandatory, the line that
-- introduces the tagged payload and the closing braces. Presumably the
-- payload is a CHOICE and an entry with an unknown mandatory extension is
-- to be rejected; confirm both against the full file.
84 HDB-extension ::= SEQUENCE {
85 mandatory[0] BOOLEAN, -- kdc MUST understand this extension,
86 -- if not the whole entry must
-- Tagged payloads. Tag 3 is reserved by the commented-out referral entry.
89 pkinit-acl[0] HDB-Ext-PKINIT-acl,
90 pkinit-cert-hash[1] HDB-Ext-PKINIT-hash,
91 allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl,
92 -- referral-info[3] HDB-Ext-Referrals,
-- lm-owf and password carry credential material (see their type names).
93 lm-owf[4] HDB-Ext-Lan-Manager-OWF,
94 password[5] HDB-Ext-Password,
95 aliases[6] HDB-Ext-Aliases,
96 last-pw-change[7] KerberosTime,
-- HDB-extensions: the list of extensions attached to one entry.
-- The schema places no limit on the length or on repeated extension kinds.
102 HDB-extensions ::= SEQUENCE OF HDB-extension
-- hdb_entry: the record for one principal, holding its name, key version,
-- keys, audit event, time limits, encryption types, generation and extensions.
-- NOTE(review): the fields tagged 3 and 10 and the closing brace are missing
-- from this listing, and the Key and Event types are not defined in the
-- visible lines. The keys field makes the whole record secret material.
105 hdb_entry ::= SEQUENCE {
106 principal[0] Principal OPTIONAL, -- this is optional only
107 -- for compatibility with libkrb5
-- kvno: presumably the key version number of the keys below.
108 kvno[1] INTEGER (0..4294967295),
109 keys[2] SEQUENCE OF Key,
111 modified-by[4] Event OPTIONAL,
-- valid-start, valid-end and pw-end are all optional. Presumably an absent
-- value means no limit, so an entry without them never expires; confirm.
112 valid-start[5] KerberosTime OPTIONAL,
113 valid-end[6] KerberosTime OPTIONAL,
114 pw-end[7] KerberosTime OPTIONAL,
-- max-life and max-renew: unit not stated here, presumably seconds; confirm
-- what an absent value means for ticket lifetime.
115 max-life[8] INTEGER (0..4294967295) OPTIONAL,
116 max-renew[9] INTEGER (0..4294967295) OPTIONAL,
-- etypes: presumably the encryption types accepted for this entry; confirm
-- that weak types are excluded by policy, since the schema allows any value.
118 etypes[11] SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
119 generation[12] GENERATION OPTIONAL,
120 extensions[13] HDB-extensions OPTIONAL
-- hdb_entry_alias: a record tagged APPLICATION 0 that carries only an
-- optional principal.
-- NOTE(review): presumably stored under an alias name and pointing at the
-- real entry; what a reader does when principal is absent is not visible here.
-- The closing brace of this definition is missing from the listing.
123 hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
124 principal[0] Principal OPTIONAL