1 INTERNET-DRAFT Donna Skibbie
2 Kerberos Working Group IBM
3 Intended Category: Standards Track 10 November 2000
8 Kerberos KDC LDAP Schema
9 draft-skibbie-krb-kdc-ldap-schema-00.txt
13 1. Status Of This Memo
15 This document is an Internet-Draft and is in full conformance
16 with all provisions of Section 10 of RFC 2026 [1].
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that
20 other groups may also distribute working documents as Internet-
23 Internet-Drafts are draft documents valid for a maximum of six
24 months and may be updated, replaced, or obsoleted by other
25 documents at any time. It is inappropriate to use Internet-
26 Drafts as reference material or to cite them other than as "work
29 The list of current Internet-Drafts can be accessed at
30 http://www.ietf.org/ietf/1id-abstracts.txt
32 The list of Internet-Draft Shadow Directories can be accessed at
33 http://www.ietf.org/shadow.html.
39 This document defines a schema for storing attributes used by the
40 MIT implementation of Kerberos Version 5 Key Distribution Center
41 (KDC) service in a directory that implements the Lightweight
42 Directory Access Protocol (LDAP) Version 3. The directory must
43 implement the LDAP Version 3 protocol as defined in RFC 2251 [2],
44 RFC 2252 [3], RFC 2253 [4], and RFC 2256 [5]. The schema defined
45 in this document is referred to as the "KDC LDAP schema."
47 The KDC LDAP schema includes definitions for the following
50 * Attributes defining a realm--These attributes map to
51 attributes defined in the KDC.conf file of the MIT
54 * Attributes defining principals--These attributes map to
55 attributes defined in RFC 1510 [6] and the principal and
56 administration databases of the MIT implementation.
58 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
59 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
60 document are to be interpreted as described in RFC 2119 [6].
64 The KDC LDAP schema is designed to meet five objectives. The
65 first objective is to use LDAP schema definitions defined in RFC
66 2252 and RFC 2256. The second objective is to use LDAP schema
67 definitions defined in existing LDAP implementations. The third
68 objective is to provide a way of sharing common security
69 attributes, such as password policy attributes, with non-Kerberos
70 applications. The fourth objective is to provide a way of
71 protecting keys and other sensitive information. The fifth
72 objective is to promote inter-operability between different
73 implementations of the Kerberos KDC.
75 The following figure illustrates the KDC LDAP schema:

[Figure: KDC LDAP schema. The realm entry (object classes KrbRealm,
KrbRealmExt, and KrbPolicy) is referenced n:1 by other entries and
references 1:1 an optional entry carrying KrbPolicy. Optional KrbMstrKey
entries reside below the realm entry; the master key value they describe
can instead be stored at any URL. A principal entry (any entry carrying
KrbPrincipal and KrbPolicy) references an optional entry carrying
KrbPolicy, and KrbLog and KrbKey entries reside below the principal
entry.]
112 The attributes defining a realm are included in the KrbRealm
113 structural object class and the KrbRealmExt auxiliary object
114 class. These attributes must be stored in an entry that is
115 referred to as the "realm entry." The RDN of the realm entry must
116 be "krbRealmName=<realm_name>", where <realm_name> is the name of
117 the realm. The following attributes are required:
119 * krbRealmName--The name of the realm
121 * krbPrincSubTree--The DN of each entry representing a sub-tree
122 under which principals in the realm reside
124 * krbKdcServiceObject--The DN of each entry representing a KDC
125 service in the realm.
127 The following is an example of a realm entry:
129 DN: krbRealmName=PAYROLL, ou=Austin
130 objectclass: KrbRealm
131 krbRealmName: Payroll
132 krbPrincSubTree: cn=users, ou=Austin
133 objectclass: KrbRealmExt
134 krbKdcServiceObject: serviceName=serverA, dc=payroll, ou=Austin
135 krbKdcServiceObject: serviceName=serverB, dc=payroll, ou=Austin
136 <additional KrbRealmExt attributes>
140 3.2 Realm Policy Attributes
142 The attributes defining the policy for the realm are included in
143 the KrbPolicy auxiliary object class. These attributes must be
144 stored in the realm entry, an entry referenced by the
145 krbPolicyObject attribute of the realm entry, or both entries.
146 If the same policy attribute is stored in both entries, the
147 policy attribute in the realm entry takes precedence.
149 The following is an example with the policy attributes configured
152 DN: krbRealmName=PAYROLL, ou=Austin
153 objectclass: KrbRealm
154 objectclass: KrbRealmExt
155 <KrbRealm and KrbRealmExt attributes>
156 objectclass: KrbPolicy
157 <KrbPolicy attributes>
159 The following is an example with the policy attributes configured
160 in a referenced entry:
162 DN: krbRealmName=PAYROLL, ou=Austin
163 objectclass: KrbRealm
164 objectclass: KrbRealmExt
165 <KrbRealm and KrbRealmExt attributes>
166 krbPolicyObject: cn=MyPolicy, ou=Austin
168 DN: cn=MyPolicy, ou=Austin
169 objectclass: PasswordPolicy
170 <PasswordPolicy attributes>
171 objectclass: KrbPolicy
172 <KrbPolicy attributes>
175 3.3 Master Key (KrbMstrKey) Entries (Optional)
177 The schema provides an optional way of configuring master key
178 attributes in LDAP. To use this optional configuration, the
179 krbMstrKeyCfg attributes needs to be configured in the realm
180 entry with the value KRBMSTRKEY.
182 The attributes defining each master key in the realm are included
183 in the KrbMstrKey structural object class. If the realm is
184 configured for KRBMSTRKEY, the master key attributes for each
185 master key must be stored in a master key entry that resides
186 directly below the realm entry. The RDN of this entry must
187 include the string "krbKeyVersion=<version>", where <version> is
188 the version of the master key. The RDN also can include
189 additional strings if this is required to uniquely identify the
190 master key entry (for example, "krbKeyVersion=1
191 krbKdcServiceName=serverA").
193 The following attributes are required:
195 * either the master key value (krbKeyValue) or the URL address
196 where the master key is stored (krbKeyRef)
197 * the encryption type of the master key (krbEncType)
198 * the key version configured in the required RDN (krbKeyVersion)
200 The following is an example of a realm configured for KRBMSTRKEY.
201 In this example, the realm contains one master key entry, which
202 is shared by all the KDC services in the realm. The master key
203 value is stored in a private file accessible by all the KDC
204 services in the realm.
206 DN: krbKeyVersion=1, krbRealmName=PAYROLL, ou=Austin
207 objectclass: KrbMstrKey
210 krbKeyRef: FILE://private/mstrkey
213 3.4 Principal Entries
215 The attributes defining each principal in the realm are included
216 in the KrbPrincipal auxiliary object class. These attributes can
217 be stored in any entry that meets the following requirements:
219 * The entry must reside under a sub-tree listed in the
220 krbPrincSubTree attribute of the entry representing the realm in
221 which the principal will reside
223 * The entry must not already be configured to represent a
226 The entry where the KrbPrincipal attributes are stored is
227 referred to as a "principal entry." A principal entry must
228 contain the krbPrincipalName attribute. This attribute contains
229 the Kerberos identity of the principal in the format
230 "<principal>@<realm>", where <principal> is the name of the
231 principal and <realm> is the name of the realm. The Kerberos
232 principal identity must be unique within the realm.
234 The following is an example of a person entry configured
235 as a principal entry:
237 DN: cn=Alice Smith, cn=users, ou=Austin
240 <additional Person attributes>
241 objectclass: KrbPrincipal
242 krbPrincipalName: alice@PAYROLL
243 <additional KrbPrincipal attributes>
247 3.5 Principals Associated with Other Entries (Optional)
249 The schema provides an optional way of associating a principal
250 entry with another entry through the use of aliases. This
251 association is ignored by the KDC, but can be used by higher-
252 level applications to associate a principal with a target entry
253 and to verify that the target entry accepts this association.
255 There are several reasons why it might be necessary to configure
256 alias associations. One reason is to allow an entry already
257 configured with a principal identity to be associated with other
258 principal identities. Another reason is to allow an entry
259 configured in a remote part of the directory to be associated
260 with a principal identity configured in a local part of the
261 directory. A third reason is to allow an entry configured in a
262 less secure part of the directory to be associated with a
263 principal identity configured in a more secure part of the
266 The association is configured by doing both of the following:
268 * adding the krbAliasedObjectName attribute from the KrbAlias
269 auxiliary object class to the principal entry and configuring
270 krbAliasedObjectName to reference the target entry
272 * adding the krbHintAliases attribute from the KrbAlias auxiliary
273 object class to the target entry and configuring krbHintAliases
274 attribute to reference the principal entry.
276 The following is an example in which the Alice Smith person
277 entry, which already is configured as the principal identity of
278 alice@PAYROLL, is associated with a second principal identity of
281 DN: cn=Alice Smith, cn=users, ou=Austin
284 <additional Person attributes>
285 objectclass: KrbPrincipal
286 krbPrincipalName: alice@PAYROLL
287 <additional KrbPrincipal attributes>
288 objectclass: KrbAlias
289 krbHintAliases: cn=alice@PURCHASING, krbRealmName=PURCHASING,
292 DN: cn=alice@PURCHASING, krbRealmName=PURCHASING, ou=Austin
296 objectclass: KrbPrincipal
297 krbPrincipalName: alice@PURCHASING
298 <additional KrbPrincipal attributes>
299 objectclass: KrbAlias
300 krbAliasedObjectName: cn=Alice Smith, cn=users, ou=Austin
302 The following is an example of an association between a principal
303 entry for bob@PAYROLL and a person entry for Bob Jones that
304 exists in a remote part of the directory:
306 DN: cn=bob@PAYROLL, cn=users, ou=Austin
310 objectclass: KrbPrincipal
311 krbPrincipalName: bob@PAYROLL
312 <additional KrbPrincipal attributes>
313 objectclass: KrbAlias
314 krbAliasedObjectName: cn=Bob Jones, ou=Raleigh
316 DN: cn=Bob Jones, ou=Raleigh
319 <additional Person attributes>
320 objectclass: KrbAlias
321 krbHintAliases: cn=bob@PAYROLL, cn=users, ou=Austin
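The draft says a higher-level application may use the two references to verify that the target entry accepts the association. The following is an added example (not part of the draft) of that check: the forward reference in krbAliasedObjectName counts as accepted only when the target entry's krbHintAliases points back at the principal entry. The in-memory directory is constructed from the Bob Jones example above; the third entry (carol@PAYROLL) is a constructed counter-example.

```python
# Added example, not part of the draft: application-side verification of
# the alias association described in Section 3.5. The forward reference
# (krbAliasedObjectName) is accepted only if the target entry's backward
# reference (krbHintAliases) names the principal entry. The directory is
# constructed in memory from the draft's Bob Jones example plus one
# constructed counter-example.


def normalize_dn(dn):
    """Comparison key for a DN: strip whitespace around RDNs, fold case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lookup(directory, dn):
    """Find an entry by DN, tolerating spacing and case differences."""
    key = normalize_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == key:
            return attrs
    return None


DIRECTORY = {
    "cn=bob@PAYROLL, cn=users, ou=Austin": {
        "objectclass": ["KrbPrincipal", "KrbAlias"],
        "krbPrincipalName": ["bob@PAYROLL"],
        "krbAliasedObjectName": ["cn=Bob Jones, ou=Raleigh"],
    },
    "cn=Bob Jones, ou=Raleigh": {
        "objectclass": ["Person", "KrbAlias"],
        "krbHintAliases": ["cn=bob@PAYROLL, cn=users, ou=Austin"],
    },
    # Constructed: a principal entry that names Bob Jones as its target,
    # but Bob Jones carries no matching backward reference for it.
    "cn=carol@PAYROLL, cn=users, ou=Austin": {
        "objectclass": ["KrbPrincipal", "KrbAlias"],
        "krbPrincipalName": ["carol@PAYROLL"],
        "krbAliasedObjectName": ["cn=Bob Jones, ou=Raleigh"],
    },
}


def check_alias_associations(directory, principal_dn):
    """Map each target DN named by krbAliasedObjectName to True when the
    target's krbHintAliases points back at principal_dn, False when it
    does not, and None when the target entry does not exist."""
    principal = lookup(directory, principal_dn)
    if principal is None or "KrbAlias" not in principal.get("objectclass", []):
        return {}
    me = normalize_dn(principal_dn)
    result = {}
    for target_dn in principal.get("krbAliasedObjectName", []):
        target = lookup(directory, target_dn)
        if target is None:
            result[target_dn] = None
            continue
        hints = {normalize_dn(h) for h in target.get("krbHintAliases", [])}
        result[target_dn] = me in hints
    return result


if __name__ == "__main__":
    for dn in ("cn=bob@PAYROLL, cn=users, ou=Austin",
               "cn=carol@PAYROLL, cn=users, ou=Austin"):
        print(dn, "->", check_alias_associations(DIRECTORY, dn))
```

The check is deliberately one-directional from the principal entry: an application that only followed krbHintAliases from the target would let any entry that can write the target's krbHintAliases attribute claim a principal, whereas requiring both references means an attacker would need write access to both entries.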
324 3.6 Principal Policy Attributes
326 The attributes defining the policy for the principal are included
327 in the KrbPolicy auxiliary object class. These attributes must
328 be stored in the principal entry, an entry referenced by the
329 krbPolicyObject of the principal entry, or both entries. If the
330 same policy attribute is stored in both entries, the policy
331 attribute in the principal entry takes precedence.
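Sections 3.2 and 3.6 state the same resolution rule for realm and principal policy: attributes may sit in the entry itself, in the entry named by krbPolicyObject, or in both, and the entry's own value wins on conflict. The following added example (not part of the draft) resolves the effective policy for either kind of entry and records where each value came from, which is what an auditor needs when a weak setting in a shared policy entry is being shadowed. The set of attribute names treated as KrbPolicy attributes and the directory contents are constructed assumptions; the draft's list of KrbPolicy attributes is not on this page, and the example does not merge realm policy into principal policy because the draft does not state such inheritance.

```python
# Added example, not part of the draft: resolve the effective policy for
# a realm entry (Section 3.2) or a principal entry (Section 3.6). The
# policy attribute names and the directory are constructed for the example.


def normalize_dn(dn):
    """Comparison key for a DN: strip whitespace around RDNs, fold case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lookup(directory, dn):
    """Find an entry by DN, tolerating spacing and case differences."""
    key = normalize_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == key:
            return attrs
    return None


# Assumed KrbPolicy attribute set; the names are the Netscape password
# policy attributes that the schema reuses (Section 5.2).
POLICY_ATTRIBUTES = ("passwordMaxAge", "passwordMinAge", "passwordMinLength")

DIRECTORY = {
    "krbRealmName=PAYROLL, ou=Austin": {
        "objectclass": ["KrbRealm", "KrbRealmExt", "KrbPolicy"],
        "krbRealmName": ["PAYROLL"],
        "krbPolicyObject": ["cn=MyPolicy, ou=Austin"],
        "passwordMaxAge": ["7776000"],     # 90 days; shadows MyPolicy
    },
    "cn=MyPolicy, ou=Austin": {
        "objectclass": ["PasswordPolicy", "KrbPolicy"],
        "passwordMaxAge": ["15552000"],    # 180 days; overridden above
        "passwordMinAge": ["86400"],
        "passwordMinLength": ["8"],
    },
    "cn=Alice Smith, cn=users, ou=Austin": {
        "objectclass": ["Person", "KrbPrincipal", "KrbPolicy"],
        "krbPrincipalName": ["alice@PAYROLL"],
        "passwordMinLength": ["12"],       # no krbPolicyObject here
    },
}


def effective_policy(directory, entry_dn):
    """Return {attribute: (value, source_dn)} for the policy that applies
    to entry_dn. Values stored in the entry itself take precedence over
    values stored in the entry referenced by krbPolicyObject."""
    entry = lookup(directory, entry_dn)
    if entry is None:
        raise KeyError("no such entry: %s" % entry_dn)
    policy = {}
    # Load the referenced entry first so the entry's own values overwrite it.
    for ref_dn in entry.get("krbPolicyObject", [])[:1]:
        ref = lookup(directory, ref_dn)
        if ref is None:
            raise KeyError("krbPolicyObject %s does not exist" % ref_dn)
        for attr in POLICY_ATTRIBUTES:
            if ref.get(attr):
                policy[attr] = (ref[attr][0], ref_dn)
    for attr in POLICY_ATTRIBUTES:
        if entry.get(attr):
            policy[attr] = (entry[attr][0], entry_dn)
    return policy


if __name__ == "__main__":
    for dn in ("krbRealmName=PAYROLL, ou=Austin",
               "cn=Alice Smith, cn=users, ou=Austin"):
        for attr, (value, source) in sorted(effective_policy(DIRECTORY, dn).items()):
            print("%s: %s = %s (from %s)" % (dn, attr, value, source))
```

A dangling krbPolicyObject is treated as an error rather than silently yielding an empty policy, since a KDC that falls back to "no policy" when the referenced entry is missing would weaken enforcement without any visible failure.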
335 3.7 Principal Key (KrbKey) Entries (Optional)
337 The attributes defining each secret key associated with a
338 principal are included in the KrbKey structural object class. If
339 a principal uses the default method of storing secret keys, the
340 attributes defining each secret key associated with the principal
341 must be stored in a KrbKey entry that resides directly under the
342 principal entry. The RDN of this entry must include the string
343 "krbKeyVersion=<version>", where <version> is the version of the
344 key. The RDN also can include additional strings if this is
345 required to uniquely identify the KrbKey entry (for example,
346 "krbKeyVersion=1, krbEncType=1, krbSaltType=0").
348 The following attributes are required:
350 * the version of the key included in the required RDN
353 * the key value (krbKeyValue), which must be encrypted with a
356 * the encryption type of the key (krbEncType)
358 * the version of the master key used to encrypt the key value
361 The creator of a KrbKey entry must be a trusted DN (a DN that is
362 listed in either the krbKdcServiceObject, krbPwdServiceObject or
363 krbTrustedAdmObject attribute of the realm entry). The trusted
364 DN is responsible for doing the following:
366 1. Get a secret password or a sequence of secret keys from the
369 2. If a secret password is supplied, use a string-to-key
370 algorithm to generate a secret key for each supported key type.
371 The string-to-key algorithm must be consistent with the string-
372 to-key algorithm described in RFC 1510, taking into consideration
373 the salt type of the key type.
375 3. If a sequence of secret keys is supplied, verify that each
376 key type is supported.
378 4. Encrypt each secret key with each master key that is of the
379 same encryption type (or have one or more KDC services do this).
381 5. Create a KrbKey entry for each encrypted secret key. Store
382 the encrypted secret key in the KrbKey entry along with
383 information required to generate the encrypted secret key from a
386 As an alternative to the default method of storing secret keys, a
387 principal can be configured to use a USERPASSWORD or PROPRIETARY
388 method of storing secret keys. This is configured by adding the
389 krbSecretKeyCfg attribute to the principal entry and configuring
390 this attribute with a value of USERPASSWORD or PROPRIETARY. If a
391 principal is configured for USERPASSWORD, the secret key of the
392 principal is the password of the principal and this password is
393 stored in the userPassword attribute of the principal entry.
394 If the principal is configured for PROPRIETARY, the secret key or
395 keys of the principal are stored in a proprietary database not
396 defined in the KDC LDAP schema.
398 The following is an example of a configuration that uses the
399 default method of storing secret keys. In this example, four
400 KrbKey entries are configured for a single principal, each having
401 a different set of encryption and salt types:
403 DN: krbEncType=1 krbSaltType=0, cn=Alice Smith, cn=users,
409 krbKeyValue: <encrypted key>
411 krbSaltValue: <salt value>
413 DN: krbEncType=1 krbSaltType=1, cn=Alice Smith, cn=users,
419 krbKeyValue: <encrypted key>
421 krbSaltValue: <salt value>
423 DN: krbEncType=5 krbSaltType=0, cn=Alice Smith, cn=users,
429 krbKeyValue: <encrypted key>
431 krbSaltValue: <salt value>
433 DN: krbEncType=5 krbSaltType=1, cn=Alice Smith, cn=users,
439 krbKeyValue: <encrypted key>
441 krbSaltValue: <salt value>
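Section 3.7 gives four structural rules for a KrbKey entry: it resides directly below the principal entry, its RDN carries krbKeyVersion=<version>, the required attributes are present, and its creator is a trusted DN listed in the realm entry's krbKdcServiceObject, krbPwdServiceObject or krbTrustedAdmObject attribute. The following added example (not part of the draft) checks all four against constructed entries, reading the creator from the LDAP operational attribute creatorsName as the KrbKey object class description in Section 6 does. The multi-valued RDN uses the RFC 2253 "+" separator, which is an assumption, since the draft's own example writes the components with commas.

```python
# Added example, not part of the draft: validate a KrbKey entry against
# the placement, RDN, required-attribute and trusted-creator rules of
# Section 3.7. All entries below are constructed; the key value is a
# placeholder, not a real encrypted key.


def normalize_dn(dn):
    """Comparison key for a DN: strip whitespace around RDNs, fold case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lookup(directory, dn):
    """Find an entry by DN, tolerating spacing and case differences."""
    key = normalize_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == key:
            return attrs
    return None


def rdn_of(dn):
    """First RDN of a DN (assumes no escaped commas)."""
    return dn.split(",", 1)[0].strip()


def parent_of(dn):
    """DN of the parent entry (assumes no escaped commas)."""
    return dn.split(",", 1)[1].strip()


def rdn_values(rdn):
    """'krbKeyVersion=1+krbEncType=1' -> {'krbkeyversion': '1', ...}
    (RFC 2253 multi-valued RDN, assumed here)."""
    out = {}
    for ava in rdn.split("+"):
        name, _, value = ava.partition("=")
        out[name.strip().lower()] = value.strip()
    return out


TRUSTED_ATTRS = ("krbKdcServiceObject", "krbPwdServiceObject",
                 "krbTrustedAdmObject")
REQUIRED_ATTRS = ("krbKeyVersion", "krbKeyValue", "krbEncType",
                  "krbMstrKeyVersion")

REALM_DN = "krbRealmName=PAYROLL, ou=Austin"
PRINCIPAL_DN = "cn=Alice Smith, cn=users, ou=Austin"
GOOD_KEY_DN = "krbKeyVersion=1+krbEncType=1+krbSaltType=0, " + PRINCIPAL_DN
BAD_KEY_DN = "krbEncType=1, cn=users, ou=Austin"   # constructed bad entry

DIRECTORY = {
    REALM_DN: {
        "objectclass": ["KrbRealm", "KrbRealmExt"],
        "krbRealmName": ["PAYROLL"],
        "krbKdcServiceObject": ["serviceName=serverA, dc=payroll, ou=Austin",
                                "serviceName=serverB, dc=payroll, ou=Austin"],
        "krbTrustedAdmObject": ["cn=kadmin tool, ou=Austin"],
    },
    GOOD_KEY_DN: {
        "objectclass": ["KrbKey"],
        "krbKeyVersion": ["1"],
        "krbEncType": ["1"],
        "krbSaltType": ["0"],
        "krbKeyValue": ["<encrypted key>"],
        "krbMstrKeyVersion": ["1"],
        "creatorsName": ["serviceName=serverA, dc=payroll, ou=Austin"],
    },
    BAD_KEY_DN: {
        "objectclass": ["KrbKey"],
        "krbEncType": ["1"],
        "krbKeyValue": ["<encrypted key>"],
        "creatorsName": [PRINCIPAL_DN],   # the principal itself, not trusted
    },
}


def validate_krbkey_entry(directory, realm_dn, principal_dn, key_dn):
    """Return a list of problem codes; an empty list means the entry
    satisfies the Section 3.7 rules checked here."""
    realm = lookup(directory, realm_dn)
    key = lookup(directory, key_dn)
    if realm is None or key is None:
        return ["missing-entry"]
    problems = []
    if normalize_dn(parent_of(key_dn)) != normalize_dn(principal_dn):
        problems.append("not-directly-below-principal")
    rdn = rdn_values(rdn_of(key_dn))
    if "krbkeyversion" not in rdn:
        problems.append("rdn-lacks-krbKeyVersion")
    elif key.get("krbKeyVersion", [None])[0] != rdn["krbkeyversion"]:
        problems.append("rdn-version-mismatch")
    for attr in REQUIRED_ATTRS:
        if not key.get(attr):
            problems.append("missing-" + attr)
    trusted = {normalize_dn(d) for a in TRUSTED_ATTRS for d in realm.get(a, [])}
    creator = key.get("creatorsName", [""])[0]
    if normalize_dn(creator) not in trusted:
        problems.append("untrusted-creator")
    return problems


if __name__ == "__main__":
    for dn in (GOOD_KEY_DN, BAD_KEY_DN):
        print(dn, "->", validate_krbkey_entry(DIRECTORY, REALM_DN, PRINCIPAL_DN, dn))
```

The creator check is the one that matters most operationally: a KDC that loads KrbKey entries without confirming creatorsName against the realm's trusted lists would accept a key written by anyone with write access to the principal's subtree, which is exactly the condition the draft's trusted-DN rule is meant to exclude.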
444 3.8 Principal Log (KrbLog) Entries
446 The attributes defining a login activity record for a principal
447 are included in the KrbLog structural object class. These
448 attributes must be stored in the KrbLog entry that resides
449 directly below the principal entry. The RDN of this entry must
450 be "cn=KrbLog". The creator of this entry must be a DN that
451 represents a KDC service in the realm (a DN listed in the
452 krbKdcServiceObject attribute of the realm entry).
454 The following is an example of a KrbLog entry.
456 DN: cn=KrbLog, cn=Alice Smith, cn=users, ou=Austin
464 The KDC LDAP schema uses the following syntaxes in attribute type
467 * Syntaxes listed in RFC 2252
469 * The interval syntax
471 The interval syntax is defined in the Microsoft Active Directory
472 schema. The definition is as follows:
475 1.2.840.113556.1.4.906
477 DESC 'Large integer. Use for 64-bit values.'
484 The KDC LDAP schema uses the attribute types listed in this
485 section and RFC 2256.
489 5.1 New Attribute Types
494 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
496 DESC 'The location of an ACL database for a Kerberos
497 administration service. The location must be specified in
498 URL format, for example FILE://path/filename.'
503 krbAdmKeyLocation-oid
504 NAME 'krbAdmKeyLocation'
505 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
507 DESC 'The location of a keytab file containing the key used by
508 the Kerberos administration services. The location must be
509 specified in URL format, for example FILE://path/filename.'
514 krbAdmServiceObject-oid
515 NAME 'krbAdmServiceObject'
516 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
517 DESC 'A set of references to entries, with each entry
518 representing a Kerberos administration service in the realm.'
523 krbAliasedObjectName-oid
524 NAME 'krbAliasedObjectName'
525 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
527 DESC 'Forward reference to the entry for which this entry is an
528 alias.' EQUALITY dnMatch
534 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
536 DESC 'A value containing one or more flags. The following flags
538 KRB5_KDB_NEW_PRINC = 0x00008000
539 KRB5_KDB_PWCHANGE_SERVICE = 0x00002000
540 KRB5_KDB_REQUIRES_HW_AUTH = 0x00000100
541 KRB5_KDB_REQUIRES_PWCHANGE = 0x00000200
542 KRB5_KDB_SUPPORT_DESMD5 = 0x00004000
543 KRB5_KDB_DISALLOW_DUP_SKEY = 0x00000020
544 KRB5_KDB_DISALLOW_POSTDATED = 0x00000001
545 KRB5_KDB_DISALLOW_PROXIABLE = 0x00000010
546 KRB5_KDB_DISALLOW_RENEWABLE = 0x00000008
547 KRB5_KDB_DISALLOW_TGT_BASED = 0x00000004
548 USER_TO_USER = 0x00010000
549 KRB5_KDB_DISALLOW_SVR = 0x00001000'
554 NAME 'krbCreatorsName'
555 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
557 DESC 'The identity that first added KrbPrincipal attributes to a
558 principal entry. It is the responsibility of this identity to
559 add the krbCreatorsName attribute to the principal entry. If a
560 principal entry does not contain a krbCreatorsName attribute, the
561 LDAP system-controlled creatorsName attribute is assumed to
562 contain the correct creator identity.'
567 krbCreateTimestamp-oid
568 NAME 'krbCreateTimestamp'
569 SYNTAX 1.2.840.113556.1.4.906 (interval)
570 DESC 'The date and time when the identity stored in the
571 krbCreatorsName attribute first added the KrbPrincipal attributes
572 to a principal entry. It is the responsibility of the identity
573 named in the krbCreatorsName attribute to add the
574 krbCreateTimestamp attribute to the principal entry. '
579 NAME 'krbCurKeyVersion'
580 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 (IA5String)
581 DESC 'A set of values indicating the current key version for each
582 key type of a KrbKey entry generated for a Kerberos principal.
583 Each value must have one of the following formats:
586 where "vvyy" is four numeric characters indicating the current
587 version of the key, "ee" is two numeric characters indicating the
588 encryption type that was used to generate the key, and "ss" is
589 two numeric characters indicating the salt type that was used to
590 generate the key. ("ss" is omitted if the key was generated
591 without a salt. See krbEncType for a list of supported
592 encryption type values and krbSaltType for a list of supported
593 salt type values.) For example, "000201" indicates that 2 is
594 the current version of a key that was generated for a principal using
595 DES encryption and no salt. As another example, "00010500"
596 indicates that 1 is the current version of a key that was
597 generated for a principal using triple DES encryption and a
598 normal salt type value.'
604 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
606 DESC 'A value defining the encryption type of a secret key.
609 ENCTYPE_DES_CBC_CRC 0x0001 (DES cbc mode with CRC-32)
610 ENCTYPE_DES_CBC_MD4 0x0002 (DES cbc mode with RSA-MD4)
611 ENCTYPE_DES_CBC_MD5 0x0003 (DES cbc mode with RSA-MD5)
612 ENCTYPE_DES_CBC_RAW 0x0004 (DES cbc mode raw)
613 ENCTYPE_DES3_CBC_SHA 0x0005 (DES-3 cbc mode with NIST-SHA)
614 ENCTYPE_DES3_CBC_RAW 0x0006 (DES-3 cbc mode raw)
615 ENCTYPE_RSA_PRIVKEY 0x00010000 (RSA private key; required for
617 ENCTYPE_UNKNOWN 0x00020000'
621 krbEncTypeSupport-oid
622 NAME 'krbEncTypeSupport'
623 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
624 DESC 'A set of supported encryption type values. See krbEncType
625 for encryption type values.'
631 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 (IA5String)
633 DESC 'Extra data that is associated with a Kerberos principal and
634 that has an application-specific meaning. This attribute is
635 provided to support the Kerberos kadmin APIs.'
636 EQUALITY caseExactMatch
641 NAME 'krbHintAliases'
642 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
643 DESC 'A set of backward references to entries that can serve as
644 aliases for this entry.'
649 krbKdcServiceName-oid
650 NAME 'krbKdcServiceName'
651 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (directory string)
653 DESC 'Name of a KDC service.'
654 EQUALITY caseExactMatch
658 krbKdcServiceObject-oid
659 NAME 'krbKdcServiceObject'
660 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
661 DESC 'A set of references to entries, with each entry
662 representing a KDC service in the realm.'
669 SYNTAX 1.2.840.113556.1.4.906 (interval)
671 DESC 'A value indicating the date and time when a key expires.
677 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (directory string)
679 DESC 'Name of a secret key.'
680 EQUALITY caseExactMatch
686 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
688 DESC 'Location (specified in URL format) of a master key.'
695 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 (IA5String)
696 DESC 'A set of Kerberos key types. Each key type is specified in
698 of the following formats:
701 where "ee" is two numeric characters indicating the encryption
702 type of the key, and "ss" is two numeric characters indicating
703 the salt type of the key. ("ss" is omitted if the key type
704 specifies a key generated without a salt. See krbEncType for a
705 list of supported encryption type values and krbSaltType for a
706 list of supported salt type values.) For example, "01"
707 indicates a key that is generated with DES encryption and no
708 salt. As another example, "0500" indicates a key that is
709 generated using triple DES encryption and a normal salt type
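The krbCurKeyVersion "vvyyeess" format and the krbKeyTypes "eess" format share the same two-character encryption-type and optional salt-type fields. The following added example (not part of the draft) parses and formats both, validates the codes against the krbEncType and krbSaltType lists, and selects the current version for one key type out of a multi-valued krbCurKeyVersion attribute. Reading the two-character fields as decimal is an assumption; the draft's own examples ("01", "05", "0500") read the same either way.

```python
# Added example, not part of the draft: parser and formatter for the
# fixed-width key-type strings used by krbKeyTypes ("eess" or "ee") and
# krbCurKeyVersion ("vvyyeess" or "vvyyee"). Codes are from the krbEncType
# and krbSaltType definitions; decimal interpretation is assumed.

ENCTYPES = {
    1: "ENCTYPE_DES_CBC_CRC",
    2: "ENCTYPE_DES_CBC_MD4",
    3: "ENCTYPE_DES_CBC_MD5",
    4: "ENCTYPE_DES_CBC_RAW",
    5: "ENCTYPE_DES3_CBC_SHA",
    6: "ENCTYPE_DES3_CBC_RAW",
}

SALTTYPES = {
    0: "KRB5_KDB_SALTTYPE_NORMAL",
    1: "KRB5_KDB_SALTTYPE_V4",
    2: "KRB5_KDB_SALTTYPE_NOREALM",
    3: "KRB5_KDB_SALTTYPE_ONLYREALM",
    4: "KRB5_KDB_SALTTYPE_SPECIAL",
    5: "KRB5_KDB_SALTTYPE_AFS3",
}


def parse_key_type(value):
    """'eess' or 'ee' -> (enctype, salttype or None when no salt)."""
    if not value.isdigit() or len(value) not in (2, 4):
        raise ValueError("key type must be 'ee' or 'eess', got %r" % value)
    enc = int(value[:2])
    salt = int(value[2:]) if len(value) == 4 else None
    if enc not in ENCTYPES:
        raise ValueError("unknown encryption type %d" % enc)
    if salt is not None and salt not in SALTTYPES:
        raise ValueError("unknown salt type %d" % salt)
    return enc, salt


def parse_cur_key_version(value):
    """'vvyyeess' or 'vvyyee' -> (version, enctype, salttype or None)."""
    if not value.isdigit() or len(value) not in (6, 8):
        raise ValueError("expected 'vvyyeess' or 'vvyyee', got %r" % value)
    version = int(value[:4])
    enc, salt = parse_key_type(value[4:])
    return version, enc, salt


def format_cur_key_version(version, enc, salt=None):
    """Inverse of parse_cur_key_version; rejects values that do not fit
    the fixed-width fields."""
    if not 0 <= version <= 9999 or enc not in ENCTYPES:
        raise ValueError("version or encryption type out of range")
    if salt is not None and salt not in SALTTYPES:
        raise ValueError("unknown salt type %d" % salt)
    out = "%04d%02d" % (version, enc)
    if salt is not None:
        out += "%02d" % salt
    return out


def current_version(values, enc, salt=None):
    """Pick the current key version for one key type from the multi-valued
    krbCurKeyVersion attribute; None if that key type has no value."""
    for value in values:
        version, e, s = parse_cur_key_version(value)
        if (e, s) == (enc, salt):
            return version
    return None


if __name__ == "__main__":
    # The two examples given in the krbCurKeyVersion description.
    for v in ("000201", "00010500"):
        version, enc, salt = parse_cur_key_version(v)
        print(v, "->", version, ENCTYPES[enc],
              SALTTYPES[salt] if salt is not None else "no salt")
```

Because the fields are fixed width, a value such as "0002" with a missing salt is ambiguous only if the lengths are not enforced; the parser rejects anything that is not exactly 6 or 8 digits rather than guessing.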
716 SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 (binary)
718 DESC 'Value of a secret key.'
719 EQUALITY caseExactMatch
725 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
727 DESC 'Version of a secret key; a monotonically increasing number
733 NAME 'krbModifiersName'
734 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
736 DESC 'The last modifier of any KDC attribute associated with a
737 principal entry. It is the responsibility of the identity that
738 modifies any attributes associated with a principal entry to add
739 or update the krbModifiersName attribute. If a principal entry
740 does not contain a krbModifiersName attribute, the LDAP system-
741 controlled modifiersName attribute of this entry is used to get
742 the identity that last modified the principal entry.'
747 krbModifyTimestamp-oid
748 NAME 'krbModifyTimestamp'
749 SYNTAX 1.2.840.113556.1.4.906 (interval)
751 DESC 'The date and time when the identity specified in the
752 krbModifiersName attribute made the last modification. It is the
753 responsibility of the identity that made the modification to add
754 or update the krbModifyTimestamp attribute. '
760 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
762 DESC 'One of the following values indicating where master key
763 attributes are stored:
764 1 = KRBMSTRKEY--master key attributes are stored in master key
765 entries as defined in the KDC LDAP schema
766 2 = PROPRIETARY (default)--master key attributes are stored in a
767 proprietary database'
771 krbMstrKeyVersion-oid
772 NAME 'krbMstrKeyVersion'
773 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
775 DESC 'Version of a master key that was used to encrypt the secret
780 krbMultKeyVersionsOK-oid
781 NAME 'krbMultKeyVersionsOK'
782 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 (boolean)
784 DESC 'True if multiple versions of a key for each encryption type
785 can be stored for this account.'
789 krbNextKeyVersion-oid
790 NAME 'krbNextKeyVersion'
791 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
793 DESC 'Next version of a secret key.'
798 NAME 'krbPolicyObject'
799 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
801 DESC 'Forward reference to an entry containing policy
808 NAME 'krbPrincipalName'
809 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (directory string)
811 DESC 'Kerberos principal identity for a user in the form
812 <principal>@<realm>.'
813 EQUALITY caseExactMatch
818 NAME 'krbPrincipalType'
819 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
821 DESC 'Value defining the type of a principal. The available
822 principal type values are:
824 1 = KRB5_NT_PRINCIPAL
833 NAME 'krbPrincSubTree'
834 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
835 DESC 'A set of forward references to an entry that starts a sub-
836 tree where principals in the realm are configured.'
841 krbPwdServiceObject-oid
842 NAME 'krbPwdServiceObject'
843 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
844 DESC 'A set of references to entries, with each entry
845 representing a password service in the realm.'
852 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (directory string)
854 DESC 'Name of a security realm.'
855 EQUALITY caseExactMatch
859 krbRedundancyPolicy-oid
860 NAME 'krbRedundancyPolicy'
861 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
863 DESC 'One of the following values, which indicates which set of
864 attributes to use for those attributes that have the same logical
866 01 -- Use the set of attributes from the Netscape or IBM/Tivoli
868 02 -- Use the set of attributes from the Microsoft schema. The
869 following table lists the sets of attributes that have the same
870 logical meanings and the schemas in which these attributes are
defined:

   Netscape or IBM/Tivoli     Microsoft
   ----------------------     --------------------------------------
   passwordExpireTime         computed from pwdLastSet and maxPwdAge
   passwordMaxAge             maxPwdAge
   passwordMinAge             minPwdAge
   passwordMinLength          minPwdLength
   secAcctExpires             accountExpires
   secAcctValid               userAccountControl (!ACCOUNT_DISABLE)
889 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
891 DESC 'A value indicating the type of an associated salt value.
892 This indicates how the salt value is determined. The available
895 KRB5_KDB_SALTTYPE_NORMAL = 0
896 KRB5_KDB_SALTTYPE_V4 = 1
897 KRB5_KDB_SALTTYPE_NOREALM = 2
898 KRB5_KDB_SALTTYPE_ONLYREALM = 3
899 KRB5_KDB_SALTTYPE_SPECIAL = 4
900 KRB5_KDB_SALTTYPE_AFS3 = 5'
904 krbSaltTypeSupport-oid
905 NAME 'krbSaltTypeSupport'
906 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
907 DESC 'Set of values defining the supported salt types.'
913 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 (IA5String)
915 DESC 'Value of a salt. A salt is used as a seed or offset to the
916 algorithm used to generate a key from a password.'
917 EQUALITY caseExactMatch
922 NAME 'krbSecretKeyCfg'
923 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
925 DESC 'One of the following values indicating where the secret key
926 for a Kerberos principal is configured:
927 1 = KRBKEY (default) -- The secret key is stored in one or more
928 KrbKey entries residing below the principal entry.
929 2 = USERPASSWORD -- The secret key is stored in the userPassword
930 attribute of the entry representing the principal entry.
931 3 = PROPRIETARY -- The secret key is stored in a proprietary
936 krbTaggedDataList-oid
937 NAME 'krbTaggedDataList'
938 SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 (binary)
939 DESC 'Set of tagged data structures that is associated with a
940 Kerberos principal and that is defined by a Kerberos kadmin
941 application. This attribute is provided to support the Kerberos
946 krbTrustedAdmObject-oid
947 NAME 'krbTrustedAdmObject'
948 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 (DN)
949 DESC 'A set of trusted administration tools. '
955 5.2 Attribute Types Defined in the Netscape Schema
959 NAME 'passwordDictFiles'
960 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (directory string)
961 DESC 'Password dictionary files.'
962 EQUALITY caseExactMatch
967 NAME 'passwordExpireTime'
968 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 (generalizedTime)
969 DESC 'Defines, in YYYYMMDDHHMMSS format, the date and time when
970 a user password expires.'
974 2.16.840.1.113730.3.1.97
975 NAME 'passwordMaxAge'
976 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
977 DESC 'Specifies, in seconds, the period of time passwords can be
978 used before they expire.'
983 NAME 'passwordMinAge'
984 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
985 DESC 'Specifies, in seconds, the period of time a password must
986 be in effect before a user can change it.'
991 NAME 'passwordMinDiffChars'
992 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
993 DESC 'Specifies the minimum number of different (unique)
994 characters required for a user's password.'
998 2.16.840.1.113730.3.1.99
999 NAME 'passwordMinLength'
1000 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
1001 DESC 'Specifies the minimum number of characters required for a
1007 5.3 Attribute Types Defined in the Microsoft Active Directory
1011 1.2.840.113556.1.4.159
1012 NAME 'accountExpires'
1013 SYNTAX 1.2.840.113556.1.4.906 (interval)
1015 DESC 'Value used to compute date and time when account will
1020 1.2.840.113556.1.4.49
1021 NAME 'badPasswordTime'
1022 SYNTAX 1.2.840.113556.1.4.906 (interval)
1024 DESC 'Value used to compute date and time of last unsuccessful
1029 1.2.840.113556.1.4.12
1031 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
1033 DESC 'Number of unsuccessful attempts to authenticate with this
1038 1.2.840.113556.1.4.52
1040 SYNTAX 1.2.840.113556.1.4.906 (interval)
1042 DESC 'A value used to compute date and time of last successful
1047 1.2.840.113556.1.4.95
1048 NAME 'pwdHistoryLength'
1049 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
1051 DESC 'Number of previous versions of passwords that are stored'
1055 1.2.840.113556.1.4.96
1057 SYNTAX 1.2.840.113556.1.4.906 (interval)
1059 DESC 'A value defining the date and time when the password was
1064 1.2.840.113556.1.4.74
1066 SYNTAX 1.2.840.113556.1.4.906 (interval)
1068 DESC 'A value defining the maximum age of a password.'
1072 1.2.840.113556.1.4.75
1074 SYNTAX 1.2.840.113556.1.4.906 (interval)
1076 DESC 'Value defining the maximum renewable lifetime of a ticket.'
1080 1.2.840.113556.1.4.77
1082 SYNTAX 1.2.840.113556.1.4.906 (interval)
1084 DESC 'Value defining the maximum lifetime of a user ticket.'
1088 1.2.840.113556.1.4.78
1090 SYNTAX 1.2.840.113556.1.4.906 (interval)
1092 DESC 'Value used to compute minimum lifetime of a password.'
1096 1.2.840.113556.1.4.79
1098 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
1100 DESC 'Value defining the minimum length of a password.'
1104 1.2.840.113556.1.4.8
1105 NAME 'userAccountControl'
1106 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (integer)
1108 DESC 'A value containing one or more attributes that apply to an
1109 account. Each attribute is set with a flag. The following flags,
1110 which are defined in the Microsoft lmaccess.h file, are used in
1111 the KDC LDAP schema:
1112 UF_ACCOUNT_DISABLE = 0x0001
1113 UF_DONT_EXPIRE_PASSWD = 0x10000
1114 UF_TRUSTED_FOR_DELEGATION = 0x80000
1115 UF_USE_DES_KEY_ONLY = 0x200000
1116 UF_DONT_REQUIRE_PREAUTH = 0x400000'
1121 5.4 Attribute Types Defined in the IBM/Tivoli Schema
1124 1.3.6.1.4.1.4228.1.12
1125 NAME 'secAcctExpires'
1127 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 (generalizedTime)
1132 1.3.6.1.4.1.4228.1.4
1135 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 (boolean)
The KDC LDAP schema uses the object classes listed in this

DESC 'An auxiliary object class for use in configuring an
association between an entry containing security identity
information and another entry. The krbAliasedObjectName is
configured in the entry with a security identity information and
contains a forward reference to a target entry. The
krbHintAliases attribute is configured in the target entry and
contains a backward reference to the entry with the security
identity information. Kerberos ignores the forward and backward
references. However, higher level applications can use these
references to associate a security identity with a target entry
and then verify that the target entry allows this association.
For example, a higher level application can use the forward
reference to associate an entry representing a Kerberos principal
with an entry representing a person, and then use the backward
reference to determine whether the entry representing the person
allows this association.'
MAY (krbAliasedObjectName krbHintAliases)
DESC 'A structural object class for use in configuring an entry
to represent a Kerberos key for an associated Kerberos principal.
The entry representing the Kerberos key must reside directly
below the entry representing the associated Kerberos principal
and must have a creator identity that is either a KDC service in
the realm, a Kerberos password administration service that is
trusted in the realm, or an LDAP administrator or administration
tool that is trusted in the realm. (The DN recorded by LDAP in
the creatorsName attribute of the entry representing the Kerberos
key must be listed in the krbKdcServiceObject,
krbPwdServiceObject, or krbTrustedAdmObject attribute of the
entry representing the realm.) The relationship between the
entry representing the Kerberos key and the entry representing
the associated Kerberos principal is many-to-one. This is
because multiple Kerberos keys can be created for a single
principal with each key having a different version number,
encryption type, salt type, or KDC service identity. The RDN of
the entry representing the Kerberos key must contain a string
that indicates the contents of the krbKeyVersion attribute for
that entry (for example, "krbKeyVersion=1"). If the contents of
additional attributes are required to uniquely identify the
entry, the RDN also must include this information (for example,
"krbKeyVersion=1 krbEncType=DES krbSaltType=NORMAL").'
MUST ( krbKeyVersion $ krbEncType $ krbMstrKeyVersion )
MAY ( krbKdcServiceName $ krbKeyExpires $ krbKeyValue $
krbNextKeyVersion $ krbSaltType $ krbSaltValue )
DESC 'A structural object class for use in configuring an entry
to represent a Kerberos login activity record for an associated
Kerberos principal. The entry representing the Kerberos login
activity record must reside directly below the entry representing
the associated Kerberos principal and must have a creator
identity that is a KDC service in the realm. (The DN recorded by
LDAP in the creatorsName attribute of the entry representing the
Kerberos login activity record must be listed in the
krbKdcServiceObject attribute of the entry representing the
realm.) The relationship between the entry representing the
Kerberos login activity record and the entry representing the
associated Kerberos principal is one-to-one. The RDN of the
entry representing the Kerberos login activity must be
MAY ( badPasswordTime $ badPwdCount $ lastLogon )
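The placement and creator rules for KrbKey entries, and the stricter KDC-only rule for KrbLog entries, are the checks the draft later makes the KDC responsible for before it reads either entry. The following Python is an added example, not part of the draft; it assumes entries already fetched into dicts (DN, creatorsName and attribute values as strings), uses a simplified case-insensitive DN comparison, and uses a placeholder 'cn=krbLog' RDN because the draft's KrbLog RDN rule is cut off above.

```python
import re

# Simplified DN handling (assumption: case-insensitive comparison of the
# whole DN is acceptable here; use the LDAP library's normaliser in practice).
def _rdns(dn):
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn)]

def parent_dn(dn):
    return ','.join(_rdns(dn)[1:])

def same_dn(a, b):
    return _rdns(a) == _rdns(b)

def _creator_listed(creator, realm, attrs):
    listed = [dn for a in attrs for dn in realm.get(a, [])]
    return any(same_dn(creator, dn) for dn in listed)

def key_entry_trusted(realm, principal_dn, key):
    """KrbKey rules: the entry sits directly below its principal, its
    creatorsName is listed in krbKdcServiceObject, krbPwdServiceObject or
    krbTrustedAdmObject of the realm, and its RDN carries krbKeyVersion."""
    if not same_dn(parent_dn(key['dn']), principal_dn):
        return False
    if not _creator_listed(key['creatorsName'], realm, ('krbKdcServiceObject',
                           'krbPwdServiceObject', 'krbTrustedAdmObject')):
        return False
    rdn_tokens = _rdns(key['dn'])[0].split()  # e.g. "krbKeyVersion=1 krbEncType=DES"
    return 'krbkeyversion=%s' % key['krbKeyVersion'] in rdn_tokens

def log_entry_trusted(realm, principal_dn, log):
    """KrbLog rules: the entry sits directly below its principal and its
    creatorsName is a KDC service listed in krbKdcServiceObject."""
    if not same_dn(parent_dn(log['dn']), principal_dn):
        return False
    return _creator_listed(log['creatorsName'], realm, ('krbKdcServiceObject',))

# Constructed sample entries (not taken from the draft).
REALM = {'krbKdcServiceObject': ['cn=kdc1,ou=services,o=example'],
         'krbPwdServiceObject': ['cn=kpasswd,ou=services,o=example'],
         'krbTrustedAdmObject': ['cn=ldapadmin,o=example']}
PRINCIPAL_DN = 'krbPrincipalName=alice@EXAMPLE.COM,ou=people,o=example'
GOOD_KEY = {'dn': 'krbKeyVersion=2 krbEncType=DES krbSaltType=NORMAL,' + PRINCIPAL_DN,
            'creatorsName': 'CN=kpasswd,OU=services,O=example', 'krbKeyVersion': 2}
ROGUE_KEY = {'dn': 'krbKeyVersion=2,' + PRINCIPAL_DN,
             'creatorsName': 'cn=untrusted,ou=people,o=example', 'krbKeyVersion': 2}
# 'cn=krbLog' is a placeholder RDN; the draft's KrbLog RDN rule is cut off above.
GOOD_LOG = {'dn': 'cn=krbLog,' + PRINCIPAL_DN, 'creatorsName': 'cn=kdc1,ou=services,o=example'}
ADMIN_LOG = {'dn': 'cn=krbLog,' + PRINCIPAL_DN, 'creatorsName': 'cn=ldapadmin,o=example'}
```

A KDC that skips these checks would accept a key or login record planted by any identity with write access under the principal's entry, which is exactly what the creatorsName rule is meant to prevent.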
DESC 'A structural object class for use in configuring an entry
to represent a Kerberos master key. The entry representing the
Kerberos master key must reside directly below the entry
representing the Kerberos realm. The relationship between the
entry representing the Kerberos master key and the entry
representing the associated Kerberos realm is many-to-one. This
is because multiple Kerberos master keys can be created for a
single realm with each key having a different version number or
KDC service identity. The RDN of the entry representing the
Kerberos master key must contain a string that indicates the
contents of the krbKeyVersion attribute for that entry (for
example, "krbKeyVersion=1"). If the contents of additional
attributes are required to uniquely identify the entry, the RDN
also must include this information (for example, "krbKeyVersion=1
krbKdcServiceName=serverA").'
MAY ( krbKeyName $ krbKeyRef )
DESC 'An auxiliary object class for use in configuring Kerberos
policy attributes for an associated Kerberos principal or
Kerberos realm. The Kerberos policy attributes can reside in the
entry representing the Kerberos principal or realm, the entry
referenced by the krbPolicyObject attribute of the entry
representing the Kerberos principal or realm, or both. If the
same policy attribute is configured in both entries, the policy
attribute from the entry representing the principal or realm is
used. Some Kerberos policy values can be configured using one of
two sets of attributes. For these attributes, the
krbRedundancyPolicy attribute in the entry representing the realm
determines which set of attributes to use. (For example, the
maximum password lifetime value can be stored in the maxPwdAge or
passwordMaxAge attribute. The krbRedundancyPolicy attribute
determines which of these two attributes to use.)'
MAY ( accountExpires $ krbAttributes $ maxPwdAge $ maxRenewAge $
maxTicketAge $ minPwdAge $ minPwdLength $ krbMultKeyVersionsOK $
passwordExpireTime $ passwordDictFiles $ passwordMaxAge $
passwordMinAge $ passwordMinDiffChars $ passwordMinLength $
pwdHistoryLength $ secAcctExpires $ secAcctValid $
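To show how the precedence rule (principal or realm entry over the krbPolicyObject entry) and the krbRedundancyPolicy selection combine, here is an added Python example that is not the draft's code. It assumes entries as dicts of attribute name to list of string values, assumes krbRedundancyPolicy holds '0' to select the first attribute of each pair (maxPwdAge) or '1' to select the second (passwordMaxAge) since the draft does not define the value encoding, and infers the pairings other than maxPwdAge/passwordMaxAge from the attribute names.

```python
# Attribute pairs that carry the same policy value. The realm's
# krbRedundancyPolicy says which member of each pair is authoritative.
# Only maxPwdAge/passwordMaxAge is spelled out in the draft; the other two
# pairings are assumed from the attribute names.
REDUNDANT_PAIRS = {
    'maximum password lifetime': ('maxPwdAge', 'passwordMaxAge'),
    'minimum password lifetime': ('minPwdAge', 'passwordMinAge'),
    'minimum password length': ('minPwdLength', 'passwordMinLength'),
}

def first_value(entry, attr):
    """Return the first value of attr from an entry dict, or None if unset."""
    values = entry.get(attr) or []
    return values[0] if values else None

def effective_policy(policy_name, subject, policy_obj, realm):
    """Resolve one policy value for a principal or realm entry (subject).
    The attribute to read is chosen by krbRedundancyPolicy in the realm
    entry (assumed encoding: '0' selects the first attribute of the pair,
    '1' the second). The subject's own value wins; the entry referenced
    by its krbPolicyObject is consulted only when the subject has none."""
    pair = REDUNDANT_PAIRS[policy_name]
    selector = int(first_value(realm, 'krbRedundancyPolicy') or '0')
    attr = pair[selector]
    for entry in (subject, policy_obj):
        value = first_value(entry, attr) if entry is not None else None
        if value is not None:
            return value
    return None

def all_policies(subject, policy_obj, realm):
    """Effective value of every known policy for subject, as a dict."""
    return {name: effective_policy(name, subject, policy_obj, realm)
            for name in REDUNDANT_PAIRS}

# Constructed sample entries (not from the draft): attribute name -> list of
# string values, as an LDAP search would return them.
REALM = {'krbRealmName': ['EXAMPLE.COM'], 'krbRedundancyPolicy': ['1'],
         'passwordMaxAge': ['7776000'], 'maxPwdAge': ['90']}
POLICY_OBJ = {'passwordMaxAge': ['15552000'], 'passwordMinLength': ['8']}
PRINCIPAL = {'krbPrincipalName': ['alice@EXAMPLE.COM'],
             'krbPolicyObject': ['cn=default-policy,o=example'],
             'passwordMaxAge': ['2592000']}
```

Note that a value present only in the unselected attribute (maxPwdAge here, while krbRedundancyPolicy selects passwordMaxAge) is ignored entirely, so both sets must be kept consistent or only one populated.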
DESC 'An auxiliary class for use in configuring an entry to
represent a Kerberos principal.'
MUST (krbPrincipalName)
MAY (krbCurKeyVersion $ krbCreatorsName $ krbCreateTimestamp $
krbExtraData $ krbModifiersName $ krbModifyTimestamp $
krbPolicyObject $ krbPrincipalType $ krbSecretKeyCfg $
krbTaggedDataList $ pwdLastSet)
DESC 'A structural object class for use in configuring an entry
to represent a Kerberos realm. The RDN of this entry must
contain a string that indicates the contents of the krbRealmName
attribute; for example, "krbRealmName=COM.XYZ".'
MUST ( krbPrincSubTree $ krbRealmName )

DESC 'An auxiliary object class for use in configuring additional
attributes in an entry representing a Kerberos realm.'
MAY ( krbAdmAclDB $ krbAdmServiceObject $ krbEncTypeSupport $
krbKdcServiceObject $ krbKeyType $ krbMstrKeyCfg $
krbPolicyObject $ krbPwdServiceObject $ krbRedundancyPolicy $
krbSaltTypeSupport $ krbTrustedAdmObject )
7. Security Considerations

AUTHENTICATION DISCLOSURE:

This document describes a directory access protocol that provides
both read and update access. Update access requires secure
authentication, but this document does not mandate implementation
of any satisfactory authentication mechanisms.

In accordance with RFC 2026, section 4.4.1, this specification
is being considered by IESG as a proposed standard
despite this limitation, for the following reasons:

a. to encourage implementation and interoperability testing of
these protocols (with or without update access) before they

b. to encourage deployment and use of these protocols in read-only
applications (e.g. applications where LDAPv3 is used as
a query language for directories which are updated by some
secure mechanism other than LDAP), and

c. to avoid delaying the advancement and deployment of other
Internet standards-track protocols which require the ability
to query, but not update, LDAPv3 directory servers.

Readers are hereby warned that until mandatory authentication
mechanisms are standardized, clients and servers written according
to this specification which make use of update functionality are
UNLIKELY TO INTER-OPERATE, or MAY INTER-OPERATE ONLY IF
AUTHENTICATION IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.

Implementers are hereby discouraged from deploying LDAPv3 clients
or servers which implement the update functionality, until a
Proposed Standard for mandatory authentication in LDAPv3 has been
approved and published as an RFC.
The following needs to be considered when using the KDC LDAP

* Any identity that configures KDC attributes in LDAP is
responsible for ensuring that the attributes are transmitted
securely to and from LDAP. If attributes must be transmitted
over the network, they must be transmitted using a security
protocol with client and server authentication, data integrity,
and, if the attribute contains key data, encryption that is as
strong or stronger than DES.

* Any identity that adds a sub-tree entry to the krbPrincSubTree
attribute of the realm entry is responsible for ensuring that
this sub-tree provides a way of protecting KDC attributes so that
only trusted identities can add, modify, or delete KDC attributes
in an entry residing under the sub-tree.

* Any identity that adds a reference to an entry with policy
information is responsible for ensuring that this entry protects
KDC policy attributes so that only trusted identities can add,
modify, or delete these attributes.

* The identity that creates the realm entry is responsible for
protecting this entry so that only trusted identities can modify,
delete, or add attributes in the entry; only trusted identities
can rename or delete the entry; and only trusted identities can
insert new entries under the entry. (The master key is inserted
under the realm entry, so any identity that has permission to
insert entries under the realm entry has permission to create a

* The identity that creates the master key entry is responsible

- protecting this entry so that only trusted identities can
modify, delete, or insert new attributes in the entry; only
trusted identities can rename or delete the entry; and only a KDC
service can read attributes in the entry.

- encrypting the master key stored in krbKeyValue if this
attribute is used to store the master key.

* The identity that creates a KrbKey entry is responsible for:

- protecting this entry so that only trusted identities can
modify, delete, or insert attributes in this entry; only trusted
identities can rename this entry; only trusted identities and the
associated principal can delete this entry; and only a KDC
service can read attributes from this entry.

- storing the value in krbKeyValue as a key encrypted with a
master key, as described previously in this document.

* The identity that creates the KrbLog entry is responsible for
protecting this entry so that only a KDC service in the realm can
modify, delete, and insert attributes in this entry; and only a
KDC service or a trusted identity in the realm can delete or

* The KDC is responsible for the following:

- ensuring that all KDC attributes are transmitted securely
to and from LDAP. If attributes must be transmitted over the
network, they must be transmitted using a security protocol with
client and server authentication, data integrity, and, if the
attribute contains key data, encryption that is as strong or

- ensuring that the KrbKey entry was created by an identity
that is trusted in the realm before getting the attributes from

- ensuring that the KrbLog entry was created by a KDC
service in the realm before getting the attributes from this

* The LDAP administrator is responsible for the following:

- If any principal entries in the realm are configured to
store secret keys in the userPassword attribute, ensuring that
LDAP is configured to encrypt and hash any data stored in this
attribute using algorithms that are as strong or stronger than
the algorithms used by Kerberos. If the value in userPassword is
hashed, this must be supported by the Kerberos client interfaces

- Ensuring that the LDAP server and the LDAP backing
database provide a way of auditing all additions, deletions, and
modifications of attributes.

- If the LDAP backing database is separate from the LDAP
server, ensuring that all data transmitted over the network
between the LDAP server and the backing database is transmitted
using a security protocol with client and server authentication,
and data integrity, and that all attributes stored in the LDAP
backing database are protected.
This schema was developed as part of a working group effort of
The Open Group Directory Interoperability Forum.

This draft expires May 10, 2001.
[1] Bradner, S., "The Internet Standards Process -- Revision 3",
BCP 9, RFC 2026, October 1996.

[2] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.

[3] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
X.500 Directory Access Protocol (v3): Attribute Syntax
Definitions", RFC 2252, December 1997.

[4] Wahl, M., Kille, S., and T. Howes, "Lightweight Directory
Access Protocol (v3): UTF-8 String Representation of
Distinguished Names", RFC 2253, December 1997.

[5] Wahl, M., "A Summary of the X.500(96) User Schema for use
with LDAPv3", RFC 2256, December 1997.

[6] Kohl, J., and C. Neuman, "The Kerberos Network Authentication
Service (V5)", RFC 1510, September 1993.
11. Author's Address

Phone: (512) 838-3896
Email: donnas@us.ibm.com