Generating krbPrincipalKey and krbPrincipalName out of known passwords


Maike Lorenz

Jul 8, 2013, 7:08:28 AM
to kerb...@mit.edu
Hi,

I have a question about generating krbPrincipalKey and krbPrincipalName
out of known passwords.

We use Novell Identity Manager; the Novell eDirectory is our central
instance for identities.

I connected an OpenLDAP system to our eDirectory as a destination
system. I used an LDAP driver for this connection.

The userPasswords are transported using nspmDistributionPassword, so I
have an SSHA-hashed password in the destination system (OpenLDAP).

Now we want to use Kerberos on the OpenLDAP.

Does someone know how I can transfer the userPasswords I already have to
the attributes needed for Kerberos (krbPrincipalKey, krbPrincipalName)?
During the creation process I have the chance to get the plaintext value
out of nspmDistributionPassword.
It would be great if I could do this within the driver at the moment the
user is created.
But I could use other methods as well.

I tried to find a way using the GSS-API or the krb5 API, but I could not
find one so far.

It would be great if someone could give me some hints.

Thanks a lot!

Kind regards,
Maike Lorenz
--------------------------------------------------------------------
Rechenzentrum der Friedrich-Schiller-Universitaet Jena
Am Johannisfriedhof 2
07743 Jena / Thueringen / Germany

Greg Hudson

Jul 8, 2013, 12:20:11 PM
to Maike Lorenz, kerb...@mit.edu
On 07/08/2013 07:08 AM, Maike Lorenz wrote:
> Does someone know how I can transfer the userPasswords I already have to
> the attributes needed for Kerberos (krbPrincipalKey, krbPrincipalName)?
> During the creation process I have the chance to get the plaintext value
> out of nspmDistributionPassword.
> It would be great if I could do this within the driver at the moment the
> user is created.
> But I could use other methods as well.

I am not very familiar with eDirectory (only with the MIT krb5 LDAP back
end, which is based on eDirectory code and shares most of its schema),
so there might be a better way of doing what you want using eDirectory
tools if you contact Novell. If you must do it with your own code, here
are some pointers.

The krbPrincipalName is just the unparsed principal name. For
krbPrincipalKey, you will need the plaintext value to start with. There
are two steps, one of which can be accomplished with libkrb5 and the
other of which will require an ASN.1 encoder.

First, you have to convert the password into keys for one or more
enctypes using krb5_c_string_to_key(). You can use
krb5_principal2salt() to get the default salt for the principal name.

Second, you have to marshal the keys into an octet string using ASN.1.
Here are some comments from the schema file containing a partial ASN.1
module for the marshalling:

##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno [0] UInt16,
##### attribute-minor-vno [1] UInt16,
##### kvno [2] UInt32,
##### mkvno [3] UInt32 OPTIONAL,
##### keys [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }

Use explicit tagging.
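As an added illustration of the second step (not code from Greg Hudson's reply or from MIT krb5), here is a small dependency-free Python DER encoder for the KrbKeySet module quoted above, using explicit tagging throughout. It does not reproduce krb5_c_string_to_key(): the 32-byte key value is a constructed placeholder, and the salt string is a constructed stand-in for the realm-plus-name default salt that krb5_principal2salt() would produce.

```python
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    """INTEGER (0x02) in minimal two's-complement form (handles 128, -1)."""
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_octets(b):
    return der_tlv(0x04, b)

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def explicit(n, encoded):
    """[n] EXPLICIT: context-specific constructed tag wrapping a full TLV."""
    return der_tlv(0xA0 | n, encoded)

def encode_krb_key(keytype, keyvalue, salttype=None, salt=None):
    """KrbKey ::= SEQUENCE { salt [0] KrbSalt OPTIONAL, key [1] EncryptionKey }"""
    parts = b""
    if salttype is not None:  # KrbSalt { type [0] Int32, salt [1] OCTET STRING OPTIONAL }
        krb_salt = explicit(0, der_int(salttype))
        if salt is not None:
            krb_salt += explicit(1, der_octets(salt))
        parts += explicit(0, der_seq(krb_salt))
    # EncryptionKey { keytype [0] Int32, keyvalue [1] OCTET STRING }
    enc_key = der_seq(explicit(0, der_int(keytype)), explicit(1, der_octets(keyvalue)))
    return der_seq(parts + explicit(1, enc_key))

def encode_krb_key_set(kvno, keys, mkvno=None, major_vno=1, minor_vno=1):
    """KrbKeySet: attribute-major-vno [0], attribute-minor-vno [1], kvno [2],
    mkvno [3] OPTIONAL, keys [4] SEQUENCE OF KrbKey."""
    body = explicit(0, der_int(major_vno)) + explicit(1, der_int(minor_vno))
    body += explicit(2, der_int(kvno))
    if mkvno is not None:
        body += explicit(3, der_int(mkvno))
    body += explicit(4, der_seq(*keys))
    return der_seq(body)

# Constructed sample: enctype 18 (aes256-cts-hmac-sha1-96) with a placeholder
# 32-byte key and a salt type 0 (normal) salt shaped like "EXAMPLE.COM" + "user".
SAMPLE_KEY = encode_krb_key(18, bytes(range(32)), salttype=0, salt=b"EXAMPLE.COMuser")
SAMPLE_KEY_SET = encode_krb_key_set(kvno=1, keys=[SAMPLE_KEY])
```

The resulting bytes are what would be stored as the krbPrincipalKey value; in a real driver the keyvalue comes from krb5_c_string_to_key() and the salt from krb5_principal2salt().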

Petr Spacek

Jul 9, 2013, 4:48:57 AM
to kerb...@mit.edu
Hello,

On 8.7.2013 18:20, Greg Hudson wrote:
> On 07/08/2013 07:08 AM, Maike Lorenz wrote:
>> Does someone know how I can transfer the userPasswords I already have to
>> the attributes needed for Kerberos (krbPrincipalKey, krbPrincipalName)?
>> During the creation process I have the chance to get the plaintext value
>> out of nspmDistributionPassword.
>> It would be great if I could do this within the driver at the moment the
>> user is created.
>> But I could use other methods as well.

I'm sorry for the advertisement :-)

The FreeIPA project could be very interesting for you if you don't insist on
OpenLDAP. FreeIPA supports user migration from other LDAP servers, including
password migration.

FreeIPA project integrates:
- LDAP server (389 DS)
- Kerberos KDC (MIT)
- optional CA (Dogtag)
- optional NTP
- web interface + XMLRPC + JSONRPC + Python API for all the pieces

See http://www.freeipa.org/ or ask the mailing list freeip...@redhat.com.

The web site sucks; don't hesitate to ask freeipa-users if you can't find some
specific information or if you are unsure about your use case.

Have a nice day.

--
Petr^2 Spacek