Enrique Rodriguez wrote:

On 6/20/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:

Hi guys,

IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, a SWT
implementation :
http://www.alphaworks.ibm.com/tech/nasgui

It seems to be an interesting tool, and I'm thinking we should have such
a GUI in Apache Directory Studio.

Wdyt ?


I think it would be great if AD Studio supported Kerberos
administration.  However, this IBM tool is using the Kadmin protocol,
which is specific to the MIT Kerberos implementation.

I was not thinking specifically of Kadmin, but of something more comfortable, as soon as we have some specification to give to our GUI team.

I think with
the protocols we have, we shouldn't support kadmin.  I, for one, won't
be putting any effort towards Kadmin.  You'll note the IBM tool is
using JNI to MIT's library.

You can get a feel for the basic Kerberos principal functions we need
from this Kadmin overview.

http://docs.hp.com/en/5991-7685/ch08s37.html

We can do most of what we need with the LDAP protocol and our X.500
ACI.

Sure, but I think a GUI is great to have to avoid complex manipulation of such elements. We already have an ACI editor in Apache Directory Studio, we just need a specific interface for Kerberos admin, I guess.

The question is what it should look like, and what functionalities it must contain.

A few additional functions are covered by the upcoming
Set/Change Protocol v2, an update of the Change Password protocol.

You mean http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-06.txt, I guess.


As for timing, I think it makes sense to hold off a bit longer.  There
are 2 RFC's in the works:  (1) the aforementioned Set/Change Protocol
v2 and (2) a possible informative RFC regarding an LDAP schema for
Kerberos.  The new Set/Change Protocol adds some important key
management functions and the LDAP schema supports many more features
than our existing schema.  I think once implementation of these draft
RFC's has stabilized then we can look at adding GUI for principal
admin.  I was hoping to get to both of these later this year.

It would be good to have a page like http://cwiki.apache.org/confluence/display/DIRxSRVx10/Ldap+related+RFCs where we have a clear view of what has been implemented, and what is not, including a roadmap for the drafts we intend to implement.

Here is a list of all the Kerberos working group drafts and RFCs:

- Generating KDC Referrals to Locate Kerberos Realms <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-09.txt> (36370 bytes)
- Kerberos Set/Change Key/Password Protocol Version 2 <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-set-passwd-06.txt> (32882 bytes)
- A Generalized Framework for Kerberos Pre-Authentication <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-05.txt> (84108 bytes)
- The Kerberos Network Authentication Service (Version 5) <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-rfc1510ter-04.txt> (222275 bytes)
- ECC Support for PKINIT <http://www.ietf.org/internet-drafts/draft-zhu-pkinit-ecc-03.txt> (21007 bytes)
- Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-tcp-expansion-02.txt> (14367 bytes)
- Anonymity Support for Kerberos <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-anon-03.txt> (23897 bytes)
- Additional Kerberos Naming Constraints <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-naming-03.txt> (13553 bytes)
- PK-INIT Cryptographic Algorithm Agility <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-pkinit-alg-agility-02.txt> (29698 bytes)
- Kerberos Version 5 GSS-API Channel Binding Hash Agility <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-gss-cb-hash-agility-01.txt> (12607 bytes)


   Request For Comments:

- AES Encryption for Kerberos 5 (RFC 3962) <http://www.ietf.org/rfc/rfc3962.txt> (32844 bytes)
- Encryption and Checksum Specifications for Kerberos 5 (RFC 3961) <http://www.ietf.org/rfc/rfc3961.txt> (111865 bytes)
- The Kerberos Network Authentication Service (V5) (RFC 4120) <http://www.ietf.org/rfc/rfc4120.txt> (340314 bytes) obsoletes RFC 1510 / updated by RFC 4537
- The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 (RFC 4121) <http://www.ietf.org/rfc/rfc4121.txt> (43945 bytes) updates RFC 1964
- Kerberos Cryptosystem Negotiation Extension (RFC 4537) <http://www.ietf.org/rfc/rfc4537.txt> (11166 bytes) updates RFC 4120
- Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557) <http://www.ietf.org/rfc/rfc4557.txt> (11593 bytes)
- Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4556) <http://www.ietf.org/rfc/rfc4556.txt> (100339 bytes)


Can we have a status for those RFCs and drafts ?

Thanks.

Emmanuel
