On Sat, Jan 14, 2012 at 22:42, Kiran Ayyagari <[email protected]> wrote:
> you can call kdcServer.setEncryptionTypes() (with an array or set of
> EncryptionTypeS)
> note that, this method should be called from a non-static method
> (typically from the setup method or the one having @Before annotation)
> calling it from a static method might likely result in a null pointer
> exception.
>
> Let me know if you have any issues
Thanks, it works!
How about making the default in KdcServer compatible with MIT
library's defaults?
I think it would be sufficient to change one constant
org.apache.directory.server.kerberos.kdc.KdcServer#DEFAULT_ENCRYPTION_TYPES:
diff --git
a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
index fa14a4c..0673014 100644
---
a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
+++
b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
@@ -85,7 +85,7 @@ public class KdcServer extends DirectoryBackedService
/** The default encryption types */
private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
- { "des-cbc-md5" };
+ { "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
"des3-cbc-sha1-kd", "des-cbc-md5" };
/** The default for allowing empty addresses */
private static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
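Review bot: the new default array still ends with single-DES ("des-cbc-md5"), so a KDC built with these defaults keeps offering a 56-bit enctype out of the box; MIT krb5 has shipped with allow_weak_crypto = false since 1.8, which removes the DES types from its effective defaults, so the list only matches current MIT behaviour if the DES entry is dropped or clearly documented as a legacy opt-in. Also, the second patch shows encryptionTypeStrings being walked in array order, so this ordering acts as the KDC's preference order; keeping the AES types first, as done here, is right, but that intent should be stated next to the constant.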
What do you think about that?
Just in case, attaching a patch (attachment no. 0001).
BTW, I've also found a suboptimal fragment in
org.apache.directory.server.kerberos.kdc.KdcServer#prepareEncryptionTypes
- sending a patch (attachment no. 0002).
--
Best Regards,
Aleksander Adamowski
http://olo.org.pl
From 02fc0c1ef447081a5bdf04efdb53b4948ab9ac5a Mon Sep 17 00:00:00 2001
From: Aleksander Adamowski <[email protected]>
Date: Sat, 14 Jan 2012 23:45:21 +0100
Subject: [PATCH 1/2] Made KdcServer's default list of encryption types
compatible with MIT krb5 library's defaults
diff --git a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
index fa14a4c..0673014 100644
--- a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
+++ b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
@@ -85,7 +85,7 @@ public class KdcServer extends DirectoryBackedService
/** The default encryption types */
private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
- { "des-cbc-md5" };
+ { "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "des-cbc-md5" };
/** The default for allowing empty addresses */
private static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
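Review bot: the Javadoc "/** The default encryption types */" should say what the commit message says, namely that the list mirrors MIT krb5's defaults and is in order of preference, and it should name the MIT release the list was taken from, since MIT's defaults have changed between releases and a bare "compatible with MIT" claim is otherwise not checkable later. A note that "des-cbc-md5" is kept only for legacy clients would also stop the next editor from assuming it is still a recommended choice.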
--
1.7.5.4
From 929487f659d376972ad66ab57f8fa537db928bd1 Mon Sep 17 00:00:00 2001
From: Aleksander Adamowski <[email protected]>
Date: Sat, 14 Jan 2012 23:58:34 +0100
Subject: [PATCH 2/2] Make use of EncryptionType.getByName() when populating
KdcServer's encryption types.
diff --git a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
index 0673014..7b802e6 100644
--- a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
+++ b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
@@ -557,12 +557,9 @@ public class KdcServer extends DirectoryBackedService
for ( String enc : encryptionTypeStrings )
{
- for ( EncryptionType type : EncryptionType.getEncryptionTypes() )
- {
- if ( type.getName().equalsIgnoreCase( enc ) )
- {
- encryptionTypes.add( type );
- }
+ EncryptionType type = EncryptionType.getByName(enc);
+ if ( ! EncryptionType.UNKNOWN.equals(type) ) {
+ encryptionTypes.add( type );
}
}
}
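Review bot: the removed loop matched enctype names with equalsIgnoreCase(), but the replacement relies on EncryptionType.getByName(enc); unless getByName() is documented as case-insensitive, configurations that spell names in upper or mixed case (for example "AES256-CTS-HMAC-SHA1-96") would now resolve to UNKNOWN and be silently dropped, which can leave the KDC with a shorter, and possibly weaker, enctype list than the administrator configured. Suggest logging a warning when getByName() returns UNKNOWN and adding a test with mixed-case names so the behaviour is pinned down either way. Style point: the file puts braces on their own line and spaces inside parentheses, so "if ( ! EncryptionType.UNKNOWN.equals(type) ) {" and "getByName(enc)" should be reformatted to match the surrounding code.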
--
1.7.5.4