Hi guys, as I'm working on the Kerberos server, I have a few questions.
1) Currently, when the added entry has a userPassword AT and a krb5PrincipalName AT (which means it has a krb5principal OC), we create the Kerberos keys using the password. The problem is that userPassword is a multi-valued AT, so we use the first password in the list to generate the keys. This is not necessarily a good idea, but I don't see how we can improve this. At least, we should inform the user about this fact.

2) Service keys: as we use the same mechanism, we generate keys based on the userPassword. Of course, we have no way to know that the added entry is for a service (except for hosts), so the userPassword must exist (and its value must be randomKey so that we don't use a weak password). Wouldn't it be better to generate the keys from a random password if the userPassword AT is empty or absent?

3) We definitely need to add a plugin in Studio to allow a user to change their password, using the changePassword protocol (and a shell script based tool to do so).

Thoughts?

--
Regards, Cordialement,
Emmanuel Lécharny
www.iktek.com
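As an added illustration (not code from this thread or from the Apache Directory server), here is the key-source policy discussed in points 1 and 2 in Python: the first value of a multi-valued userPassword is used with a warning, a random key is generated when userPassword is absent or equals randomKey, and otherwise the RFC 3962 PBKDF2 stage of string-to-key is run (the final AES-based DK step is left out to stay in the standard library). The entry dictionary layout, the realm argument and the function names are assumptions.

```python
import hashlib
import secrets

AES128_KEY_BYTES = 16
RANDOM_KEY_MARKER = b"randomKey"   # marker value mentioned in the thread


def string_to_tkey(password, principal, realm, iterations=4096):
    """RFC 3962 PBKDF2 stage of string-to-key (the AES DK step is omitted).

    The salt is the realm followed by the principal name without its realm,
    e.g. "ATHENA.MIT.EDUraeburn" for raeburn@ATHENA.MIT.EDU.
    """
    name_part = principal.split("@", 1)[0]
    salt = (realm + name_part).encode()
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, AES128_KEY_BYTES)


def select_key_material(entry, realm, iterations=4096):
    """Decide where the Kerberos key for an added LDAP entry comes from.

    entry: hypothetical dict of attribute name -> list of byte values, e.g.
           {"krb5PrincipalName": [b"hnelson@EXAMPLE.COM"], "userPassword": [...]}.
    Returns (key_bytes, warnings). Hypothetical helper, not the server's API.
    """
    warnings = []
    principal = entry["krb5PrincipalName"][0].decode()
    passwords = entry.get("userPassword", [])

    # Point 2: no usable password (absent, empty, or the randomKey marker)
    # -> generate a fresh random key instead of deriving one from a weak value.
    if not passwords or passwords[0] == RANDOM_KEY_MARKER:
        return secrets.token_bytes(AES128_KEY_BYTES), warnings

    # Point 1: userPassword is multi-valued; only the first value feeds the
    # key derivation, so tell the user that the other values are ignored.
    if len(passwords) > 1:
        warnings.append(
            f"{principal}: userPassword has {len(passwords)} values; "
            "only the first one is used to generate the Kerberos keys"
        )
    return string_to_tkey(passwords[0], principal, realm, iterations), warnings
```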
