On Sun, Feb 10, 2013 at 4:10 PM, Emmanuel Lécharny <[email protected]> wrote:

> Hi guys,
>
> as I'm working on the Kerberos server, I have a few questions.
>
> 1) Currently, when the added entry has a userPassword AT and a
> krb5PrincipalName AT (which means it has a krb5principal OC), we create
> the kerberos Keys using the password.
>
> The problem is that the userPassword is a multiValued AT, so we use the
> first password in the list to generate the keys. This is not necessarily
> a good idea, but I don't see how we can improve this.
>

I will repeat the same words said in the IM :) 'let us throw an error when Kerberos is enabled in the server and an entry contains more than one password'

> At least, we should inform the user about this fact
>
> 2) Service keys: as we use the same mechanism, we generate keys based
> on the userPassword. Of course, we have no way to know that the added
> entry is for a service (except for hosts), so the userPassword must
> exist (and its value must be randomKey so that we don't use a weak
> password).
>
> Wouldn't it be better to generate the keys from a random password if the
> userPassword AT is empty or absent?
>

yes, and we should generate keys only when such an entry contains 'krb5PrincipalName' attribute

> 3) We definitively need to add a plugin in Studio to allow a user to
> change its password, using the changePassword protocol (and a shell
> script based tool to do so)
>

+1

> Thoughts?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>

--
Kiran Ayyagari
http://keydap.com
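The rules agreed in this exchange, written out as an added Python example (not ApacheDS code): keys are only produced for entries carrying krb5PrincipalName, more than one userPassword value is rejected, and a missing password is replaced by a random one. It assumes an entry is a dict of attribute name to value list, and uses only the PBKDF2 step of the RFC 3962 string-to-key with the RFC 4120 default salt, so the bytes it returns are illustrative rather than an interoperable Kerberos key.

```python
import hashlib
import secrets


class KerberosPolicyError(Exception):
    """Raised when an entry cannot be given Kerberos keys safely."""


def principal_salt(principal: str) -> bytes:
    # RFC 4120 default salt: realm followed by the name components with
    # the '/' separators removed, e.g. "EXAMPLE.COMhostsrv.example.com".
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()


def password_to_key(password: str, principal: str) -> bytes:
    # PBKDF2 step of RFC 3962 string-to-key for aes128-cts-hmac-sha1-96
    # (4096 iterations, 16 bytes). The final AES-based DK() step is left out
    # here (assumption for brevity), so this is not a real Kerberos key.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), principal_salt(principal), 4096, 16)


def plan_kerberos_keys(entry, kerberos_enabled):
    """Return ("skip" | "derived" | "random", key) for an added entry.

    Raises KerberosPolicyError when the entry has several userPassword values,
    because LDAP multi-valued attributes are unordered and "the first one" is
    not a stable choice: each value would yield a different key.
    """
    principals = entry.get("krb5PrincipalName", [])
    if not kerberos_enabled or not principals:
        return "skip", None          # only krb5principal entries get keys
    principal = principals[0]
    passwords = entry.get("userPassword", [])
    if len(passwords) > 1:
        raise KerberosPolicyError(
            f"{principal}: {len(passwords)} userPassword values, Kerberos needs exactly one")
    if not passwords:
        # service-style entry without a password: derive from a random secret
        # instead of forcing the admin to invent one that may be weak
        return "random", password_to_key(secrets.token_urlsafe(32), principal)
    return "derived", password_to_key(passwords[0], principal)


if __name__ == "__main__":
    # constructed sample entries
    user = {"krb5PrincipalName": ["alice@EXAMPLE.COM"], "userPassword": ["secret"]}
    service = {"krb5PrincipalName": ["host/srv.example.com@EXAMPLE.COM"]}
    print(plan_kerberos_keys(user, True)[0], plan_kerberos_keys(service, True)[0])
```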
