<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc3961 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3961.xml'>
<!ENTITY rfc4120 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4120.xml'>
<!ENTITY rfc4511 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml'>
<!ENTITY rfc4513 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4513.xml'>
<!ENTITY rfc4516 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4516.xml'>
<!ENTITY rfc4517 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4517.xml'>
<!ENTITY rfc4520 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4520.xml'>
<!ENTITY rfc2831 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2831.xml'>
<!ENTITY rfc3062 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3062.xml'>
<!ENTITY rfc3112 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3112.xml'>
<!ENTITY rfc3383 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3383.xml'>
<!ENTITY rfc3672 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3672.xml'>
<!ENTITY ldapi PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-chu-ldap-ldapi-00.xml'>
<!ENTITY ppolicy PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.behera-ldap-password-policy.xml'>
<!ENTITY kdcmodel PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-krb-wg-kdc-model-06.xml'>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc symrefs="yes" ?>
docName="draft-chu-ldap-kdc-schema-01">
<title abbrev="LDAP KDC Schema">
An LDAP Schema for Kerberos KDC Information
<author initials="H." fullname="Howard Chu" surname="Chu">
<organization>Symas Corp.</organization>
<street>18740 Oxnard Street, Suite 313A</street>
<region>California</region>
<phone>+1 818 757-7087</phone>
<email>hyc@symas.com</email>
<uri>http://www.symas.com</uri>
<author initials="S." fullname="Simo Sorce" surname="Sorce">
<organization>Red Hat, Inc.</organization>
<street>140 Broadway, 24th Floor</street>
<region>New York</region>
<phone>+1 212 344-2501</phone>
<email>ssorce@redhat.com</email>
<uri>http://www.redhat.com</uri>
<date month="October" year="2009"/>
<t>This document describes an <xref target="RFC4511">LDAP</xref> schema for implementing the
<xref target="RFC4120">Kerberos 5</xref>
<xref target="I-D.ietf-krb-wg-kdc-model">KDC Information Model</xref>.
It also defines additional elements which are not covered by the Information Model,
but are already in common use.
<section anchor="background" title="Background and Motivation">
<t>Both Kerberos and LDAP are frequently used separately for
distributed authentication. They can also be used in combination,
but typically their user databases remain separate. This separation
of databases causes unnecessary duplication of data and administration
overhead. As such, it is desirable for both systems to share a single
database. Since the LDAP data model is more general, it is most
appropriate to store the Kerberos data in LDAP.</t>
<t>A number of Kerberos implementations already have support for
using LDAP as their KDC backing store. However, each implementation
uses its own schema, and the multiple schemas are mutually
incompatible. For the sake of interoperability and administrative
ease, it is important to define a single standard schema that can
be used uniformly by all Kerberos KDC implementations and interoperates
with existing LDAP specifications.</t>
<section anchor="general" title="General Issues">
<section anchor="genera.terms" title="Terminology">
<t>The key words "MUST", "SHOULD", and "MAY" used in this document
are to be interpreted as described in
<xref target="RFC2119"/>.</t>
<t>The OIDs defined below are derived from
<!-- joint-iso-ccitt(2) country(16) us(840) organization(1) Novell(113719) applications(1) kerberos(301)
iso(1) member-body(2) United States(840) mit (113554) infosys(1) ldap(4) attributeTypes(1) Kerberos(6) -->
TBD.OID:<vspace blankLines="0"/>
KRBSYN = TBD.OID.0<vspace blankLines="0"/>
KRBATTR = TBD.OID.1<vspace blankLines="0"/>
KRBOC = TBD.OID.2<vspace blankLines="0"/>
<section title="Schema">
<t>The attributes and classes defined in this document are summarized
<section anchor="general.attrs" title="Attributes">
<t>The following attributes are defined in this document:
krbPrincipalName<vspace blankLines="0"/>
krbPrincipalAliases<vspace blankLines="0"/>
krbPrincStartTime<vspace blankLines="0"/>
krbPrincEndTime<vspace blankLines="0"/>
krbTicketMaxLife<vspace blankLines="0"/>
krbTicketMaxRenewal<vspace blankLines="0"/>
krbEncSaltTypes<vspace blankLines="0"/>
krbRealmName<vspace blankLines="0"/>
krbPrincipalRealm<vspace blankLines="0"/>
krbKeySet<vspace blankLines="0"/>
krbKeyVersion<vspace blankLines="0"/>
krbTicketPolicy<vspace blankLines="0"/>
krbExtraData<vspace blankLines="0"/>
krbPrincNamingAttr<vspace blankLines="0"/>
krbPrincContainer<vspace blankLines="0"/>
krbPwdPolicy<vspace blankLines="0"/>
krbLDAPURI<vspace blankLines="0"/>
Additionally, some of the attributes defined in
<xref target="I-D.behera-ldap-password-policy">LDAP Password Policy
</xref> are required.
<t>Note: The MIT/Novell schema includes a number of elements for storing the KDC configuration
in LDAP. The Information Model doesn't cover these aspects, so I've omitted them for now.
Do we need to add them?</t>
<section anchor="general.classes" title="Object Classes">
<t>The following object classes are defined in this document:
krbKDCInfo<vspace blankLines="0"/>
krbPrincipal<vspace blankLines="0"/>
krbRealm<vspace blankLines="0"/>
<section anchor="attrdefs" title="Attribute Definitions">
<t>This section contains attribute definitions to be implemented
by KDCs supporting this schema:
NAME 'krbPrincipalName'
DESC 'Canonical principal name'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
NAME 'krbPrincipalAliases'
SUP krbPrincipalName )
These attributes implement section 6.1.1.1 of the Information Model. The
krbPrincipalName attribute contains the canonical name of the principal.
Any aliases are stored in the krbPrincipalAliases attribute. Since the
krbPrincipalAliases attribute is a subtype of the krbPrincipalName
attribute, a search on krbPrincipalName will also search the aliases.
NAME 'krbPrincStartTime'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
This attribute implements section 6.1.1.2 of the Information Model.
It holds the date the principal becomes valid.
NAME 'krbPrincEndTime'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
This attribute implements section 6.1.1.3 of the Information Model.
It holds the date the principal becomes invalid.
NAME 'krbTicketMaxLife'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.1.1.11 of the Information Model.
It holds the maximum ticket lifetime in seconds for a principal.
NAME 'krbTicketMaxRenewal'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.1.1.12 of the Information Model.
It holds the maximum time in seconds for which a ticket may be renewed.
NAME 'krbEncSaltTypes'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
This attribute implements section 6.1.1.13 of the Information Model.
It holds the allowed encryption/salt type combinations for this principal.
If empty or absent, any combination supported by the implementation is allowed.
Values are stored in the form of key:salt strings.
The supported encryption types are those defined in
<xref target="RFC3961"/>. The supported salt types are:
Example: <spanx style='verb'>des-cbc-crc:normal</spanx>
<vspace blankLines='1'/>
Note that sections 6.1.1.4 through 6.1.1.10 of the Information Model
are implemented using the LDAP Password Policy schema.
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
NAME 'krbPrincipalRealm'
DESC 'DN of krbRealm entry'
SUP distinguishedName )
These attributes provide information about the current realm. They provide
the minimal set of information required to implement section 6.1.3 of the
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.2.1.1 of the Information Model.
It stores the version number of the current key.
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
This attribute implements sections 6.3.1.1 through 6.3.1.4 of the Information Model.
Sections 6.3.1.5 through 6.3.1.7 are implemented using the LDAP Password Policy schema.
This attribute holds the principal's keys, optionally encrypted with the
Master Key. The attribute is encoded using <xref target="X.680">ASN.1</xref>
<xref target="X.690">DER</xref>.
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### kvno [0] UInt32,
##### mkvno [1] UInt32 OPTIONAL,
##### keys [2] SEQUENCE OF KrbKey,
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
</artwork></figure></t>
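The KrbKeySet structure above, encoded and parsed as an added example (this is not code from the draft or from any KDC implementation). It assumes EXPLICIT context tagging, the convention of the RFC 4120 Kerberos ASN.1 module, since the draft does not show its module header, and leaves out the OPTIONAL s2kparams field; the decoder rejects truncated values and non-minimal lengths, which DER forbids.

```python
# Added example, not code from the draft or any KDC: DER encoder/decoder for the
# krbKeySet value format above. Assumes EXPLICIT context tagging (the RFC 4120 module
# convention; the draft's module header is not shown) and omits OPTIONAL s2kparams.
def _len(n):                                   # DER length octets, minimal form
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b
def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body
def _int(v):                                   # INTEGER, minimal two's complement
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def _ctx(n, inner):                            # EXPLICIT [n]: constructed wrapper
    return _tlv(0xA0 | n, inner)

def encode_keyset(kvno, keys, mkvno=None):
    """keys: list of (keytype, keyvalue, salttype or None, salt bytes or None)."""
    body = _ctx(0, _int(kvno)) + (_ctx(1, _int(mkvno)) if mkvno is not None else b"")
    seq = b""
    for keytype, keyvalue, salttype, salt in keys:
        item = b""
        if salttype is not None:               # KrbSalt ::= SEQUENCE { type, salt OPTIONAL }
            s = _ctx(0, _int(salttype)) + (_ctx(1, _tlv(0x04, salt)) if salt is not None else b"")
            item += _ctx(0, _tlv(0x30, s))
        ek = _ctx(0, _int(keytype)) + _ctx(1, _tlv(0x04, keyvalue))      # EncryptionKey
        seq += _tlv(0x30, item + _ctx(1, _tlv(0x30, ek)))                # KrbKey
    return _tlv(0x30, body + _ctx(2, _tlv(0x30, seq)))                   # KrbKeySet

def _read(buf, pos):                           # one TLV; rejects truncated/non-DER lengths
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        if not 1 <= nb <= 4:
            raise ValueError("bad length")
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
        if ln < 0x80:
            raise ValueError("non-minimal length is not DER")
    if pos + ln > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + ln], pos + ln
def _seq(body):                                # children of a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out
def _expl(children, n, want):                  # unwrap EXPLICIT [n]; None if absent
    for tag, val in children:
        if tag == 0xA0 | n:
            inner = _seq(val)
            if len(inner) != 1 or inner[0][0] != want:
                raise ValueError("unexpected content under [%d]" % n)
            return inner[0][1]
    return None

def decode_keyset(buf):
    """Return (kvno, mkvno or None, [(keytype, keyvalue, salttype or None, salt or None)])."""
    i = lambda b: None if b is None else int.from_bytes(b, "big", signed=True)
    tag, body, end = _read(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("krbKeySet must be exactly one SEQUENCE")
    top, keys = _seq(body), []
    for _, kb in _seq(_expl(top, 2, 0x30)):
        kc = _seq(kb)
        ek, sc = _seq(_expl(kc, 1, 0x30)), _seq(_expl(kc, 0, 0x30) or b"")
        keys.append((i(_expl(ek, 0, 0x02)), _expl(ek, 1, 0x04),
                     i(_expl(sc, 0, 0x02)), _expl(sc, 1, 0x04)))
    return i(_expl(top, 0, 0x02)), i(_expl(top, 1, 0x02)), keys
```

The key material in a real entry is the sensitive part; the encoding itself carries no protection, which is why the draft's access-control requirements apply to the whole attribute value.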
NAME 'krbTicketPolicy'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute is related to section 6.4 of the Information Model. It
defines the flags that a user is allowed or required to use in a ticket
#krb5KDCFlagsSyntax SYNTAX ::= {
# WITH SYNTAX INTEGER
#-- initial(0), -- require as-req
#-- forwardable(1), -- may issue forwardable
#-- proxiable(2), -- may issue proxiable
#-- renewable(3), -- may issue renewable
#-- postdate(4), -- may issue postdatable
#-- server(5), -- may be server
#-- client(6), -- may be client
#-- invalid(7), -- entry is invalid
#-- require-preauth(8), -- must use preauth
#-- change-pw(9), -- change password service
#-- require-hwauth(10), -- must use hwauth
#-- ok-as-delegate(11), -- as in TicketFlags
#-- user-to-user(12), -- may use user-to-user auth
#-- immutable(13) -- may not be deleted
# ID { 1.3.6.1.4.1.5322.10.0.1 }
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
This attribute holds arbitrary data that may be needed by a particular
implementation. The values are encoded in ASN.1 DER.
##### The format of the values for this attribute is explained below,
##### ExtraData ::= SEQUENCE {
##### tag [0] OCTET STRING,
##### data [1] OCTET STRING
The following four attributes are outside the scope of the Information Model
but may be useful in some deployments.
NAME 'krbPrincNamingAttr'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
This attribute records which attribute will be used to name
newly created principal entries.
NAME 'krbPrincContainer'
DESC 'DN of container entry for principals'
SUP distinguishedName
This attribute points to the container entry under which
new principal entries will be created.
DESC 'DN of password policy subentry'
SUP distinguishedName
This attribute points to the LDAP password policy subentry
containing the policy that should be applied to Kerberos principals.
Note that in LDAP servers with full subentry support, the subentry's
subtree search specification defines which entries the subentry applies
to, so this attribute is unnecessary; it is provided merely for
informational purposes.
DESC 'LDAP search parameters for locating principals'
This attribute contains LDAP URIs that the KDC will search when
locating principals. The URI values must conform to the syntax
defined in <xref target="RFC4516"/>. As a special case, the URI
prefix "ldap:///" is taken to mean the current LDAP server.
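Parsing krbLDAPURI values along the RFC 4516 grammar, with the "ldap:///" special case mapped to the current server, as an added example that is not code from the draft or any KDC. The default port, scope and filter follow RFC 4516; treating any empty host (not only the literal "ldap:///" prefix) as the local server is this example's assumption, and the sample URIs are constructed.

```python
# Added example, not code from the draft or any KDC: parses krbLDAPURI values along the
# RFC 4516 grammar  scheme://[host[:port]][/dn[?attrs[?scope[?filter[?exts]]]]]  and applies
# the draft's special case that an empty host ("ldap:///") means the current server.
# Sample URIs used with it are constructed.
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")

def parse_krb_ldap_uri(uri):
    """Return a dict describing the search; host None means 'this LDAP server'."""
    scheme, sep, rest = uri.partition("://")
    scheme = scheme.lower()
    if sep != "://" or scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URI: %r" % uri)
    hostport, _, tail = rest.partition("/")
    fields = tail.split("?")
    if len(fields) > 5:
        raise ValueError("too many '?' components: %r" % uri)
    dn, attrs, scope, filt, exts = fields + [""] * (5 - len(fields))
    host = port = None
    if hostport:
        if hostport.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:389
            host, _, port = hostport[1:].partition("]")
            port = port.lstrip(":")
        else:
            host, _, port = hostport.partition(":")
        host = host or None                           # assumption: empty host = local server
        port = int(port) if port else DEFAULT_PORTS[scheme]
    scope = scope.lower() or "base"                   # RFC 4516 default scope
    if scope not in SCOPES:
        raise ValueError("bad scope %r in %r" % (scope, uri))
    return {
        "scheme": scheme, "host": host, "port": port,
        "local": host is None,                        # the draft's "ldap:///" case
        "dn": unquote(dn),
        "attrs": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope,
        "filter": unquote(filt) or "(objectClass=*)", # RFC 4516 default filter
        "exts": [unquote(e) for e in exts.split(",") if e],
    }
```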
<section anchor="classdefs" title="Class Definitions">
<t>This section contains class definitions to be implemented by KDCs
supporting the schema.</t>
( KRBOC.1 NAME 'krbKDCInfo' SUP top AUXILIARY
MAY ( krbTicketMaxLife $ krbTicketMaxRenewal $
krbEncSaltTypes $ krbTicketPolicy $
krbKeySet $ krbKeyVersion ) )
( KRBOC.2 NAME 'krbPrincipal' SUP krbKDCInfo AUXILIARY
MUST ( krbPrincipalName )
MAY ( krbPrincipalAliases $ krbPrincipalRealm $
krbPrincStartTime $ krbPrincEndTime $
( KRBOC.3 NAME 'krbRealm' SUP krbKDCInfo AUXILIARY
MUST ( krbRealmName )
MAY ( krbPrincNamingAttr $ krbPrincContainer $
krbPwdPolicy $ krbLDAPURI ) )
Note that in a krbRealm object the krbKeySet and krbKeyVersion
attributes actually reflect the Master key for the realm. In this
case the krbKeySet's mkvno field and all other optional fields
<section anchor="impl" title="Implementation Details">
<t>Since the LDAP Password Policy is intimately involved in the
security mechanisms of this proposal, the directory should be treated
as more than just a passive data store. (The KDC can certainly read
the policy attributes and evaluate them itself, but that would mean
needlessly duplicating all of the functionality that is already
implemented in the directory server.) This means that for every
Kerberos authentication being serviced, a corresponding LDAP
operation must also be performed, in order to allow the password
policy mechanisms to operate.</t>
<t>The mechanism outlined here assumes that the plain LDAP credentials
and the Kerberos credentials are unified (or at least synchronized). In
that case, for every incoming Kerberos authentication request, the KDC
can issue an LDAP Compare request using the known credentials of
the user and the LDAP Password Policy control. The result of the request
will carry any relevant error codes if the account is disabled, the
password is expired, or various other failures. If preauthentication is
in use and the request is invalid, a Compare with known invalid
credentials may be used to update the password policy state.</t>
<section title="Model Details">
<t>A number of data elements described in the Information Model are
delegated to the LDAP DSA for management. Details of their
usage are described here.</t>
<section title="principalIsDisabled">
<t>Section 6.1.1.4 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this effect is controlled by setting
the krbPrincStartTime attribute to a value greater than or equal to the
krbPrincEndTime attribute.</t>
<section title="principalNumberOfFailedAuthenticationAttempts">
<t>Section 6.1.1.5 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this value is obtained by counting the
number of values stored in the pwdFailureTime attribute.</t>
<section title="principalLastFailedAuthentication">
<t>Section 6.1.1.6 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this value is obtained by retrieving the
values stored in the pwdFailureTime attribute and selecting the most recent value.</t>
<section title="principalLastSuccessfulAuthentication">
<t>Section 6.1.1.7 of the Information Model. This corresponds to the
pwdLastSuccess attribute.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalLastCredentialChangeTime">
<t>Section 6.1.1.8 of the Information Model. This corresponds to the
pwdChangedTime attribute.
If the KDC uses the LDAP <xref target="RFC3062">Password Modify</xref> request
then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalCreateTime">
<t>Section 6.1.1.9 of the Information Model. This corresponds to the
createTimestamp attribute.
The KDC does not need to reference or manipulate this attribute directly.</t>
<section title="principalModifyTime">
<t>Section 6.1.1.10 of the Information Model. This corresponds to the
modifyTimestamp attribute.
The KDC does not need to reference or manipulate this attribute directly.</t>
<section title="keyNotUsedAfter">
<t>Section 6.3.1.5 of the Information Model. This corresponds to the
pwdEndTime attribute. If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="keyNotUsedBefore">
<t>Section 6.3.1.6 of the Information Model. This corresponds to the
pwdStartTime attribute. If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="keyIsDisabled">
<t>Section 6.3.1.7 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this effect is controlled by setting
the pwdStartTime attribute to a value greater than or equal to the
pwdEndTime attribute.</t>
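The "Otherwise" cases of the Model Details above (a KDC that reads the Password Policy attributes itself instead of issuing LDAP requests), worked as an added example that is not code from the draft or any KDC. SAMPLE_ENTRY is constructed data; the attribute names are the draft's and the Password Policy I-D's, only the YYYYMMDDHHMMSSZ GeneralizedTime form is accepted, and the usable_at() combination of the principal and key validity windows is the example's own rule.

```python
# Added example, not code from the draft or any KDC: derives the Information Model
# elements that the draft delegates to the LDAP Password Policy from an entry's
# attribute values, for a KDC that reads those attributes itself rather than issuing
# Password Policy requests. SAMPLE_ENTRY is constructed data; the attribute names are
# the draft's and the Password Policy I-D's; usable_at() is the example's own rule.
from datetime import datetime, timezone

SAMPLE_ENTRY = {
    "krbPrincipalName": ["alice@EXAMPLE.COM"],
    "krbPrincStartTime": ["20090101000000Z"],
    "krbPrincEndTime": ["20101231235959Z"],
    "pwdChangedTime": ["20090901100000Z"],
    "pwdStartTime": ["20090901100000Z"],
    "pwdEndTime": ["20091201000000Z"],
    "pwdLastSuccess": ["20091004180000Z"],
    "pwdFailureTime": ["20091005120000Z", "20091007083000Z", "20091006090000Z"],
}

def parse_gt(value):
    """Parse the GeneralizedTime form YYYYMMDDHHMMSSZ; other RFC 4517 forms are rejected."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime form: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _first_time(entry, attr):
    values = entry.get(attr, [])
    return parse_gt(values[0]) if values else None

def _window_closed(entry, start_attr, end_attr):
    """The draft's encoding of 'disabled': start time >= end time (both present)."""
    start, end = _first_time(entry, start_attr), _first_time(entry, end_attr)
    return start is not None and end is not None and start >= end

def model_view(entry):
    """Delegated Information Model elements, keyed by the Model's section numbers."""
    failures = sorted(parse_gt(v) for v in entry.get("pwdFailureTime", []))
    return {
        "6.1.1.4 principalIsDisabled": _window_closed(entry, "krbPrincStartTime", "krbPrincEndTime"),
        "6.1.1.5 principalNumberOfFailedAuthenticationAttempts": len(failures),
        "6.1.1.6 principalLastFailedAuthentication": failures[-1] if failures else None,
        "6.1.1.7 principalLastSuccessfulAuthentication": _first_time(entry, "pwdLastSuccess"),
        "6.1.1.8 principalLastCredentialChangeTime": _first_time(entry, "pwdChangedTime"),
        "6.3.1.5 keyNotUsedAfter": _first_time(entry, "pwdEndTime"),
        "6.3.1.6 keyNotUsedBefore": _first_time(entry, "pwdStartTime"),
        "6.3.1.7 keyIsDisabled": _window_closed(entry, "pwdStartTime", "pwdEndTime"),
    }

def usable_at(entry, now):
    """True when both the principal validity window and the key validity window
    admit 'now'. A closed (disabled) window can never admit any instant."""
    def open_at(start_attr, end_attr):
        start, end = _first_time(entry, start_attr), _first_time(entry, end_attr)
        return (start is None or start <= now) and (end is None or now < end)
    return open_at("krbPrincStartTime", "krbPrincEndTime") and open_at("pwdStartTime", "pwdEndTime")
```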
<section title="KeySet details">
<t>The krbKeySet attribute is multi-valued, but it is expected that
it will usually contain only one value. During a password change operation
the KDC may choose to keep one previous value present to allow currently
active clients to continue to operate using the previous key. How long to
retain this old password is unspecified here. Note also that the LDAP
Password Policy mechanism already has provisions for password history
management, so the krbKeySet attribute should not be used for
long-term password history tracking.</t>
<section anchor="security" title="Security Considerations">
<t>This entire document is concerned with an implementation of a secure
distributed authentication mechanism. It should be understood that
the various keys used here are all sensitive pieces of data and must
be adequately protected using access controls and other mechanisms.
Likewise all communications between the KDC and DSA must be protected
whenever sensitive data is being referenced.</t>
<t>In common practice the KDC and DSA have been colocated on a
single host and communicated over a local
<xref target="I-D.chu-ldap-ldapi">LDAP IPC</xref> session. As such it was
implied that the host security was equivalent for both. If a KDC is
configured to use a remote DSA, the remote host should be
configured with at least the same level of security as the KDC host,
and a secure channel MUST be used for the LDAP session.</t>
<t>Storing the Master Key in the DSA makes it even more
crucial that the LDAP host, service, and data files be adequately
protected. Backups of the LDAP database should also be encrypted to
protect the integrity of any keys contained therein.</t>
<section title="IANA Considerations">
<t>In accordance with <xref target="RFC4520"/> the following registrations
<section title="Object Identifiers">
<t>[[List of OIDs, registration template goes here...]]</t>
<section title="LDAP Descriptors">
<t>[[List of Attribute and ObjectClass descriptors, template goes here...]]</t>
<section anchor="acks" title="Acknowledgements">
<t>Thanks to Love Hörnquist Åstrand
from Apple Corp. for the initial feedback on this document.</t>
<references title="Normative References">
<reference anchor="X.680">
<title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
<date month="July" year="2002" />
<seriesInfo name="ITU-T Recommendation" value="X.680" />
<reference anchor="X.690">
<title>Information Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)</title>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
<date month="July" year="2002" />
<seriesInfo name="ITU-T Recommendation" value="X.690" />
<references title="Informative References">