<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc4120 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4120.xml'>
<!ENTITY rfc4511 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml'>
<!ENTITY rfc4513 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4513.xml'>
<!ENTITY rfc4516 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4516.xml'>
<!ENTITY rfc4517 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4517.xml'>
<!ENTITY rfc4520 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4520.xml'>
<!ENTITY rfc2831 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2831.xml'>
<!ENTITY rfc3062 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3062.xml'>
<!ENTITY rfc3112 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3112.xml'>
<!ENTITY rfc3383 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3383.xml'>
<!ENTITY rfc3672 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3672.xml'>
<!ENTITY ldapi PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-chu-ldap-ldapi-00.xml'>
<!ENTITY ppolicy PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.behera-ldap-password-policy.xml'>
<!ENTITY kdcmodel PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-krb-wg-kdc-model-05.xml'>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc symrefs="yes" ?>
docName="draft-chu-ldap-kdc-schema-00">
<title abbrev="LDAP KDC Schema">
An LDAP Schema for Kerberos KDC Information
<author initials="H." fullname="Howard Chu" surname="Chu">
<organization>Symas Corp.</organization>
<street>18740 Oxnard Street, Suite 313A</street>
<region>California</region>
<phone>+1 818 757-7087</phone>
<email>hyc@symas.com</email>
<uri>http://www.symas.com</uri>
<author initials="S." fullname="Simo Sorce" surname="Sorce">
<organization>Red Hat, Inc.</organization>
<street>140 Broadway, 24th Floor</street>
<region>New York</region>
<phone>+1 212 344-2501</phone>
<email>ssorce@redhat.com</email>
<uri>http://www.redhat.com</uri>
<date month="October" year="2009"/>
<t>This document describes an <xref target="RFC4511">LDAP</xref> schema for implementing the
<xref target="RFC4120">Kerberos 5</xref>
<xref target="I-D.ietf-krb-wg-kdc-model">KDC Information Model</xref>.
It also defines additional elements which are not covered by the Information Model,
but are already in common use.
<section anchor="background" title="Background and Motivation">
<t>Both Kerberos and LDAP are frequently used separately for
distributed authentication. They can also be used in combination,
but typically their user databases remained separate. This distinction
in databases causes unnecessary duplication of data and administration
overhead. As such it is desirable for both systems to share a single
database. Since the LDAP data model is more general it is most
appropriate to store the Kerberos data in LDAP.</t>
<t>A number of Kerberos implementations already have support for
using LDAP as their KDC backing store. However, each implementation
uses its own schema, and the multiple schemas are mutually
incompatible. For the sake of interoperability and administrative
ease, it is important to define a single standard schema that can
be used uniformly by all Kerberos KDC implementations and interoperates
with existing LDAP specifications.</t>
<section anchor="general" title="General Issues">
<section anchor="genera.terms" title="Terminology">
<t>The key words "MUST", "SHOULD", and "MAY" used in this document
are to be interpreted as described in
<xref target="RFC2119"/>.</t>
<t>The OIDs defined below are derived from
<!-- joint-iso-ccitt(2) country(16) us(840) organization(1) Novell(113719) applications(1) kerberos(301)
iso(1) member-body(2) United States(840) mit (113554) infosys(1) ldap(4) attributeTypes(1) Kerberos(6) -->
TBD.OID:<vspace blankLines="0"/>
KRBSYN = TBD.OID.0<vspace blankLines="0"/>
KRBATTR = TBD.OID.1<vspace blankLines="0"/>
KRBOC = TBD.OID.2<vspace blankLines="0"/>
<section title="Schema">
<t>The attributes and classes defined in this document are summarized
<section anchor="general.attrs" title="Attributes">
<t>The following attributes are defined in this document:
krbPrincipalName<vspace blankLines="0"/>
krbPrincipalAliases<vspace blankLines="0"/>
krbTicketMaxLife<vspace blankLines="0"/>
krbTicketMaxRenewal<vspace blankLines="0"/>
krbEncSaltTypes<vspace blankLines="0"/>
krbRealmName<vspace blankLines="0"/>
krbPrincipalRealm<vspace blankLines="0"/>
krbKeySet<vspace blankLines="0"/>
krbKeyVersion<vspace blankLines="0"/>
krbTicketPolicy<vspace blankLines="0"/>
krbExtraData<vspace blankLines="0"/>
krbPrincNamingAttr<vspace blankLines="0"/>
krbPrincContainer<vspace blankLines="0"/>
krbPwdPolicy<vspace blankLines="0"/>
krbLDAPURI<vspace blankLines="0"/>
Additionally, some of the attributes defined in
<xref target="I-D.behera-ldap-password-policy">LDAP Password Policy
</xref> are required.
<t>Note: The MIT/Novell schema includes a number of elements for storing the KDC configuration
in LDAP. The Information Model doesn't cover these aspects, so I've omitted them for now.
Do we need to add them?</t>
<section anchor="general.classes" title="Object Classes">
<t>The following object classes are defined in this document:
krbKDCInfo<vspace blankLines="0"/>
krbPrincipal<vspace blankLines="0"/>
krbRealm<vspace blankLines="0"/>
<section anchor="attrdefs" title="Attribute Definitions">
<t>This section contains attribute definitions to be implemented
by KDCs supporting this schema:
NAME 'krbPrincipalName'
DESC 'Canonical principal name'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
NAME 'krbPrincipalAliases'
SUP krbPrincipalName )
These attributes implement section 6.1.1.1 of the Information Model. The
krbPrincipalName attribute contains the canonical name of the principal.
Any aliases are stored in the krbPrincipalAliases attribute. Since the
krbPrincipalAliases attribute is a subtype of the krbPrincipalName
attribute, a search on krbPrincipalName will also search the aliases.
NAME 'krbPrincStartTime'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
This attribute implements section 6.1.1.2 of the Information Model.
It holds the date the principal becomes valid.
NAME 'krbPrincEndTime'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
This attribute implements section 6.1.1.3 of the Information Model.
It holds the date the principal becomes invalid.
NAME 'krbTicketMaxLife'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.1.1.11 of the Information Model.
It holds the maximum ticket lifetime in seconds for a principal.
NAME 'krbTicketMaxRenewal'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.1.1.12 of the Information Model.
It holds the maximum time in seconds a ticket may be renewed for.
NAME 'krbEncSaltTypes'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
This attribute implements section 6.1.1.13 of the Information Model.
It holds the allowed encryption/salt type combinations for this principal.
If empty or absent, any combination supported by the implementation is allowed.
Note that sections 6.1.1.4 through 6.1.1.10 are implemented using the
LDAP Password Policy schema.
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
NAME 'krbPrincipalRealm'
DESC 'DN of krbRealm entry'
SUP distinguishedName )
These attributes provide information about the current realm. They provide
the minimal set of information required to implement section 6.1.3 of the
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.2.1.1 of the Information Model.
It stores the version number of the current key.
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
This attribute implements sections 6.3.1.1 through 6.3.1.4 of the Information Model.
Sections 6.3.1.5 through 6.3.1.7 are implemented using the LDAP Password Policy schema.
This attribute holds the principal's keys optionally encrypted with the
Master Key. The attribute is encoded using <xref target="X.680">ASN.1</xref>
<xref target="X.690">DER</xref>.
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### kvno [0] UInt32,
##### mkvno [1] UInt32 OPTIONAL,
##### keys [2] SEQUENCE OF KrbKey,
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
</artwork></figure></t>
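<t>The following is an added example, not code from this draft or from any KDC implementation: a small Python codec that produces and parses a krbKeySet value according to the KrbKeySet definition above, and that selects the current value of the multi-valued attribute by kvno. It assumes the EXPLICIT context tagging RFC 4120 uses for [n] fields; the key and salt bytes in it are constructed sample data, not real keys.</t>
<figure><artwork><![CDATA[
```python
# DER codec for the krbKeySet value (the KrbKeySet structure above). Added example,
# not code from the draft or any KDC; it assumes the EXPLICIT context tagging RFC 4120
# uses for [n] fields, i.e. a constructed tag (0xA0 | n) wrapping the real element.
# All key and salt bytes below are constructed sample values, not real keys.

def _length(n):
    # DER length octets: short form below 128, long form (0x80 | byte count) above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _integer(v):
    # shortest two's-complement INTEGER; biasing negatives by one lets -128 fit one byte
    n = (v + (v < 0)).bit_length() // 8 + 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def _octets(b): return _tlv(0x04, b)
def _sequence(*parts): return _tlv(0x30, b"".join(parts))
def _ctx(n, inner): return _tlv(0xA0 | n, inner)   # EXPLICIT context-specific [n]

def encode_keyset(kvno, keys, mkvno=None):
    # keys: dicts with keytype, keyvalue and optional salttype, salt, s2kparams
    encoded = []
    for k in keys:
        parts = []
        if "salttype" in k:  # KrbSalt is OPTIONAL, and its salt octets are OPTIONAL too
            salt = [_ctx(0, _integer(k["salttype"]))]
            if k.get("salt") is not None:
                salt.append(_ctx(1, _octets(k["salt"])))
            parts.append(_ctx(0, _sequence(*salt)))
        parts.append(_ctx(1, _sequence(_ctx(0, _integer(k["keytype"])), _ctx(1, _octets(k["keyvalue"])))))
        if k.get("s2kparams") is not None:
            parts.append(_ctx(2, _octets(k["s2kparams"])))
        encoded.append(_sequence(*parts))
    body = [_ctx(0, _integer(kvno))]
    if mkvno is not None:  # absent mkvno: the keys are stored without Master Key wrapping
        body.append(_ctx(1, _integer(mkvno)))
    body.append(_ctx(2, _sequence(*encoded)))
    return _sequence(*body)

def _read_tlv(buf, pos):
    # returns (tag, value bytes, position just past the element), rejecting truncation
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _fields(body):
    # map context tag number -> inner (tag, value) of an explicitly tagged SEQUENCE body
    fields = {}
    for tag, val in _children(body):
        inner = _children(val)
        if tag & 0xE0 != 0xA0 or len(inner) != 1:
            raise ValueError("expected one explicitly tagged element at tag 0x%02x" % tag)
        fields[tag & 0x1F] = inner[0]
    return fields

def _typed(expected, tv):
    if tv[0] != expected:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expected, tv[0]))
    return tv[1]
def _int(tv):
    return int.from_bytes(_typed(0x02, tv), "big", signed=True)

def decode_keyset(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("value is not exactly one KrbKeySet SEQUENCE")
    f = _fields(body)
    result = {"kvno": _int(f[0]), "mkvno": _int(f[1]) if 1 in f else None, "keys": []}
    for kt, kb in _children(_typed(0x30, f[2])):
        kf = _fields(_typed(0x30, (kt, kb)))
        ek = _fields(_typed(0x30, kf[1]))
        key = {"keytype": _int(ek[0]), "keyvalue": _typed(0x04, ek[1])}
        if 0 in kf:
            sf = _fields(_typed(0x30, kf[0]))
            key["salttype"] = _int(sf[0])
            if 1 in sf:
                key["salt"] = _typed(0x04, sf[1])
        if 2 in kf:
            key["s2kparams"] = _typed(0x04, kf[2])
        result["keys"].append(key)
    return result

def current_keyset(values):
    # krbKeySet is multi-valued; the value carrying the highest kvno is the current one
    return max((decode_keyset(v) for v in values), key=lambda ks: ks["kvno"])

# Constructed sample: one aes256-cts (enctype 18) key with a normal (type 0) salt.
SAMPLE_KEYS = [{"keytype": 18, "keyvalue": bytes(range(32)), "salttype": 0, "salt": b"EXAMPLE.COMalice"}]
```
]]></artwork></figure>
<t>encode_keyset(3, SAMPLE_KEYS, mkvno=1) yields the octets to store as one krbKeySet value; decode_keyset rejects values that are truncated or carry an unexpected tag, which is the check a KDC should make before acting on anything read back from the directory.</t>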
NAME 'krbTicketPolicy'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute is related to section 6.4 of the Information Model. It
defines the flags that a user is allowed or required to use in a ticket
#krb5KDCFlagsSyntax SYNTAX ::= {
# WITH SYNTAX INTEGER
#-- initial(0), -- require as-req
#-- forwardable(1), -- may issue forwardable
#-- proxiable(2), -- may issue proxiable
#-- renewable(3), -- may issue renewable
#-- postdate(4), -- may issue postdatable
#-- server(5), -- may be server
#-- client(6), -- may be client
#-- invalid(7), -- entry is invalid
#-- require-preauth(8), -- must use preauth
#-- change-pw(9), -- change password service
#-- require-hwauth(10), -- must use hwauth
#-- ok-as-delegate(11), -- as in TicketFlags
#-- user-to-user(12), -- may use user-to-user auth
#-- immutable(13) -- may not be deleted
# ID { 1.3.6.1.4.1.5322.10.0.1 }
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
This attribute holds arbitrary data that may be needed by a particular
implementation. The values are encoded in ASN.1 DER.
##### The format of the values for this attribute is explained below,
##### ExtraData ::= SEQUENCE {
##### tag [0] OCTET STRING,
##### data [1] OCTET STRING
The following four attributes are outside the scope of the Information Model
but may be useful in some deployments.
NAME 'krbPrincNamingAttr'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
This attribute records what attribute will be used to name
newly created principal entries.
NAME 'krbPrincContainer'
DESC 'DN of container entry for principals'
SUP distinguishedName
This attribute points to the container entry under which
new principal entries will be created.
DESC 'DN of password policy subentry'
SUP distinguishedName
This attribute points to the LDAP password policy subentry
containing the policy that should be applied to Kerberos principals.
Note that in LDAP servers with full subentry support, the subentry's
subtree search specification defines what entries the subentry applies
to, so this attribute is unnecessary; it is provided merely for
informational purposes.
DESC 'LDAP search parameters for locating principals'
This attribute contains LDAP URIs that the KDC will search when
locating principals. The URI values must conform to the syntax
defined in <xref target="RFC4516"/>. As a special case, the URI
prefix "ldap:///" is taken to mean the current LDAP server.
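<t>As an added example (not code from this draft or from any KDC), the Python below parses krbLDAPURI values per RFC 4516, treats an empty host as the current server in line with the "ldap:///" rule above, and shows how the configured filter can be combined with a principal name using RFC 4515 escaping, so that a principal name supplied by a client cannot alter the structure of the search. The sample URIs and the principal_search helper are constructed for illustration.</t>
<figure><artwork><![CDATA[
```python
# Parser for krbLDAPURI values (RFC 4516 LDAP URLs) and the principal lookup a KDC would
# build from one. Added example, not code from the draft or any KDC; the "ldap:///"
# convention (empty host = the server the KDC is already talking to) follows the text
# above, and the filter escaping follows RFC 4515. Sample URIs are constructed.
from urllib.parse import unquote

LOCAL_SERVER = None  # host value meaning "the current LDAP server"

def parse_ldap_uri(uri):
    scheme, sep, rest = uri.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URI: %r" % uri)
    hostport, _, path = rest.partition("/")
    if hostport == "":
        host, port = LOCAL_SERVER, None
    elif hostport.startswith("["):  # IPv6 literal, e.g. [2001:db8::1]:389
        end = hostport.index("]")
        host = hostport[1:end]
        port = int(hostport[end + 2:]) if hostport[end + 1:].startswith(":") else None
    elif ":" in hostport:
        host, port = hostport.rsplit(":", 1)
        port = int(port)
    else:
        host, port = hostport, None
    if host is not None and port is None:
        port = 636 if scheme == "ldaps" else 389
    # dn?attrs?scope?filter?extensions, each optional; a '?' inside a component is percent-encoded
    dn, attrs, scope, filt, exts = (path.split("?", 4) + [""] * 5)[:5]
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return {
        "scheme": scheme, "host": host, "port": port, "dn": unquote(dn),
        "attrs": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope,
        "filter": unquote(filt) if filt else "(objectClass=*)",
        "extensions": [unquote(e) for e in exts.split(",") if e],
    }

def escape_filter_value(value):
    # RFC 4515 escaping: a principal name can never change the structure of the filter
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def principal_search(uri, principal):
    # Combine the configured filter with the principal name; because krbPrincipalAliases is
    # a subtype of krbPrincipalName, this single filter also matches entries by alias.
    p = parse_ldap_uri(uri)
    term = "(krbPrincipalName=%s)" % escape_filter_value(principal)
    p["filter"] = term if p["filter"] == "(objectClass=*)" else "(&%s%s)" % (p["filter"], term)
    return p

# Constructed krbLDAPURI values as a krbRealm entry might carry them.
SAMPLE_URIS = [
    "ldap:///ou=People,dc=example,dc=com??sub?(objectClass=krbPrincipal)",
    "ldaps://ldap.example.com:6360/ou=Services,dc=example,dc=com?krbPrincipalName,krbKeySet?one",
]
```
]]></artwork></figure>
<t>A KDC would iterate over the realm's krbLDAPURI values in order, run principal_search for each, and stop at the first entry found; a host of None tells it to reuse its existing connection rather than open a new one.</t>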
<section anchor="classdefs" title="Class Definitions">
<t>This section contains class definitions to be implemented by KDCs
supporting the schema.</t>
( KRBOC.1 NAME 'krbKDCInfo' SUP top AUXILIARY
MAY ( krbTicketMaxLife $ krbTicketMaxRenewal $
krbEncSaltTypes $ krbTicketPolicy $
krbKeySet $ krbKeyVersion ) )
( KRBOC.2 NAME 'krbPrincipal' SUP krbKDCInfo AUXILIARY
MUST ( krbPrincipalName )
MAY ( krbPrincipalAliases $ krbPrincipalRealm $
krbPrincStartTime $ krbPrincEndTime $
( KRBOC.3 NAME 'krbRealm' SUP krbKDCInfo AUXILIARY
MUST ( krbRealmName )
MAY ( krbPrincNamingAttr $ krbPrincContainer $
krbPwdPolicy $ krbLDAPURI ) )
Note that in a krbRealm object the krbKeySet and krbKeyVersion
attributes actually reflect the Master key for the realm. In this
case the krbKeySet's mkvno field and all other optional fields
<section anchor="impl" title="Implementation Details">
<t>Since the LDAP Password Policy is intimately involved in the
security mechanisms of this proposal, the directory should be treated
as more than just a passive data store. (The KDC can certainly read
the policy attributes and evaluate them itself, but that would mean
needlessly duplicating all of the functionality that is already
implemented in the directory server.) This means that for every
Kerberos authentication being serviced, a corresponding LDAP
operation must also be performed, in order to allow the password
policy mechanisms to operate.</t>
<t>The mechanism outlined here assumes that the plain LDAP credentials
and the Kerberos credentials are unified (or at least synchronized). In
that case, for every incoming Kerberos authentication request, the KDC
can issue an LDAP Compare request using the known credentials of
the user and the LDAP Password Policy control. The result of the request
will carry any relevant error codes if the account is disabled, the
password is expired, or various other failures. If preauthentication is
in use and the request is invalid, a Compare with known invalid
credentials may be used to update the password policy state.</t>
<section title="Model Details">
<t>A number of data elements described in the Information Model are
delegated to the LDAP DSA for management. Details of their
usage are described here.</t>
<section title="principalNotUsedBefore">
<t>Section 6.1.1.2 of the Information Model. This corresponds to the
pwdStartTime attribute. If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalNotUsedAfter">
<t>Section 6.1.1.3 of the Information Model. This corresponds to the
pwdEndTime attribute. If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalIsDisabled">
<t>Section 6.1.1.4 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this effect is controlled by setting
the pwdStartTime attribute to a value greater than or equal to the
pwdEndTime attribute.</t>
<section title="principalNumberOfFailedAuthenticationAttempts">
<t>Section 6.1.1.5 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this value is obtained by counting the
number of values stored in the pwdFailureTime attribute.</t>
<section title="principalLastFailedAuthentication">
<t>Section 6.1.1.6 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this value is obtained by retrieving the
values stored in the pwdFailureTime attribute and selecting the most recent value.</t>
<section title="principalLastSuccessfulAuthentication">
<t>Section 6.1.1.7 of the Information Model. This corresponds to the
pwdLastSuccess attribute.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalLastCredentialChangeTime">
<t>Section 6.1.1.8 of the Information Model. This corresponds to the
pwdChangedTime attribute.
If the KDC uses the LDAP <xref target="RFC3062">Password Modify</xref> request
then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalCreateTime">
<t>Section 6.1.1.9 of the Information Model. This corresponds to the
createTimestamp attribute.
The KDC does not need to reference or manipulate this attribute directly.</t>
<section title="principalModifyTime">
<t>Section 6.1.1.10 of the Information Model. This corresponds to the
modifyTimestamp attribute.
The KDC does not need to reference or manipulate this attribute directly.</t>
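<t>Added example, not code from this draft or from any KDC: for a KDC that takes the "otherwise" path in the sections above and evaluates the entry itself instead of delegating to the DSA through Compare with the Password Policy control, the Python below derives the Information Model elements of sections 6.1.1.2 through 6.1.1.10 from the pwdStartTime, pwdEndTime, pwdFailureTime, pwdLastSuccess, pwdChangedTime, createTimestamp and modifyTimestamp attributes. The sample entry is constructed, and the usable_now field is an assumption added here, not an element of the Information Model.</t>
<figure><artwork><![CDATA[
```python
# Derive the Information Model elements of sections 6.1.1.2 to 6.1.1.10 from the LDAP
# Password Policy and operational attributes, for a KDC that reads the entry itself rather
# than delegating to the DSA through Compare with the Password Policy control. Added
# example, not code from the draft or any KDC; the sample entry is constructed and only the
# "YYYYMMDDHHMMSS[.fff]Z" form of GeneralizedTime (RFC 4517) is handled.
from datetime import datetime, timezone

def parse_generalized_time(value):
    if not value.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime values are supported: %r" % value)
    base, _, frac = value[:-1].partition(".")
    dt = datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int(frac.ljust(6, "0")[:6])) if frac else dt

def _single(entry, attr):
    # single-valued time attribute, or None when the entry does not carry it
    values = entry.get(attr, [])
    return parse_generalized_time(values[0]) if values else None

def principal_state(entry, now):
    # entry: attribute name -> list of string values, as an LDAP search would return them
    start, end = _single(entry, "pwdStartTime"), _single(entry, "pwdEndTime")
    failures = sorted(parse_generalized_time(v) for v in entry.get("pwdFailureTime", []))
    # 6.1.1.4: the principal is disabled when pwdStartTime is at or after pwdEndTime
    disabled = start is not None and end is not None and start >= end
    return {
        "principalNotUsedBefore": start,                                         # 6.1.1.2
        "principalNotUsedAfter": end,                                            # 6.1.1.3
        "principalIsDisabled": disabled,                                         # 6.1.1.4
        "principalNumberOfFailedAuthenticationAttempts": len(failures),          # 6.1.1.5
        "principalLastFailedAuthentication": failures[-1] if failures else None, # 6.1.1.6
        "principalLastSuccessfulAuthentication": _single(entry, "pwdLastSuccess"),  # 6.1.1.7
        "principalLastCredentialChangeTime": _single(entry, "pwdChangedTime"),   # 6.1.1.8
        "principalCreateTime": _single(entry, "createTimestamp"),                # 6.1.1.9
        "principalModifyTime": _single(entry, "modifyTimestamp"),                # 6.1.1.10
        # assumption added here: authentication is possible now only inside [start, end)
        "usable_now": not disabled and (start is None or start <= now) and (end is None or now < end),
    }

# Constructed entry with three recorded failures; the most recent is not the last listed,
# which is why the failures are sorted rather than taken in attribute order.
SAMPLE_ENTRY = {
    "pwdStartTime": ["20091001000000Z"],
    "pwdEndTime": ["20101001000000Z"],
    "pwdFailureTime": ["20091015120000Z", "20091015120530Z", "20091014090000Z"],
    "pwdLastSuccess": ["20091013080000Z"],
    "pwdChangedTime": ["20091001000000Z"],
    "createTimestamp": ["20090901000000Z"],
    "modifyTimestamp": ["20091015120530Z"],
}
```
]]></artwork></figure>
<t>LDAP does not guarantee value order, so principalLastFailedAuthentication is computed by sorting the pwdFailureTime values rather than by reading the last one returned; a KDC that simply mirrored attribute order would under-report the most recent failure.</t>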
<section title="KeySet details">
<t>The krbKeySet attribute is multi-valued but it is expected that
it will usually only contain one value. During a password change operation
the KDC may choose to keep one previous value present to allow currently
active clients to continue to operate using the previous key. How long to
retain this old password is unspecified here. Note also that the LDAP
Password Policy mechanism already has provisions for password history
management, so the krbKeySet attribute should not be used for
long-term password history tracking.</t>
<section anchor="security" title="Security Considerations">
<t>This entire document is concerned with an implementation of a secure
distributed authentication mechanism. It should be understood that
the various keys used here are all sensitive pieces of data and must
be adequately protected using access controls and other mechanisms.
Likewise all communications between the KDC and DSA must be protected
whenever sensitive data is being referenced.</t>
<t>In common practice the KDC and DSA have been colocated on a
single host and communicated over a local
<xref target="I-D.chu-ldap-ldapi">LDAP IPC</xref> session. As such it was
implied that the host security was equivalent for both. If a KDC is
configured to use a remote DSA, the remote host should be
configured with at least the same level of security as the KDC host,
and a secure channel MUST be used for the LDAP session.</t>
<t>Storing the Master Key in the DSA makes it even more
crucial that the LDAP host, service, and data files be adequately
protected. Backups of the LDAP database should also be encrypted to
protect the integrity of any keys contained therein.</t>
<section title="IANA Considerations">
<t>In accordance with <xref target="RFC4520"/> the following registrations
<section title="Object Identifiers">
<t>[[List of OIDs, registration template goes here...]]</t>
<section title="LDAP Descriptors">
<t>[[List of Attribute and ObjectClass descriptors, template goes here...]]</t>
<section anchor="acks" title="Acknowledgements">
<t>Thanks to Love Hörnquist Åstrand
from Apple Corp. for the initial feedback on this document.</t>
<references title="Normative References">
<reference anchor="X.680">
<title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
<date month="July" year="2002" />
<seriesInfo name="ITU-T Recommendation" value="X.680" />
<reference anchor="X.690">
<title>Information Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)</title>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
<date month="July" year="2002" />
<seriesInfo name="ITU-T Recommendation" value="X.690" />
<references title="Informative References">