<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc4120 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4120.xml'>
<!ENTITY rfc4511 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml'>
<!ENTITY rfc4513 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4513.xml'>
<!ENTITY rfc4516 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4516.xml'>
<!ENTITY rfc4517 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4517.xml'>
<!ENTITY rfc4520 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4520.xml'>
<!ENTITY rfc2831 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2831.xml'>
<!ENTITY rfc3062 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3062.xml'>
<!ENTITY rfc3112 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3112.xml'>
<!ENTITY rfc3383 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3383.xml'>
<!ENTITY rfc3672 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3672.xml'>
<!ENTITY ldapi PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-chu-ldap-ldapi-00.xml'>
<!ENTITY ppolicy PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.behera-ldap-password-policy.xml'>
<!ENTITY kdcmodel PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-krb-wg-kdc-model-05.xml'>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc symrefs="yes" ?>
docName="draft-chu-ldap-kdc-schema-00">
<title abbrev="LDAP KDC Schema">
An LDAP Schema for Kerberos KDC Information
<author initials="H." fullname="Howard Chu" surname="Chu">
<organization>Symas Corp.</organization>
<street>18740 Oxnard Street, Suite 313A</street>
<region>California</region>
<phone>+1 818 757-7087</phone>
<email>hyc@symas.com</email>
<uri>http://www.symas.com</uri>
<author initials="S." fullname="Simo Sorce" surname="Sorce">
<organization>Red Hat, Inc.</organization>
<street>140 Broadway, 24th Floor</street>
<region>New York</region>
<phone>+1 212 344-2501</phone>
<email>ssorce@redhat.com</email>
<uri>http://www.redhat.com</uri>
<date month="October" year="2009"/>
<t>This document describes an <xref target="RFC4511">LDAP</xref> schema for implementing the
<xref target="RFC4120">Kerberos 5</xref>
<xref target="I-D.ietf-krb-wg-kdc-model">KDC Information Model</xref>.
It also defines additional elements which are not covered by the Information Model,
but are already in common use.
<section anchor="background" title="Background and Motivation">
<t>Both Kerberos and LDAP are frequently used separately for
distributed authentication. They can also be used in combination,
but typically their user databases have remained separate. This separation
of databases causes unnecessary duplication of data and administration
overhead. As such, it is desirable for both systems to share a single
database. Since the LDAP data model is more general, it is most
appropriate to store the Kerberos data in LDAP.</t>
<t>A number of Kerberos implementations already have support for
using LDAP as their KDC backing store. However, each implementation
uses its own schema, and the multiple schemas are mutually
incompatible. For the sake of interoperability and administrative
ease, it is important to define a single standard schema that can
be used uniformly by all Kerberos KDC implementations and interoperates
with existing LDAP specifications.</t>
<section anchor="general" title="General Issues">
<section anchor="genera.terms" title="Terminology">
<t>The key words "MUST", "SHOULD", and "MAY" used in this document
are to be interpreted as described in
<xref target="RFC2119"/>.</t>
<t>The OIDs defined below are derived from
<!-- joint-iso-ccitt(2) country(16) us(840) organization(1) Novell(113719) applications(1) kerberos(301)
iso(1) member-body(2) United States(840) mit (113554) infosys(1) ldap(4) attributeTypes(1) Kerberos(6) -->
TBD.OID:<vspace blankLines="0"/>
KRBSYN = TBD.OID.0<vspace blankLines="0"/>
KRBATTR = TBD.OID.1<vspace blankLines="0"/>
KRBOC = TBD.OID.2<vspace blankLines="0"/>
<section title="Schema">
<t>The attributes and classes defined in this document are summarized
<section anchor="general.attrs" title="Attributes">
<t>The following attributes are defined in this document:
krbPrincipalName<vspace blankLines="0"/>
krbPrincipalAliases<vspace blankLines="0"/>
krbTicketMaxLife<vspace blankLines="0"/>
krbTicketMaxRenewal<vspace blankLines="0"/>
krbEncSaltTypes<vspace blankLines="0"/>
krbRealmName<vspace blankLines="0"/>
krbPrincipalRealm<vspace blankLines="0"/>
krbKeySet<vspace blankLines="0"/>
krbKeyVersion<vspace blankLines="0"/>
krbTicketPolicy<vspace blankLines="0"/>
krbExtraData<vspace blankLines="0"/>
krbPrincNamingAttr<vspace blankLines="0"/>
krbPrincContainer<vspace blankLines="0"/>
krbPwdPolicy<vspace blankLines="0"/>
krbLDAPURI<vspace blankLines="0"/>
Additionally, some of the attributes defined in
<xref target="I-D.behera-ldap-password-policy">LDAP Password Policy
</xref> are required.
<t>Note: The MIT/Novell schema includes a number of elements for storing the KDC configuration
in LDAP. The Information Model doesn't cover these aspects, so I've omitted them for now.
Do we need to add them?</t>
<section anchor="general.classes" title="Object Classes">
<t>The following object classes are defined in this document:
krbKDCInfo<vspace blankLines="0"/>
krbPrincipal<vspace blankLines="0"/>
krbRealm<vspace blankLines="0"/>
<section anchor="attrdefs" title="Attribute Definitions">
<t>This section contains attribute definitions to be implemented
by KDCs supporting this schema:
NAME 'krbPrincipalName'
DESC 'Canonical principal name'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
NAME 'krbPrincipalAliases'
SUP krbPrincipalName )
These attributes implement section 6.1.1.1 of the Information Model. The
krbPrincipalName attribute contains the canonical name of the principal.
Any aliases are stored in the krbPrincipalAliases attribute. Since the
krbPrincipalAliases attribute is a subtype of the krbPrincipalName
attribute, a search on krbPrincipalName will also search the aliases.
NAME 'krbTicketMaxLife'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.1.1.11 of the Information Model.
It holds the maximum ticket lifetime in seconds for a principal.
NAME 'krbTicketMaxRenewal'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.1.1.12 of the Information Model.
It holds the maximum time in seconds a ticket may be renewed for.
NAME 'krbEncSaltTypes'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
This attribute implements section 6.1.1.13 of the Information Model.
It holds the allowed encryption/salt type combinations for this principal.
If empty or absent, any combination supported by the implementation is allowed.
Note that sections 6.1.1.2 through 6.1.1.10 are implemented using the
LDAP Password Policy schema.
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
NAME 'krbPrincipalRealm'
DESC 'DN of krbRealm entry'
SUP distinguishedName )
These attributes provide information about the current realm. They provide
the minimal set of information required to implement section 6.1.3 of the
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute implements section 6.2.1.1 of the Information Model.
It stores the version number of the current key.
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
This attribute implements sections 6.3.1.1 through 6.3.1.4 of the Information Model.
Sections 6.3.1.5 through 6.3.1.7 are implemented using the LDAP Password Policy schema.
This attribute holds the principal's keys, optionally encrypted with the
Master Key. The attribute is encoded using <xref target="X.680">ASN.1</xref>
<xref target="X.690">DER</xref>.
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### kvno [0] UInt32,
##### mkvno [1] UInt32 OPTIONAL,
##### keys [2] SEQUENCE OF KrbKey,
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
</artwork></figure></t>
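The KrbKeySet encoding above, as an added example that is not part of this draft or of any KDC implementation: a stdlib-only Python encoder and decoder for the DER value of krbKeySet. It assumes the EXPLICIT context tagging of the RFC 4120 ASN.1 modules, only the fields shown above (any further tagged fields are ignored on decode), non-negative integers, and dictionary key names (keytype, keyvalue, salttype, salt, s2kparams) that are this example's own; key bytes used with it are constructed placeholders, not key material.

```python
# Added example, not the draft's own code: stdlib-only DER encoder/decoder for the
# KrbKeySet value of krbKeySet; EXPLICIT context tags as in RFC 4120, v >= 0 integers.
def _len(n):                                    # DER definite-form length octets
    if n >= 0x80:                               # long form: 0x80 + count, then the octets
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 + len(b)]) + b
    return bytes([n])
_tlv = lambda tag, body: bytes([tag]) + _len(len(body)) + body
_int = lambda v: _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # minimal, v >= 0
_oct = lambda b: _tlv(0x04, b)
_ctx = lambda n, inner: _tlv(0xA0 + n, inner)   # [n] EXPLICIT: constructed context tag
_seq = lambda *parts: _tlv(0x30, b"".join(parts))
def encode_keyset(kvno, keys, mkvno=None):
    """keys: dicts with keytype, keyvalue and optional salttype, salt, s2kparams."""
    out = [_ctx(0, _int(kvno))]
    if mkvno is not None: out.append(_ctx(1, _int(mkvno)))  # only if Master Key encrypted
    enc = []
    for k in keys:
        parts = []
        if "salttype" in k:                     # KrbSalt is OPTIONAL, and so is its salt
            s = [_ctx(0, _int(k["salttype"]))]
            if k.get("salt") is not None: s.append(_ctx(1, _oct(k["salt"])))
            parts.append(_ctx(0, _seq(*s)))
        parts.append(_ctx(1, _seq(_ctx(0, _int(k["keytype"])), _ctx(1, _oct(k["keyvalue"])))))
        if k.get("s2kparams") is not None: parts.append(_ctx(2, _oct(k["s2kparams"])))
        enc.append(_seq(*parts))
    return _seq(*out, _ctx(2, _seq(*enc)))
def _read(buf, pos):                            # one TLV -> (tag, value, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:                               # long-form length
        k = n - 0x80
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def _fields(body):                              # SEQUENCE body -> {tag number: inner value}
    out, pos = {}, 0
    while len(body) > pos:
        tag, val, pos = _read(body, pos)
        out[tag - 0xA0] = _read(val, 0)[1]      # strip the EXPLICIT [n] wrapper
    return out
_i = lambda b: int.from_bytes(b, "big")
def decode_keyset(der):
    tag, body, end = _read(der, 0)
    if tag != 0x30 or end != len(der): raise ValueError("not a single DER SEQUENCE")
    f = _fields(body)
    ks = {"kvno": _i(f[0]), "keys": []}
    if 1 in f: ks["mkvno"] = _i(f[1])
    pos = 0
    while len(f[2]) > pos:                      # walk the SEQUENCE OF KrbKey
        _, kbody, pos = _read(f[2], pos)
        kf = _fields(kbody)
        ek = _fields(kf[1])                     # EncryptionKey is mandatory
        key = {"keytype": _i(ek[0]), "keyvalue": ek[1]}
        if 0 in kf:
            sf = _fields(kf[0])
            key["salttype"] = _i(sf[0])
            if 1 in sf: key["salt"] = sf[1]
        if 2 in kf: key["s2kparams"] = kf[2]
        ks["keys"].append(key)
    return ks
```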
NAME 'krbTicketPolicy'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute is related to section 6.4 of the Information Model. It
defines the flags that a user is allowed or required to use in a ticket
#krb5KDCFlagsSyntax SYNTAX ::= {
# WITH SYNTAX INTEGER
#-- initial(0), -- require as-req
#-- forwardable(1), -- may issue forwardable
#-- proxiable(2), -- may issue proxiable
#-- renewable(3), -- may issue renewable
#-- postdate(4), -- may issue postdatable
#-- server(5), -- may be server
#-- client(6), -- may be client
#-- invalid(7), -- entry is invalid
#-- require-preauth(8), -- must use preauth
#-- change-pw(9), -- change password service
#-- require-hwauth(10), -- must use hwauth
#-- ok-as-delegate(11), -- as in TicketFlags
#-- user-to-user(12), -- may use user-to-user auth
#-- immutable(13) -- may not be deleted
# ID { 1.3.6.1.4.1.5322.10.0.1 }
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
This attribute holds arbitrary data that may be needed by a particular
implementation. The values are encoded in ASN.1 DER.
##### The format of the values for this attribute is explained below,
##### ExtraData ::= SEQUENCE {
##### tag [0] OCTET STRING,
##### data [1] OCTET STRING
The following four attributes are outside the scope of the Information Model
but may be useful in some deployments.
NAME 'krbPrincNamingAttr'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
This attribute records which attribute will be used to name
newly created principal entries.
NAME 'krbPrincContainer'
DESC 'DN of container entry for principals'
SUP distinguishedName
This attribute points to the container entry under which
new principal entries will be created.
DESC 'DN of password policy subentry'
SUP distinguishedName
This attribute points to the LDAP password policy subentry
containing the policy that should be applied to Kerberos principals.
Note that in LDAP servers with full subentry support, the subentry's
subtree search specification defines what entries the subentry applies
to, so this attribute is unnecessary; it is provided merely for
informational purposes.
DESC 'LDAP search parameters for locating principals'
This attribute contains LDAP URIs that the KDC will search when
locating principals. The URI values must conform to the syntax
defined in <xref target="RFC4516"/>. As a special case, the URI
prefix "ldap:///" is taken to mean the current LDAP server.
<section anchor="classdefs" title="Class Definitions">
<t>This section contains class definitions to be implemented by KDCs
supporting the schema.</t>
( KRBOC.1 NAME 'krbKDCInfo' SUP top AUXILIARY
MAY ( krbTicketMaxLife $ krbTicketMaxRenewal $
krbEncSaltTypes $ krbTicketPolicy $
krbKeySet $ krbKeyVersion ) )
( KRBOC.2 NAME 'krbPrincipal' SUP krbKDCInfo AUXILIARY
MUST ( krbPrincipalName )
MAY ( krbPrincipalAliases $ krbPrincipalRealm $
( KRBOC.3 NAME 'krbRealm' SUP krbKDCInfo AUXILIARY
MUST ( krbRealmName )
MAY ( krbPrincNamingAttr $ krbPrincContainer $
krbPwdPolicy $ krbLDAPURI ) )
Note that in a krbRealm object the krbKeySet and krbKeyVersion
attributes actually reflect the Master key for the realm. In this
case the krbKeySet's mkvno field and all other optional fields
<section anchor="impl" title="Implementation Details">
<t>Since the LDAP Password Policy is intimately involved in the
security mechanisms of this proposal, the directory should be treated
as more than just a passive data store. (The KDC can certainly read
the policy attributes and evaluate them itself, but that would mean
needlessly duplicating all of the functionality that is already
implemented in the directory server.) This means that for every
Kerberos authentication being serviced, a corresponding LDAP
operation must also be performed, in order to allow the password
policy mechanisms to operate.</t>
<t>The mechanism outlined here assumes that the plain LDAP credentials
and the Kerberos credentials are unified (or at least synchronized). In
that case, for every incoming Kerberos authentication request, the KDC
can issue an LDAP Compare request using the known credentials of
the user and the LDAP Password Policy control. The result of the request
will carry any relevant error codes if the account is disabled, the
password is expired, or various other failures. If preauthentication is
in use and the request is invalid, a Compare with known invalid
credentials may be used to update the password policy state.</t>
<section title="Model Details">
<t>A number of data elements described in the Information Model are
delegated to the LDAP DSA for management. Details of their
usage are described here.</t>
<section title="principalNotUsedBefore">
<t>Section 6.1.1.2 of the Information Model. This corresponds to the
pwdStartTime attribute. If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalNotUsedAfter">
<t>Section 6.1.1.3 of the Information Model. This corresponds to the
pwdEndTime attribute. If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalIsDisabled">
<t>Section 6.1.1.4 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this effect is controlled by setting
the pwdStartTime attribute to a value greater than or equal to the
pwdEndTime attribute.</t>
<section title="principalNumberOfFailedAuthenticationAttempts">
<t>Section 6.1.1.5 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this value is obtained by counting the
number of values stored in the pwdFailureTime attribute.</t>
<section title="principalLastFailedAuthentication">
<t>Section 6.1.1.6 of the Information Model.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly. Otherwise, this value is obtained by retrieving the
values stored in the pwdFailureTime attribute and selecting the most recent value.</t>
<section title="principalLastSuccessfulAuthentication">
<t>Section 6.1.1.7 of the Information Model. This corresponds to the
pwdLastSuccess attribute.
If the KDC is using LDAP requests to operate the
Password Policy mechanism then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalLastCredentialChangeTime">
<t>Section 6.1.1.8 of the Information Model. This corresponds to the
pwdChangedTime attribute.
If the KDC uses the LDAP <xref target="RFC3062">Password Modify</xref> request
then it does not need to reference or manipulate
this attribute directly.</t>
<section title="principalCreateTime">
<t>Section 6.1.1.9 of the Information Model. This corresponds to the
createTimestamp attribute.
The KDC does not need to reference or manipulate this attribute directly.</t>
<section title="principalModifyTime">
<t>Section 6.1.1.10 of the Information Model. This corresponds to the
modifyTimestamp attribute.
The KDC does not need to reference or manipulate this attribute directly.</t>
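The mappings in the preceding sections, as an added example that is neither the draft's nor any KDC's code: a Python function that derives these Information Model elements from a principal entry's Password Policy and operational attributes for the "otherwise" case, where the KDC reads the entry itself instead of letting the DSA evaluate the policy. It assumes the entry is presented as a dict of attribute name to a list of GeneralizedTime strings; the sample entry is constructed.

```python
# Added example, not the draft's own code: derive the Information Model elements the
# draft delegates to LDAP Password Policy attributes from an entry read by the KDC.
from datetime import datetime, timezone

def gtime(value):
    """Parse the GeneralizedTime form 'YYYYMMDDHHMMSSZ' used by ppolicy attributes."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def principal_state(entry):
    """entry: dict of attribute name -> list of string values, as read from the DSA."""
    first = lambda attr: gtime(entry[attr][0]) if entry.get(attr) else None
    start, end = first("pwdStartTime"), first("pwdEndTime")
    failures = sorted(gtime(v) for v in entry.get("pwdFailureTime", []))
    return {
        "principalNotUsedBefore": start,                                    # 6.1.1.2
        "principalNotUsedAfter": end,                                       # 6.1.1.3
        # 6.1.1.4: disabled exactly when pwdStartTime >= pwdEndTime (both present)
        "principalIsDisabled": start is not None and end is not None and start >= end,
        "principalNumberOfFailedAuthenticationAttempts": len(failures),     # 6.1.1.5
        "principalLastFailedAuthentication": failures[-1] if failures else None,  # 6.1.1.6
        "principalLastSuccessfulAuthentication": first("pwdLastSuccess"),   # 6.1.1.7
        "principalLastCredentialChangeTime": first("pwdChangedTime"),       # 6.1.1.8
        "principalCreateTime": first("createTimestamp"),                    # 6.1.1.9
        "principalModifyTime": first("modifyTimestamp"),                    # 6.1.1.10
    }

# Constructed sample: a principal disabled by pwdStartTime >= pwdEndTime, two failures
SAMPLE_ENTRY = {
    "krbPrincipalName": ["alice@EXAMPLE.ORG"],
    "pwdStartTime": ["20091101000000Z"],
    "pwdEndTime": ["20091001000000Z"],
    "pwdFailureTime": ["20091013090000Z", "20091012101500Z"],
    "pwdLastSuccess": ["20091011120000Z"],
    "pwdChangedTime": ["20090901120000Z"],
    "createTimestamp": ["20090101000000Z"],
    "modifyTimestamp": ["20091013090000Z"],
}
```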
<section title="KeySet details">
<t>The krbKeySet attribute is multi-valued but it is expected that
it will usually only contain one value. During a password change operation
the KDC may choose to keep one previous value present to allow currently
active clients to continue to operate using the previous key. How long to
retain this old password is unspecified here. Note also that the LDAP
Password Policy mechanism already has provisions for password history
management, so the krbKeySet attribute should not be used for
long-term password history tracking.</t>
<section anchor="security" title="Security Considerations">
<t>This entire document is concerned with an implementation of a secure
distributed authentication mechanism. It should be understood that
the various keys used here are all sensitive pieces of data and must
be adequately protected using access controls and other mechanisms.
Likewise all communications between the KDC and DSA must be protected
whenever sensitive data is being referenced.</t>
<t>In common practice the KDC and DSA have been colocated on a
single host and communicated over a local
<xref target="I-D.chu-ldap-ldapi">LDAP IPC</xref> session. As such it was
implied that the host security was equivalent for both. If a KDC is
configured to use a remote DSA, the remote host should be
configured with at least the same level of security as the KDC host,
and a secure channel MUST be used for the LDAP session.</t>
<t>Storing the Master Key in the DSA makes it even more
crucial that the LDAP host, service, and data files be adequately
protected. Backups of the LDAP database should also be encrypted to
protect the integrity of any keys contained therein.</t>
<section title="IANA Considerations">
<t>In accordance with <xref target="RFC4520"/> the following registrations
<section title="Object Identifiers">
<t>[[List of OIDs, registration template goes here...]]</t>
<section title="LDAP Descriptors">
<t>[[List of Attribute and ObjectClass descriptors, template goes here...]]</t>
<section anchor="acks" title="Acknowledgements">
<t>Thanks to Love Hörnquist Åstrand
from Apple Corp. for the initial feedback on this document.</t>
<references title="Normative References">
<reference anchor="X.680">
<title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
<date month="July" year="2002" />
<seriesInfo name="ITU-T Recommendation" value="X.680" />
<reference anchor="X.690">
<title>Information Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)</title>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
<date month="July" year="2002" />
<seriesInfo name="ITU-T Recommendation" value="X.690" />
<references title="Informative References">