


Network Working Group                                             H. Chu
Internet-Draft                                               Symas Corp.
Intended status: Informational                          October 15, 2009
Expires: April 18, 2010


              An LDAP Schema for Kerberos KDC Information
                      draft-chu-ldap-kdc-schema-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 18, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.









Chu                      Expires April 18, 2010                 [Page 1]

Internet-Draft               LDAP KDC Schema                October 2009


Abstract

   This document describes an LDAP [RFC4511] schema for implementing the
   Kerberos 5 [RFC4120] KDC Information Model
   [I-D.ietf-krb-wg-kdc-model].  It also defines additional elements
   which are not covered by the Information Model, but are already in
   common use.












































Chu                      Expires April 18, 2010                 [Page 2]

Internet-Draft               LDAP KDC Schema                October 2009


1.  Background and Motivation

   Both Kerberos and LDAP are frequently used separately for distributed
   authentication.  They can also be used in combination, but typically
   their user databases remained separate.  This distinction in
   databases causes unnecessary duplication of data and administration
   overhead.  As such it is desirable for both systems to share a single
   database.  Since the LDAP data model is more general it is most
   appropriate to store the Kerberos data in LDAP.

   A number of Kerberos implementations already have support for using
   LDAP as their KDC backing store.  However, each implementation uses
   its own schema, and the multiple schemas are mutually incompatible.
   For the sake of interoperability and administrative ease, it is
   important to define a single standard schema that can be used
   uniformly by all Kerberos KDC implementations and interoperates with
   existing LDAP specifications.


































Chu                      Expires April 18, 2010                 [Page 3]

Internet-Draft               LDAP KDC Schema                October 2009


2.  General Issues

2.1.  Terminology

   The key words "MUST", "SHOULD", and "MAY" used in this document are
   to be interpreted as described in [RFC2119].

   The OIDs defined below are derived from TBD.OID:
   KRBSYN = TBD.OID.0
   KRBATTR = TBD.OID.1
   KRBOC = TBD.OID.2

2.2.  Schema

   The attributes and classes defined in this document are summarized
   below.

2.2.1.  Attributes

   The following attributes are defined in this document:

      krbPrincipalName
      krbPrincipalAliases
      krbTicketMaxLife
      krbTicketMaxRenewal
      krbEncSaltTypes
      krbRealmName
      krbPrincipalRealm
      krbKeySet
      krbKeyVersion
      krbTicketPolicy
      krbExtraData
      krbPrincNamingAttr
      krbPrincContainer
      krbPwdPolicy
      krbLDAPURI

   Additionally, some of the attributes defined in LDAP Password Policy
   [I-D.behera-ldap-password-policy] are required.

   Note: The MIT/Novell schema includes a number of elements for storing
   the KDC configuration in LDAP.  The Information Model doesn't cover
   these aspects, so I've omitted them for now.  Do we need to add them?

2.2.2.  Object Classes

   The following object classes are defined in this document:




Chu                      Expires April 18, 2010                 [Page 4]

Internet-Draft               LDAP KDC Schema                October 2009


      krbKDCInfo
      krbPrincipal
      krbRealm
















































Chu                      Expires April 18, 2010                 [Page 5]

Internet-Draft               LDAP KDC Schema                October 2009


3.  Attribute Definitions

   This section contains attribute definitions to be implemented by KDCs
   supporting this schema:

     ( KRBATTR.1
                   NAME 'krbPrincipalName'
                   DESC 'Canonical principal name'
                   EQUALITY caseExactIA5Match
                   SUBSTR caseExactSubstringsMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                   SINGLE-VALUE )


     ( KRBATTR.2
                   NAME 'krbPrincipalAliases'
                   SUP krbPrincipalName )

   These attributes implement section 6.1.1.1 of the Information Model.
   The krbPrincipalName attribute contains the canonical name of the
   principal.  Any aliases are stored in the krbPrincipalAliases
   attribute.  Since the krbPrincipalAliases attribute is a subtype of
   the krbPrincipalName attribute, a search on krbPrincipalName will
   also search the aliases.


     ( KRBATTR.3
                   NAME 'krbTicketMaxLife'
                   EQUALITY integerMatch
                   ORDERING integerOrderingMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                   SINGLE-VALUE )

   This attribute implements section 6.1.1.11 of the Information Model.
   It holds the maximum ticket lifetime in seconds for a principal.


     ( KRBATTR.4
                   NAME 'krbTicketMaxRenewal'
                   EQUALITY integerMatch
                   ORDERING integerOrderingMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                   SINGLE-VALUE )

   This attribute implements section 6.1.1.12 of the Information Model.
   It holds the maximum time in seconds a ticket may be renewed for.





Chu                      Expires April 18, 2010                 [Page 6]

Internet-Draft               LDAP KDC Schema                October 2009


     ( KRBATTR.5
                   NAME 'krbEncSaltTypes'
                   EQUALITY caseIgnoreMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   This attribute implements section 6.1.1.13 of the Information Model.
   Holds the allowed encryption/salt type combinations for this
   principal.  If empty or absent any combination supported by the
   implementation is allowed.
   Note that sections 6.1.1.2 thru 6.1.1.10 are implemented using the
   LDAP Password Policy schema.


     ( KRBATTR.6
                   NAME 'krbRealmName'
                   EQUALITY octetStringMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )


     ( KRBATTR.7
                   NAME 'krbPrincipalRealm'
                   DESC 'DN of krbRealm entry'
                   SUP distinguishedName )

   These attributes provide information about the current realm.  They
   provide the minimal set of information required to implement section
   6.1.3 of the Information Model.


     ( KRBATTR.8
                   NAME 'krbKeyVersion'
                   EQUALITY integerMatch
                   ORDERING integerOrderingMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                   SINGLE-VALUE )

   This attribute implements section 6.2.1.1 of the Information Model.
   It stores the version number of the current key.


     ( KRBATTR.9
                   NAME 'krbKeySet'
                   EQUALITY octetStringMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   This attribute implements sections 6.3.1.1 thru 6.3.1.4 of the
   Information Model.  Sections 6.3.1.5 thru 6.3.1.7 are implemented
   using the LDAP Password Policy schema.  This attribute holds the



Chu                      Expires April 18, 2010                 [Page 7]

Internet-Draft               LDAP KDC Schema                October 2009


   principal's keys optionally encrypted with the Master Key. The
   attribute is encoded using ASN.1 [X.680] DER [X.690].

   ##### The format of the value for this attribute is explained below,
   ##### KrbKeySet ::= SEQUENCE {
   ##### kvno                      [0] UInt32,
   ##### mkvno                     [1] UInt32 OPTIONAL,
   ##### keys                      [2] SEQUENCE OF KrbKey,
   ##### ...
   ##### }
   #####
   ##### KrbKey ::= SEQUENCE {
   ##### salt      [0] KrbSalt OPTIONAL,
   ##### key       [1] EncryptionKey,
   ##### s2kparams [2] OCTET STRING OPTIONAL,
   ##### ...
   ##### }
   #####
   ##### KrbSalt ::= SEQUENCE {
   ##### type      [0] Int32,
   ##### salt      [1] OCTET STRING OPTIONAL
   ##### }
   #####
   ##### EncryptionKey ::= SEQUENCE {
   ##### keytype   [0] Int32,
   ##### keyvalue  [1] OCTET STRING
   ##### }


     ( KRBATTR.10
                   NAME 'krbTicketPolicy'
                   EQUALITY integerMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
                   SINGLE-VALUE )

   This attribute is related to section 6.4 of the Information Model.
   It defines the flags that a user is allowed or required to use in a
   ticket request.













Chu                      Expires April 18, 2010                 [Page 8]

Internet-Draft               LDAP KDC Schema                October 2009


   #krb5KDCFlagsSyntax SYNTAX ::= {
   #   WITH SYNTAX            INTEGER
   #--        initial(0),             -- require as-req
   #--        forwardable(1),         -- may issue forwardable
   #--        proxiable(2),           -- may issue proxiable
   #--        renewable(3),           -- may issue renewable
   #--        postdate(4),            -- may issue postdatable
   #--        server(5),              -- may be server
   #--        client(6),              -- may be client
   #--        invalid(7),             -- entry is invalid
   #--        require-preauth(8),     -- must use preauth
   #--        change-pw(9),           -- change password service
   #--        require-hwauth(10),     -- must use hwauth
   #--        ok-as-delegate(11),     -- as in TicketFlags
   #--        user-to-user(12),       -- may use user-to-user auth
   #--        immutable(13)           -- may not be deleted
   #   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
   #}


     ( KRBATTR.11
                   NAME 'krbExtraData'
                   EQUALITY octetStringMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   This attribute holds arbitrary data that may be needed by a
   particular implementation.  The values are encoded in ASN.1 DER.

   ##### The format of the values for this attribute is explained below,
   ##### ExtraData ::= SEQUENCE {
   ##### tag       [0] OCTET STRING,
   ##### data      [1] OCTET STRING
   ##### }

   The following four attributes are outside the scope of the
   Information Model but may be useful in some deployments.

     ( KRBATTR.12
                   NAME 'krbPrincNamingAttr'
                   EQUALITY objectIdentifierMatch
                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
                   SINGLE-VALUE )

   This attribute records what attribute will be used to name newly
   created principal entries.






Chu                      Expires April 18, 2010                 [Page 9]

Internet-Draft               LDAP KDC Schema                October 2009


     ( KRBATTR.13
                   NAME 'krbPrincContainer'
                   DESC 'DN of container entry for principals'
                   SUP distinguishedName
                   SINGLE-VALUE )

   This attribute points to the container entry under which new
   principal entries will be created.

     ( KRBATTR.14
                   NAME 'krbPwdPolicy'
                   DESC 'DN of password policy subentry'
                   SUP distinguishedName
                   SINGLE-VALUE )

   This attribute points to the LDAP password policy subentry containing
   the policy that should be applied to Kerberos principals.  Note that
   in LDAP servers with full subentry support, the subentry's subtree
   search specification defines what entries the subentry applies to, so
   this attribute is unnecessary; it is provided merely for
   informational purposes.

     ( KRBATTR.15
                   NAME 'krbLDAPURI'
                   DESC 'LDAP search parameters for locating principals'
                   SUP labeledURI )

   This attribute contains LDAP URIs that the KDC will search when
   locating principals.  The URI values must conform to the syntax
   defined in [RFC4516].  As a special case, the URI prefix "ldap:///"
   is taken to mean the current LDAP server.




















Chu                      Expires April 18, 2010                [Page 10]

Internet-Draft               LDAP KDC Schema                October 2009


4.  Class Definitions

   This section contains class definitions to be implemented by KDCs
   supporting the schema.


     ( KRBOC.1 NAME 'krbKDCInfo' SUP top AUXILIARY
         MAY ( krbTicketMaxLife $ krbTicketMaxRenewal $
           krbEncSaltTypes $ krbTicketPolicy $
           krbKeySet $ krbKeyVersion ) )


     ( KRBOC.2 NAME 'krbPrincipal' SUP krbKDCInfo AUXILIARY
         MUST ( krbPrincipalName )
         MAY ( krbPrincipalAliases $ krbPrincipalRealm $
           krbExtraData ) )


     ( KRBOC.3 NAME 'krbRealm' SUP krbKDCInfo AUXILIARY
         MUST ( krbRealmName )
         MAY ( krbPrincNamingAttr $ krbPrincContainer $
           krbPwdPolicy $ krbLDAPURI ) )

   Note that in a krbRealm object the krbKeySet and krbKeyVersion
   attributes actually reflect the Master key for the realm.  In this
   case the krbKeySet's mkvno field and all other optional fields are
   omitted.
























Chu                      Expires April 18, 2010                [Page 11]

Internet-Draft               LDAP KDC Schema                October 2009


5.  Implementation Details

   Since the LDAP Password Policy is intimately involved in the security
   mechanisms of this proposal, the directory should be treated as more
   than just a passive data store.  (The KDC can certainly read the
   policy attributes and evaluate them itself, but that would mean
   needlessly duplicating all of the functionality that is already
   implemented in the directory server.)  This means that for every
   Kerberos authentication being serviced, a corresponding LDAP
   operation must also be performed, in order to allow the password
   policy mechanisms to operate.

   The mechanism outlined here assumes that the plain LDAP credentials
   and the Kerberos credentials are unified (or at least synchronized).
   In that case, for every incoming Kerberos authentication request, the
   KDC can issue an LDAP Compare request using the known credentials of
   the user and the LDAP Password Policy control.  The result of the
   request will carry any relevant error codes if the account is
   disabled, the password is expired, or various other failures.  If
   preauthentication is in use and the request is invalid, a Compare
   with known invalid credentials may be used to update the password
   policy state.

5.1.  Model Details

   A number of data elements described in the Information Model are
   delegated to the LDAP DSA for management.  Details of their usage are
   described here.

5.1.1.  principalNotUsedBefore

   Section 6.1.1.2 of the Information Model.  This corresponds to the
   pwdStartTime attribute.  If the KDC is using LDAP requests to operate
   the Password Policy mechanism then it does not need to reference or
   manipulate this attribute directly.

5.1.2.  principalNotUsedAfter

   Section 6.1.1.3 of the Information Model.  This corresponds to the
   pwdEndTime attribute.  If the KDC is using LDAP requests to operate
   the Password Policy mechanism then it does not need to reference or
   manipulate this attribute directly.

5.1.3.  principalIsDisabled

   Section 6.1.1.4 of the Information Model.  If the KDC is using LDAP
   requests to operate the Password Policy mechanism then it does not
   need to reference or manipulate this attribute directly.  Otherwise,



Chu                      Expires April 18, 2010                [Page 12]

Internet-Draft               LDAP KDC Schema                October 2009


   this effect is controlled by setting the pwdStartTime attribute to a
   value greater than or equal to the pwdEndTime attribute.

5.1.4.  principalNumberOfFailedAuthenticationAttempts

   Section 6.1.1.5 of the Information Model.  If the KDC is using LDAP
   requests to operate the Password Policy mechanism then it does not
   need to reference or manipulate this attribute directly.  Otherwise,
   this value is obtained by counting the number of values stored in the
   pwdFailureTime attribute.

5.1.5.  principalLastFailedAuthentication

   Section 6.1.1.6 of the Information Model.  If the KDC is using LDAP
   requests to operate the Password Policy mechanism then it does not
   need to reference or manipulate this attribute directly.  Otherwise,
   this value is obtained by retrieving the values stored in the
   pwdFailureTime attribute and selecting the most recent value.

5.1.6.  principalLastSuccessfulAuthentication

   Section 6.1.1.7 of the Information Model.  This corresponds to the
   pwdLastSuccess attribute.  If the KDC is using LDAP requests to
   operate the Password Policy mechanism then it does not need to
   reference or manipulate this attribute directly.

5.1.7.  principalLastCredentialChangeTime

   Section 6.1.1.8 of the Information Model.  This corresponds to the
   pwdChangedTime attribute.  If the KDC uses the LDAP Password Modify
   [RFC3062] request then it does not need to reference or manipulate
   this attribute directly.

5.1.8.  principalCreateTime

   Section 6.1.1.9 of the Information Model.  This corresponds to the
   createTimestamp attribute.  The KDC does not need to reference or
   manipulate this attribute directly.

5.1.9.  principalModifyTime

   Section 6.1.1.10 of the Information Model.  This corresponds to the
   modifyTimestamp attribute.  The KDC does not need to reference or
   manipulate this attribute directly.







Chu                      Expires April 18, 2010                [Page 13]

Internet-Draft               LDAP KDC Schema                October 2009


5.2.  KeySet details

   The krbKeySet attribute is multi-valued but it is expected that it
   will usually only contain one value.  During a password change
   operation the KDC may choose to keep one previous value present to
   allow currently active clients to continue to operate using the
   previous key.  How long to retain this old password is unspecified
   here.  Note also that the LDAP Password Policy mechanism already has
   provisions for password history management, so the krbKeySet
   attribute should not be used for long-term password history tracking.









































Chu                      Expires April 18, 2010                [Page 14]

Internet-Draft               LDAP KDC Schema                October 2009


6.  Security Considerations

   This entire document is concerned with an implementation of a secure
   distributed authentication mechanism.  It should be understood that
   the various keys used here are all sensitive pieces of data and must
   be adequately protected using access controls and other mechanisms.
   Likewise all communications between the KDC and DSA must be protected
   whenever sensitive data is being referenced.

   In common practice the KDC and DSA have been colocated on a single
   host and communicated over a local LDAP IPC [I-D.chu-ldap-ldapi]
   session.  As such it was implied that the host security was
   equivalent for both.  If a KDC is configured to use a remote DSA, the
   remote host should be configured with at least the same level of
   security as the KDC host, and a secure channel MUST be used for the
   LDAP session.

   Storing the Master Key in the DSA makes it even more crucial that the
   LDAP host, service, and data files be adequately protected.  Backups
   of the LDAP database should also be encrypted to protect the
   integrity of any keys contained therein.






























Chu                      Expires April 18, 2010                [Page 15]

Internet-Draft               LDAP KDC Schema                October 2009


7.  IANA Considerations

   In accordance with [RFC4520] the following registrations are
   requested.

7.1.  Object Identifiers

   [[List of OIDs, registration template goes here...]]

7.2.  LDAP Descriptors

   [[List of Attribute and ObjectClass descriptors, template goes
   here...]]






































Chu                      Expires April 18, 2010                [Page 16]

Internet-Draft               LDAP KDC Schema                October 2009


8.  Acknowledgements

   Thanks to Simo Sorce from Red Hat Inc. and Love Hoernquist Aestrand
   from Apple Corp. for their feedback on this document.















































Chu                      Expires April 18, 2010                [Page 17]

Internet-Draft               LDAP KDC Schema                October 2009


9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3062]  Zeilenga, K., "LDAP Password Modify Extended Operation",
              RFC 3062, February 2001.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              July 2005.

   [RFC4511]  Sermersheim, J., "Lightweight Directory Access Protocol
              (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4516]  Smith, M. and T. Howes, "Lightweight Directory Access
              Protocol (LDAP): Uniform Resource Locator", RFC 4516,
              June 2006.

   [RFC4520]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

   [I-D.behera-ldap-password-policy]
              Sermersheim, J., Poitou, L., and H. Chu, "Password Policy
              for LDAP Directories",
              draft-behera-ldap-password-policy-10 (work in progress),
              August 2009.

   [I-D.ietf-krb-wg-kdc-model]
              Johansson, L., "An information model for Kerberos version
              5", draft-ietf-krb-wg-kdc-model-05 (work in progress),
              July 2009.

   [X.680]    International Telecommunications Union, "Abstract Syntax
              Notation One (ASN.1): Specification of basic notation",
              ITU-T Recommendation X.680, July 2002.

   [X.690]    International Telecommunications Union, "Information
              Technology - ASN.1 encoding rules: Specification of Basic
              Encoding Rules (BER),  Canonical Encoding Rules (CER) and
              Distinguished Encoding Rules (DER)", ITU-T
              Recommendation X.690, July 2002.






Chu                      Expires April 18, 2010                [Page 18]

Internet-Draft               LDAP KDC Schema                October 2009


9.2.  Informative References

   [I-D.chu-ldap-ldapi]
              Chu, H., "Using LDAP Over IPC Mechanisms",
              draft-chu-ldap-ldapi-00 (work in progress), March 2007.














































Chu                      Expires April 18, 2010                [Page 19]

Internet-Draft               LDAP KDC Schema                October 2009


Author's Address

   Howard Chu
   Symas Corp.
   18740 Oxnard Street, Suite 313A
   Tarzana, California  91356
   US

   Phone: +1 818 757-7087
   Email: hyc@symas.com
   URI:   http://www.symas.com








































Chu                      Expires April 18, 2010                [Page 20]

