Management of heimdal kerberos with ldap

Alejandro Escanero Blanco
I'm trying to make an external PHP script to add, remove and change the password of Kerberos
principals stored in an OpenLDAP server.

I am trying to create a valid SHA1 key to use with Kerberos. For example, from the keytab, I have:
# ktutil --verbose list --keys
FILE:/etc/krb5.keytab:
...
2  des3-cbc-sha1  [hidden email]                 2005-06-23
7c64d54af8984afdd06bc45e0434b30d58528ca2d62aba15
...

But no combination of password (it is "123456"), realm and name gives me the same key.

I tried some tools like sha1sum and mhash, but I didn't have any luck.




--
_________________________________________________________________________________________________________
Alejandro Escanero Blanco
Systems Administrator
Centro Europeo De Congresos
Tel. +34 952058050
e-mail: [hidden email]
_________________________________________________________________________________________________________


Re: Management of heimdal kerberos with ldap

Love Hörnquist Åstrand

Alejandro Escanero Blanco <[hidden email]> writes:

> I'm trying to make an external PHP script to add, remove and change
> the password of Kerberos principals stored in an OpenLDAP server.

The krb5Key entry contains a DER-encoded Key structure (from lib/hdb/hdb.asn1)

Love
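
As an added example (not code from this thread or from Heimdal): a minimal Python DER encoder/decoder for the Key structure named in the reply above. The layout (key [1] EncryptionKey and salt [2] Salt, each a SEQUENCE of [0] INTEGER and [1] OCTET STRING with explicit tags, plus an optional mkvno [0]) is an assumption recalled from lib/hdb/hdb.asn1 and should be checked against your Heimdal tree; keytype 16 (RFC 3961 des3-cbc-sha1-kd), salt type 3 and the salt string are constructed sample values, and the key bytes are those from the ktutil listing in the question.

```python
def tlv(tag, body):  # one DER TLV, short-form length only (enough for this sample)
    if len(body) >= 0x80:
        raise ValueError("long-form length not implemented in this encoder")
    return bytes([tag, len(body)]) + body

def typed_octets(num, data):  # shape shared by EncryptionKey and Salt, num >= 0
    integer = tlv(0x02, num.to_bytes(num.bit_length() // 8 + 1, "big"))
    return tlv(0x30, tlv(0xA0, integer) + tlv(0xA1, tlv(0x04, data)))

def encode_key(keytype, keyvalue, salt, salttype=3):  # optional mkvno [0] omitted
    body = tlv(0xA1, typed_octets(keytype, keyvalue)) + tlv(0xA2, typed_octets(salttype, salt))
    return tlv(0x30, body)

def read_tlvs(buf):  # split into (tag, value) pairs, rejecting malformed lengths
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            if k == 0 or i + k > len(buf):
                raise ValueError("indefinite or truncated length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def unwrap(buf, tag):  # value of the single TLV in buf, which must carry `tag`
    items = read_tlvs(buf)
    if len(items) != 1 or items[0][0] != tag:
        raise ValueError("expected exactly one TLV with tag 0x%02x" % tag)
    return items[0][1]

def decode_typed_octets(buf):
    f = dict(read_tlvs(unwrap(buf, 0x30)))
    num = int.from_bytes(unwrap(f.get(0xA0, b""), 0x02), "big", signed=True)
    return num, unwrap(f.get(0xA1, b""), 0x04)

def decode_key(der):
    f = dict(read_tlvs(unwrap(der, 0x30)))
    keytype, keyvalue = decode_typed_octets(f.get(0xA1, b""))
    salt = decode_typed_octets(f[0xA2]) if 0xA2 in f else None
    return {"keytype": keytype, "keyvalue": keyvalue, "salt": salt}

# Constructed sample; keytype 16, salt type 3, the salt and the Key layout are assumptions.
SAMPLE = encode_key(16, bytes.fromhex("7c64d54af8984afdd06bc45e0434b30d58528ca2d62aba15"), b"EXAMPLE.ORGalice")
```

The keyvalue carried inside the structure is the output of the enctype's string-to-key function (RFC 3961), which for des3-cbc-sha1 is not a SHA-1 digest of the password, so sha1sum cannot reproduce it.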


Re: Management of heimdal kerberos with ldap

Howard Chu
In reply to this post by Alejandro Escanero Blanco
Alejandro Escanero Blanco wrote:
> I'm trying to make an external PHP script to add, remove and change
> the password of Kerberos principals stored in an OpenLDAP server.

Use the smbk5pwd overlay that I wrote and just do normal LDAP
passwordModify operations. The smbk5pwd overlay is now part of the
OpenLDAP 2.3 release (in the contrib/slapd-modules directory).

--
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support

Re: Management of heimdal kerberos with ldap

Alejandro Escanero Blanco
Howard Chu wrote:
> Alejandro Escanero Blanco wrote:
>
> Use the smbk5pwd overlay that I wrote and just do normal LDAP
> passwordModify operations. The smbk5pwd overlay is now part of the
> OpenLDAP 2.3 release (in the contrib/slapd-modules directory).
Yes, I looked at smbk5pwd from OpenLDAP, but I have the same problem as with
php4-kadm5 (well, I converted it to Heimdal by cleaning out the password policy stuff and compiling
with the Heimdal libraries): they are external to PHP. I want to do all the work from PHP;
no external utilities must be needed because PHP directly modifies the LDAP tree.

I'm trying to do this to add Heimdal support to the GOsa project. It has MIT support, and I can
use the modified php4-kadm5, but I think it is better to modify the LDAP tree.


Re: Management of heimdal kerberos with ldap

Alejandro Escanero Blanco
In reply to this post by Love Hörnquist Åstrand
Love Hörnquist Åstrand wrote:

> Alejandro Escanero Blanco <[hidden email]> writes:
>
>
>> I'm trying to make an external PHP script to add, remove and change
>> the password of Kerberos principals stored in an OpenLDAP server.
>
>
> The krb5Key entry contains a DER-encoded Key structure (from lib/hdb/hdb.asn1)
>
> Love
>

Thanks, I was looking in the wrong code (specifically in crypto.c), because I thought that krb5Key
was HMAC SHA1, or something like that.

I'd better try to debug the Heimdal code (0.6.3) to see how the krb5Key is created, thanks.
