Apache Directory Project mailing list archive, June 2007

Kerberos Kadmin GUI
Emmanuel Lecharny 2007-06-20, 7:11 pm
Hi guys,
IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, an SWT
implementation:
http://www.alphaworks.ibm.com/tech/nasgui
It seems to be an interesting tool, and I'm thinking we should have such
a GUI in Apache Directory Studio.
Wdyt ?
Emmanuel
Enrique Rodriguez 2007-06-21, 7:11 pm
On 6/20/07, Emmanuel Lecharny wrote:
> Hi guys,
>
> IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, a SWT
> implementation :
> http://www.alphaworks.ibm.com/tech/nasgui
>
> It seems to be an interesting tool, and I'm thinking we should have such
> a GUI in Apache Directory Studio.
>
> Wdyt ?
I think it would be great if AD Studio supported Kerberos
administration. However, this IBM tool is using the Kadmin protocol,
which is specific to the MIT Kerberos implementation. I think with
the protocols we have, we shouldn't support kadmin. I, for one, won't
be putting any effort towards Kadmin. You'll note the IBM tool is
using JNI to MIT's library.
You can get a feel for the basic Kerberos principal functions we need
from this Kadmin overview.
http://docs.hp.com/en/5991-7685/ch08s37.html
We can do most of what we need with the LDAP protocol and our X.500
ACI. A few additional functions are covered by the upcoming
Set/Change Protocol v2, an update of the Change Password protocol.
As for timing, I think it makes sense to hold off a bit longer. There
are 2 RFCs in the works: (1) the aforementioned Set/Change Protocol
v2 and (2) a possible informative RFC regarding an LDAP schema for
Kerberos. The new Set/Change Protocol adds some important key
management functions and the LDAP schema supports many more features
than our existing schema. I think once implementation of these draft
RFCs has stabilized, then we can look at adding a GUI for principal
admin. I was hoping to get to both of these later this year.
Enrique
Emmanuel Lecharny 2007-06-21, 7:11 pm
Enrique Rodriguez wrote:
> On 6/20/07, Emmanuel Lecharny wrote:
>
> I think it would be great if AD Studio supported Kerberos
> administration. However, this IBM tool is using the Kadmin protocol,
> which is specific to the MIT Kerberos implementation.
I was not thinking specifically of Kadmin, but of something more
comfortable, as soon as we have some specification to give to our GUI team.
> I think with
> the protocols we have, we shouldn't support kadmin. I, for one, won't
> be putting any effort towards Kadmin. You'll note the IBM tool is
> using JNI to MIT's library.
>
> You can get a feel for the basic Kerberos principal functions we need
> from this Kadmin overview.
>
> http://docs.hp.com/en/5991-7685/ch08s37.html
>
> We can do most of what we need with the LDAP protocol and our X.500
> ACI.
Sure, but I think a GUI is great to have to avoid complex manipulation
of such elements. We already have an ACI editor in Apache Directory
Studio, we just need a specific interface for Kerberos admin, I guess.
The question is what it should look like, and what functionalities it
must contain.
> A few additional functions are covered by the upcoming
> Set/Change Protocol v2, an update of the Change Password protocol.
You mean
http://www.ietf.org/internet-drafts...-passwd-06.txt,
I guess.
>
> As for timing, I think it makes sense to hold off a bit longer. There
> are 2 RFC's in the works: (1) the aforementioned Set/Change Protocol
> v2 and (2) a possible informative RFC regarding an LDAP schema for
> Kerberos. The new Set/Change Protocol adds some important key
> management functions and the LDAP schema supports many more features
> than our existing schema. I think once implementation of these draft
> RFC's has stabilized then we can look at adding GUI for principal
> admin. I was hoping to get to both of these later this year.
It would be good to have a page like
http://cwiki.apache.org/confluence/...ap+related+RFCs
where we have a clear view of what has been implemented, and what is
not, including a roadmap for the drafts we intend to implement.
Here is a list of all the Kerberos working group drafts and RFCs:
Generating KDC Referrals to Locate Kerberos Realms
<http://www.ietf.org/internet-drafts...eferrals-09.txt>
(36370 bytes)
Kerberos Set/Change Key/Password Protocol Version 2
<http://www.ietf.org/internet-drafts...t-passwd-06.txt>
(32882 bytes)
A Generalized Framework for Kerberos Pre-Authentication
<http://www.ietf.org/internet-drafts...ramework-05.txt>
(84108 bytes)
The Kerberos Network Authentication Service (Version 5)
<http://www.ietf.org/internet-drafts...c1510ter-04.txt>
(222275 bytes)
ECC Support for PKINIT
<http://www.ietf.org/internet-drafts...init-ecc-03.txt>
(21007 bytes)
Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over TCP
<http://www.ietf.org/internet-drafts...xpansion-02.txt>
(14367 bytes)
Anonymity Support for Kerberos
<http://www.ietf.org/internet-drafts...-wg-anon-03.txt>
(23897 bytes)
Additional Kerberos Naming Constraints
<http://www.ietf.org/internet-drafts...g-naming-03.txt>
(13553 bytes)
PK-INIT Cryptographic Algorithm Agility
<http://www.ietf.org/internet-drafts...-agility-02.txt>
(29698 bytes)
Kerberos Version 5 GSS-API Channel Binding Hash Agility
<http://www.ietf.org/internet-drafts...-agility-01.txt>
(12607 bytes)
Request For Comments:
AES Encryption for Kerberos 5 (RFC 3962)
<http://www.ietf.org/rfc/rfc3962.txt> (32844 bytes)
Encryption and Checksum Specifications for Kerberos 5 (RFC 3961)
<http://www.ietf.org/rfc/rfc3961.txt> (111865 bytes)
The Kerberos Network Authentication Service (V5) (RFC 4120)
<http://www.ietf.org/rfc/rfc4120.txt> (340314 bytes) obsoletes RFC 1510/
updated by RFC 4537
The Kerberos Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2 (RFC 4121)
<http://www.ietf.org/rfc/rfc4121.txt> (43945 bytes) updates RFC 1964
Kerberos Cryptosystem Negotiation Extension (RFC 4537)
<http://www.ietf.org/rfc/rfc4537.txt> (11166 bytes) updates RFC 4120
Online Certificate Status Protocol (OCSP) Support for Public Key
Cryptography for Initial Authentication in Kerberos (PKINIT) (RFC 4557)
<http://www.ietf.org/rfc/rfc4557.txt> (11593 bytes)
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
(RFC 4556) <http://www.ietf.org/rfc/rfc4556.txt> (100339 bytes)
Can we have a status for those RFCs and drafts?
Thanks.
Emmanuel
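Of the documents in the list above, RFC 3961 and RFC 3962 are the two a principal-admin tool cannot route around: whichever protocol carries the new password (kadmin, LDAP, or Set/Change Password), something has to turn that password into the AES key material the KDC stores. The following is an added example in Go, not code from Apache Directory nor from anyone in this thread, implementing RFC 3962 string-to-key (PBKDF2-HMAC-SHA1 followed by the RFC 3961 DK derivation) using only the standard library. The passphrase and salt in main are the RFC 3962 Appendix B test inputs; the salt format (realm followed by the principal's name components) and the iteration count of 4096 are the RFC 3962 defaults.

```go
package main
// Added example in Go, not Apache Directory code nor from anyone in this thread:
// RFC 3962 string-to-key, key = DK(PBKDF2-HMAC-SHA1(pass, salt, iter, keylen), "kerberos"),
// i.e. how a principal's new password becomes the AES key a KDC stores. Stdlib only.

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/big"
)

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1 as the pseudo-random function.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for n := 1; len(out) < keyLen; n++ { // T_n = U_1 xor ... xor U_c
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// rotr rotates a byte string right by bits, treated as one big-endian bit string.
func rotr(in []byte, bits int) []byte {
	l := len(in)
	byteShift, bitShift := (bits/8)%l, bits%8
	out := make([]byte, l)
	for i := range out {
		hi := in[((i-byteShift-1)%l+l)%l]
		lo := in[((i-byteShift)%l+l)%l]
		out[i] = byte((uint16(hi)<<8 | uint16(lo)) >> bitShift)
	}
	return out
}

// nfold is RFC 3961 n-fold: copies of the input, each rotated 13 bits further right, added n bytes at a time with end-around carry.
func nfold(in []byte, n int) []byte {
	lcm := n
	for lcm%len(in) != 0 {
		lcm += n
	}
	var buf []byte
	for k := 0; len(buf) < lcm; k++ {
		buf = append(buf, rotr(in, 13*k)...)
	}
	mod := new(big.Int).Lsh(big.NewInt(1), uint(8*n))
	sum := new(big.Int)
	for off := 0; off < lcm; off += n {
		sum.Add(sum, new(big.Int).SetBytes(buf[off:off+n]))
	}
	for sum.Cmp(mod) >= 0 { // one's complement addition: fold the carry back in
		carry := new(big.Int).Rsh(sum, uint(8*n))
		sum.Mod(sum, mod).Add(sum, carry)
	}
	out := make([]byte, n)
	sum.FillBytes(out)
	return out
}

// dk is RFC 3961 DK(key, constant) with AES as E: encrypt the n-folded constant (one
// CBC-CTS block with a zero IV is plain AES) and feed blocks back until len(key) bytes exist.
func dk(key, constant []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a 16- or 32-byte key is meaningful here
	}
	prev := nfold(constant, c.BlockSize())
	var out []byte
	for len(out) < len(key) {
		next := make([]byte, c.BlockSize())
		c.Encrypt(next, prev)
		out = append(out, next...)
		prev = next
	}
	return out[:len(key)]
}

// StringToKey is RFC 3962 string-to-key; keyLen is 16 (aes128) or 32 (aes256).
func StringToKey(passphrase, salt string, iterations, keyLen int) []byte {
	return dk(pbkdf2SHA1([]byte(passphrase), []byte(salt), iterations, keyLen), []byte("kerberos"))
}

func main() {
	// RFC 3962 test inputs with the RFC 3962 default iteration count of 4096.
	key := StringToKey("password", "ATHENA.MIT.EDUraeburn", 4096, 32)
	fmt.Println("aes256-cts-hmac-sha1-96 key:", hex.EncodeToString(key))
}
```

With iteration count 1 the function reproduces the RFC 3962 Appendix B keys (42263c6e... for aes128, fe697b52... for aes256), which is the check to run before trusting any tool that writes keys into the directory. The derived key is a long-term secret: an admin client that sends either the password or the resulting key to the server needs the transport protections discussed later in this thread.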
Enrique Rodriguez 2007-06-22, 1:11 am
On 6/21/07, Emmanuel Lecharny wrote:
> Enrique Rodriguez wrote:
>
> Sure, but I think a GUI is great to have to avoid complex manipulation
> of such elements. We already have an ACI editor in Apache Directory
> Studio, we just need a specific interface for Kerberos admin, I guess.
I agree. I don't think users should have to directly manipulate
attributes and know ACI syntax. A tool would be great. My point was
more that the protocol to do this with should be LDAP and not Kadmin.
> ...
> Can we have a status for those RFCs and drafts ?
I will start one here:
http://cwiki.apache.org/confluence/...ros+RFC+Support
Enrique
Alex Karasulu 2007-06-23, 7:11 am
I guess as long as we have a convenient mechanism for adding, removing and
updating Kerberos users and passwords then we should be OK. How this is
done is not that important right now, but may be from a security
perspective.
As long as SASL and SSL are being used via LDAP we can trust such operations
in production environments.
I don't know if the state of the changepw protocol with the new capabilities
you mentioned is even viable right now, but perhaps it will be later, in which
case we can enable 2 separate mechanisms for managing Kerberos users.
Alex
On 6/22/07, Enrique Rodriguez wrote:
>
> On 6/21/07, Emmanuel Lecharny wrote:
>
> I agree. I don't think users should have to directly manipulate
> attributes and know ACI syntax. A tool would be great. My point was
> more that the protocol to do this with should be LDAP and not Kadmin.
>
>
> I will start one here:
>
> http://cwiki.apache.org/confluence/...ros+RFC+Support
>
> Enrique
>