      1 -- Id
      2 HDB DEFINITIONS ::=
      3 BEGIN
      4 
      5 IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
      6 
      7 HDB_DB_FORMAT INTEGER ::= 2	-- format of database, 
      8 				-- update when making changes
        				-- (any change to the types below that
        				--  alters their encoding needs a new
        				--  value here so old readers can tell)
      9 
     10 -- these must have the same value as the pa-* counterparts
        -- Salt type identifiers; presumably the values carried in Salt.type
        -- below -- confirm against the hdb code.
     11 hdb-pw-salt	INTEGER	::= 3
     12 hdb-afs3-salt	INTEGER	::= 10
     13 
     14 Salt ::= SEQUENCE {
        	-- Salt parameters stored alongside a Key (see 'Key' below).
        	-- 'type' is bounded to an unsigned 32-bit range; 'opaque' is
        	-- implementation-specific data whose meaning is not defined here.
     15 	type[0]		INTEGER (0..4294967295),
     16 	salt[1]		OCTET STRING,
     17 	opaque[2]	OCTET STRING OPTIONAL
     18 }
     19 
     20 Key ::= SEQUENCE {
        	-- One encryption key of an entry together with its salt.
        	-- NOTE(review): 'mkvno' names a master key version; its presence
        	-- presumably means key[1] is stored wrapped under that master key
        	-- rather than in the clear -- confirm against the hdb code.
     21 	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
     22 	key[1]		EncryptionKey,		-- imported from krb5
     23 	salt[2]		Salt OPTIONAL
     24 }
     25 
     26 Event ::= SEQUENCE {
        	-- Audit record: when something happened and, optionally, which
        	-- principal did it (used by created-by / modified-by in hdb_entry).
     27 	time[0]		KerberosTime,
     28 	principal[1]	Principal OPTIONAL
     29 }
     30 
     31 HDBFlags ::= BIT STRING {
        	-- Per-entry policy bits. Each comment states what the bit permits
        	-- or requires. Bits 19..30 are not assigned in this module.
     32 	initial(0),			-- require as-req
     33 	forwardable(1),			-- may issue forwardable
     34 	proxiable(2),			-- may issue proxiable
     35 	renewable(3),			-- may issue renewable
     36 	postdate(4),			-- may issue postdatable
     37 	server(5),			-- may be server
     38 	client(6),			-- may be client
     39 	invalid(7),			-- entry is invalid
     40 	require-preauth(8),		-- must use preauth
     41 	change-pw(9),			-- change password service
     42 	require-hwauth(10),		-- must use hwauth
     43 	ok-as-delegate(11),		-- as in TicketFlags
     44 	user-to-user(12),		-- may use user-to-user auth
     45 	immutable(13),			-- may not be deleted
     46 	trusted-for-delegation(14),	-- Trusted to print forwardable tickets
     47 	allow-kerberos4(15),		-- Allow Kerberos 4 requests
     48 	allow-digest(16),		-- Allow digest requests
     49 	locked-out(17),			-- Account is locked out,
     50 					-- authentication will be denied
     51 	require-pwchange(18),		-- require a passwd change
     52 	do-not-store(31)		-- Not to be modified and stored in HDB
        					-- (in-memory only marker)
     53 }
     54 
     55 GENERATION ::= SEQUENCE {
        	-- Change counter for an entry: a timestamp with microsecond
        	-- resolution plus a generation number (see generation[12] in
        	-- hdb_entry).
     56 	time[0]		KerberosTime,			-- timestamp
     57 	usec[1]		INTEGER (0..4294967295),	-- microseconds
     58 	gen[2]		INTEGER (0..4294967295)		-- generation number
     59 }
     60 
     61 HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
        	-- PKINIT access control list: each entry names a certificate
        	-- subject and, optionally, presumably the issuer and trust anchor
        	-- the certificate must chain to. NOTE(review): the matching rule
        	-- (exact vs. pattern) is decided by the consuming code, not here.
     62 	subject[0]	UTF8String,
     63 	issuer[1]	UTF8String OPTIONAL,
     64 	anchor[2]	UTF8String OPTIONAL
     65 }
     66 
     67 HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
        	-- Certificate digests (algorithm OID plus digest value), carried as
        	-- pkinit-cert-hash[1]; pins specific certificates rather than
        	-- names.
     68 	digest-type[0] OBJECT IDENTIFIER,
     69 	digest[1] OCTET STRING
     70 }
     71 
     72 HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
        	-- Whole certificates bound to the entry (carried as pkinit-cert[8]);
        	-- the encoding of the OCTET STRING contents is not specified here.
     73 	cert[0] OCTET STRING
     74 }
     75 
     76 HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
        -- Constrained delegation targets: the principals this entry may
        -- delegate to (carried as allowed-to-delegate-to[2]).
     77 
     78 -- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
     79 
     80 HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
        -- By its name, the LAN Manager one-way function of the password
        -- (carried as lm-owf[4]). This is credential material and needs the
        -- same protection as Key.key.
     81 
     82 HDB-Ext-Password ::= SEQUENCE {
        	-- A stored password (carried as password[5]); presumably wrapped
        	-- under master key version mkvno when that field is present --
        	-- confirm against the hdb code.
        	-- Note: 'password' has no context tag and uses the universal
        	-- OCTET STRING tag. That is still unambiguous after the OPTIONAL
        	-- [0] INTEGER, and adding a tag now would change the wire encoding.
     83 	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
     84 	password	OCTET STRING
     85 }
     86 
     87 HDB-Ext-Aliases ::= SEQUENCE {
        	-- Alternative names of the entry (carried as aliases[6]).
        	-- 'case-insensitive' relaxes name matching for this entry; 'aliases'
        	-- lists every name, the primary one included.
     88 	case-insensitive[0]	BOOLEAN, -- case insensitive name allowed
     89 	aliases[1]		SEQUENCE OF Principal -- all names, inc primary
     90 }
     91 
     92 Keys ::= SEQUENCE OF Key	-- key list used by hdb_entry and hdb_keyset
     93 
     94 hdb_keyset ::= SEQUENCE {
        	-- The keys that belong to key version 'kvno' (used for hist-keys).
        	-- Extensible ('...'): decoders must tolerate unknown trailing
        	-- fields.
     95 	kvno[0]		INTEGER (0..4294967295),
     96 	keys[1]		Keys,
     97 	set-time[2]	KerberosTime OPTIONAL,	-- time this keyset was created/set
     98 	...
     99 }
    100 
    101 HDB-Ext-KeySet ::= SEQUENCE OF hdb_keyset	-- older key sets, carried as hist-keys[9]
    102 
    103 
    104 HDB-extension ::= SEQUENCE {
                -- Tagged extension record. 'mandatory' is the fail-closed
                -- rule: a consumer that does not recognise the 'data'
                -- alternative must reject the whole entry when the flag is
                -- set; when it is clear the extension can presumably be
                -- skipped.
    105         mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
    106                                         --   if not the whole entry must
    107                                         --   be rejected
    108         data[1]          CHOICE {
    109 	        pkinit-acl[0]			HDB-Ext-PKINIT-acl,
    110 	        pkinit-cert-hash[1]  		HDB-Ext-PKINIT-hash,
    111 		allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
    112 --		referral-info[3]		HDB-Ext-Referrals,
        		-- tag [3] stays reserved for referral-info (commented out above)
    113 		lm-owf[4]			HDB-Ext-Lan-Manager-OWF,
    114 		password[5]			HDB-Ext-Password,
    115 		aliases[6]			HDB-Ext-Aliases,
    116 		last-pw-change[7]		KerberosTime,
    117 	        pkinit-cert[8]  		HDB-Ext-PKINIT-cert,
    118 	        hist-keys[9]			HDB-Ext-KeySet,
        		-- NOTE(review): the two kvno-diff values presumably bound how
        		-- many older kvnos are still accepted for clients / services
        		-- respectively -- confirm against the hdb code.
    119 		hist-kvno-diff-clnt[10]		INTEGER (0..4294967295),
    120 		hist-kvno-diff-svc[11]		INTEGER (0..4294967295),
    121 	        policy[12]			UTF8String,
    122 		principal-id[13]		INTEGER(-9223372036854775808..9223372036854775807),	-- signed 64-bit range
    123 		...
    124 	},
    125 	...
    126 }
    127 
    128 HDB-extensions ::= SEQUENCE OF HDB-extension	-- see extensions[13] in hdb_entry
    129 
    130 hdb_entry ::= SEQUENCE {
        	-- One principal's database record. Field meanings follow their
        	-- names: validity window (valid-start / valid-end), password expiry
        	-- (pw-end), ticket lifetime limits (max-life / max-renew),
        	-- permitted encryption types (etypes). There is no '...' marker
        	-- here, so adding a field presumably requires a new HDB_DB_FORMAT.
    131 	principal[0]	Principal  OPTIONAL, -- this is optional only 
    132 					     -- for compatibility with libkrb5
    133 	kvno[1]		INTEGER (0..4294967295),	-- current key version
    134 	keys[2]		Keys,
    135 	created-by[3]	Event,
    136 	modified-by[4]	Event OPTIONAL,
    137 	valid-start[5]	KerberosTime OPTIONAL,
    138 	valid-end[6]	KerberosTime OPTIONAL,
    139 	pw-end[7]	KerberosTime OPTIONAL,
    140 	max-life[8]	INTEGER (0..4294967295) OPTIONAL,
    141 	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,
    142 	flags[10]	HDBFlags,
    143 	etypes[11]	SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
    144 	generation[12]	GENERATION OPTIONAL,
    145         extensions[13]  HDB-extensions OPTIONAL
    146 }
    147 
    148 hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
        	-- Alias record: told apart from hdb_entry by the APPLICATION 0 tag;
        	-- it only refers to a principal.
    149 	principal[0]	Principal  OPTIONAL
    150 }
    151 
    152 END