-- Id
--
-- HDB: ASN.1 schema for the KDC principal database entries (hdb_entry)
-- and the per-entry extensions carried inside them.  The Kerberos types
-- (EncryptionKey, KerberosTime, Principal) are imported from the krb5 module.
--
-- The context tags ([n]) and the named bit numbers below are part of the
-- stored encoding: an existing tag or bit must never be renumbered or
-- reused; new members are appended in front of the "..." extension markers.
HDB DEFINITIONS ::=
BEGIN

IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
                            -- update when making changes
                            -- (every producer and consumer of hdb_entry
                            -- has to agree on this number)

-- these must have the same value as the pa-* counterparts
-- (presumably the values that appear in Salt.type; confirm against the
-- krb5 module's pa-pw-salt / pa-afs3-salt definitions)
hdb-pw-salt INTEGER ::= 3
hdb-afs3-salt INTEGER ::= 10

-- Salt used when deriving a key from a password.
Salt ::= SEQUENCE {
    type[0]     INTEGER (0..4294967295), -- salt type, see the hdb-*-salt constants above
    salt[1]     OCTET STRING,            -- the salt bytes themselves
    opaque[2]   OCTET STRING OPTIONAL    -- extra data whose meaning is not defined here
}

-- One long-term key of a principal.
Key ::= SEQUENCE {
    mkvno[0]    INTEGER (0..4294967295) OPTIONAL, -- master key version number
                                                  -- (NOTE(review): when present,
                                                  -- presumably names the master key
                                                  -- the key field is wrapped under;
                                                  -- confirm against the hdb code)
    key[1]      EncryptionKey,                    -- the key (type and value)
    salt[2]     Salt OPTIONAL                     -- salt needed to re-derive it from a password
}

-- Who did something, and when (see created-by / modified-by in hdb_entry).
Event ::= SEQUENCE {
    time[0]         KerberosTime,
    principal[1]    Principal OPTIONAL
}

-- Per-entry policy flags.  Bit numbers are persistent in the database;
-- unused positions between 18 and 31 are free for future flags.
HDBFlags ::= BIT STRING {
    initial(0),                 -- require as-req
    forwardable(1),             -- may issue forwardable
    proxiable(2),               -- may issue proxiable
    renewable(3),               -- may issue renewable
    postdate(4),                -- may issue postdatable
    server(5),                  -- may be server
    client(6),                  -- may be client
    invalid(7),                 -- entry is invalid
    require-preauth(8),         -- must use preauth
    change-pw(9),               -- change password service
    require-hwauth(10),         -- must use hwauth
    ok-as-delegate(11),         -- as in TicketFlags
    user-to-user(12),           -- may use user-to-user auth
    immutable(13),              -- may not be deleted
    trusted-for-delegation(14), -- Trusted to print forwardable tickets
    allow-kerberos4(15),        -- Allow Kerberos 4 requests
    allow-digest(16),           -- Allow digest requests
    locked-out(17),             -- Account is locked out,
                                -- authentication will be denied
    require-pwchange(18),       -- require a passwd change
    do-not-store(31)            -- Not to be modified and stored in HDB
}

-- Change counter for an entry, used to detect concurrent modification.
GENERATION ::= SEQUENCE {
    time[0]     KerberosTime,               -- timestamp
    usec[1]     INTEGER (0..4294967295),    -- microseconds
    gen[2]      INTEGER (0..4294967295)     -- generation number
}

-- PKINIT: list of certificate name constraints that are allowed to
-- authenticate as this principal (each element is a subject with an
-- optional issuer and trust anchor; the exact matching rules live in the
-- KDC, not in this schema).
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
    subject[0]  UTF8String,
    issuer[1]   UTF8String OPTIONAL,
    anchor[2]   UTF8String OPTIONAL
}

-- PKINIT: list of certificate digests, each tagged with the digest
-- algorithm OID that produced it.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
    digest-type[0]  OBJECT IDENTIFIER,
    digest[1]       OCTET STRING
}

-- PKINIT: list of whole certificates, stored as opaque octets.
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
    cert[0]     OCTET STRING
}

-- Constrained delegation: the services this principal may obtain
-- tickets for on behalf of a client (data[2], allowed-to-delegate-to).
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA

-- Raw LAN Manager one-way-function hash of the principal's password.
-- NOTE(review): this is a password-equivalent credential and has to be
-- protected exactly like the keys in the entry.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

-- The principal's password itself.  Note that password carries no context
-- tag: it is told apart from the optional mkvno by its universal tag.
HDB-Ext-Password ::= SEQUENCE {
    mkvno[0]    INTEGER (0..4294967295) OPTIONAL, -- master key version number
                                                  -- (NOTE(review): presumably the
                                                  -- password is wrapped under that
                                                  -- master key when this is present;
                                                  -- confirm in the hdb code)
    password    OCTET STRING
}

-- Alternative names for the entry.
HDB-Ext-Aliases ::= SEQUENCE {
    case-insensitive[0] BOOLEAN,                -- case insensitive name allowed
    aliases[1]          SEQUENCE OF Principal   -- all names, inc primary
}

Keys ::= SEQUENCE OF Key

-- A set of keys that share one key version number.
-- Extensible (the trailing "..."): decoders must skip unknown members.
hdb_keyset ::= SEQUENCE {
    kvno[0]     INTEGER (0..4294967295),
    keys[1]     Keys,
    set-time[2] KerberosTime OPTIONAL, -- time this keyset was created/set
    ...
}

-- Older key sets kept after a key change (see hist-keys below).
HDB-Ext-KeySet ::= SEQUENCE OF hdb_keyset

-- One extension record.  Both the outer SEQUENCE and the CHOICE are
-- extensible; the mandatory flag tells a reader what to do with a
-- CHOICE alternative it does not know.
HDB-extension ::= SEQUENCE {
    mandatory[0]    BOOLEAN, -- kdc MUST understand this extension,
                             -- if not the whole entry must
                             -- be rejected
                             -- (a non-mandatory unknown extension is
                             -- presumably skipped instead; confirm in
                             -- the hdb code)
    data[1]         CHOICE {
        pkinit-acl[0]               HDB-Ext-PKINIT-acl,
        pkinit-cert-hash[1]         HDB-Ext-PKINIT-hash,
        allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
        -- referral-info[3]         HDB-Ext-Referrals,
        lm-owf[4]                   HDB-Ext-Lan-Manager-OWF,
        password[5]                 HDB-Ext-Password,
        aliases[6]                  HDB-Ext-Aliases,
        last-pw-change[7]           KerberosTime,   -- when the password was last changed
        pkinit-cert[8]              HDB-Ext-PKINIT-cert,
        hist-keys[9]                HDB-Ext-KeySet, -- previous key sets, by kvno
        hist-kvno-diff-clnt[10]     INTEGER (0..4294967295), -- NOTE(review): presumably how far back
                                                             -- in kvno client tickets may reach;
                                                             -- confirm in the KDC
        hist-kvno-diff-svc[11]      INTEGER (0..4294967295), -- NOTE(review): same, for service keys;
                                                             -- confirm in the KDC
        policy[12]                  UTF8String,     -- name of a policy; semantics defined elsewhere
        principal-id[13]            INTEGER(-9223372036854775808..9223372036854775807), -- signed 64-bit id
        ...
    },
    ...
}

HDB-extensions ::= SEQUENCE OF HDB-extension

-- A principal database entry (universal SEQUENCE tag).
hdb_entry ::= SEQUENCE {
    principal[0]    Principal OPTIONAL, -- this is optional only
                                        -- for compatibility with libkrb5
    kvno[1]         INTEGER (0..4294967295),        -- current key version number
    keys[2]         Keys,                           -- current keys (older ones: hist-keys extension)
    created-by[3]   Event,
    modified-by[4]  Event OPTIONAL,
    valid-start[5]  KerberosTime OPTIONAL,          -- entry not usable before this time
    valid-end[6]    KerberosTime OPTIONAL,          -- entry not usable after this time
    pw-end[7]       KerberosTime OPTIONAL,          -- password expiry
    max-life[8]     INTEGER (0..4294967295) OPTIONAL,   -- limit on ticket lifetime (units not fixed here)
    max-renew[9]    INTEGER (0..4294967295) OPTIONAL,   -- limit on renewable lifetime (units not fixed here)
    flags[10]       HDBFlags,
    etypes[11]      SEQUENCE OF INTEGER (0..4294967295) OPTIONAL, -- allowed encryption types
    generation[12]  GENERATION OPTIONAL,
    extensions[13]  HDB-extensions OPTIONAL
}

-- Record stored under an alias name, pointing at the real principal.
-- The [APPLICATION 0] tag lets a decoder distinguish it from an
-- hdb_entry, which is an untagged SEQUENCE.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
    principal[0]    Principal OPTIONAL
}

END