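-- $Id$
--
-- ASN.1 module describing the records stored in the HDB database.
-- An hdb_entry carries a principal's keys and, through the extensions,
-- may also carry a stored password and a LAN Manager OWF value, so the
-- database and any dump of it hold secret material.
HDB DEFINITIONS ::=
BEGIN

IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2	-- format of database,
				-- update when making changes

-- these must have the same value as the pa-* counterparts
hdb-pw-salt	INTEGER	::= 3
hdb-afs3-salt	INTEGER	::= 10

-- Salt attached to a key: a salt type, the salt bytes, and an optional
-- opaque blob whose meaning is not defined in this module.
Salt ::= SEQUENCE {
	type[0]		INTEGER (0..4294967295),
	salt[1]		OCTET STRING,
	opaque[2]	OCTET STRING OPTIONAL
}

-- One long-term key of a principal.
-- NOTE(review): mkvno presumably names the master key protecting `key`;
-- what an absent mkvno means for at-rest protection is not visible in
-- this module -- confirm against the code that reads and writes entries.
Key ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
	key[1]		EncryptionKey,
	salt[2]		Salt OPTIONAL
}

-- A timestamp plus, optionally, the principal responsible for the event
-- (used by created-by / modified-by in hdb_entry).
Event ::= SEQUENCE {
	time[0]		KerberosTime,
	principal[1]	Principal OPTIONAL
}

-- Per-principal policy flags. The bit numbers are part of the stored
-- encoding: add new flags at the end, never renumber existing ones.
HDBFlags ::= BIT STRING {
	initial(0),			-- require as-req
	forwardable(1),			-- may issue forwardable
	proxiable(2),			-- may issue proxiable
	renewable(3),			-- may issue renewable
	postdate(4),			-- may issue postdatable
	server(5),			-- may be server
	client(6),			-- may be client
	invalid(7),			-- entry is invalid
	require-preauth(8),		-- must use preauth
	change-pw(9),			-- change password service
	require-hwauth(10),		-- must use hwauth
	ok-as-delegate(11),		-- as in TicketFlags
	user-to-user(12),		-- may use user-to-user auth
	immutable(13),			-- may not be deleted
	trusted-for-delegation(14),	-- Trusted to print forwardable tickets
	allow-kerberos4(15),		-- Allow Kerberos 4 requests
					-- (legacy protocol; NOTE(review): worth
					-- auditing which entries still set this)
	allow-digest(16),		-- Allow digest requests
	locked-out(17)			-- Account is locked out,
					-- authentication will be denied
}

GENERATION ::= SEQUENCE {
	time[0]		KerberosTime,			-- timestamp
	usec[1]		INTEGER (0..4294967295),	-- microseconds
	gen[2]		INTEGER (0..4294967295)		-- generation number
}

-- PKINIT ACL entries: a certificate subject, optionally narrowed by
-- issuer and anchor. All three are free-form UTF8 strings here; how they
-- are compared is decided by the consumer, not by this schema.
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
	subject[0]	UTF8String,
	issuer[1]	UTF8String OPTIONAL,
	anchor[2]	UTF8String OPTIONAL
}

-- Certificate digests. The digest algorithm is named by an OID and is not
-- restricted by this schema.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
	digest-type[0]	OBJECT IDENTIFIER,
	digest[1]	OCTET STRING
}

-- Certificates stored as opaque octet strings.
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
	cert[0]		OCTET STRING
}

-- Principals this entry is allowed to delegate to (see the
-- allowed-to-delegate-to alternative in HDB-extension).
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA

-- LAN Manager one-way-function value of the password. It is derived from
-- the password, so it needs the same protection as the keys.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

-- Stored password for the principal.
-- NOTE(review): mkvno is OPTIONAL; presumably the password is protected
-- by that master key when it is present -- confirm how the octets are
-- stored when it is absent.
-- `password` carries no context tag, unlike the other fields in this
-- module. Do not add one: it would change the encoding of stored entries.
HDB-Ext-Password ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
	password	OCTET STRING
}

HDB-Ext-Aliases ::= SEQUENCE {
	case-insensitive[0]	BOOLEAN,	-- case insensitive name allowed
	aliases[1]		SEQUENCE OF Principal	-- all names, inc primary
}


-- Extensible container for optional per-entry data. `mandatory` makes an
-- unknown extension fail closed: a KDC that does not understand it has to
-- reject the entry rather than ignore the extension.
-- Tag [3] is left unused by the commented-out referral-info alternative.
HDB-extension ::= SEQUENCE {
	mandatory[0]	BOOLEAN,	-- kdc MUST understand this extension,
					-- if not the whole entry must
					-- be rejected
	data[1]		CHOICE {
		pkinit-acl[0]			HDB-Ext-PKINIT-acl,
		pkinit-cert-hash[1]		HDB-Ext-PKINIT-hash,
		allowed-to-delegate-to[2]	HDB-Ext-Constrained-delegation-acl,
--		referral-info[3]		HDB-Ext-Referrals,
		lm-owf[4]			HDB-Ext-Lan-Manager-OWF,
		password[5]			HDB-Ext-Password,
		aliases[6]			HDB-Ext-Aliases,
		last-pw-change[7]		KerberosTime,
		pkinit-cert[8]			HDB-Ext-PKINIT-cert,
		...
	},
	...
}

HDB-extensions ::= SEQUENCE OF HDB-extension

-- A key version number together with the keys of that version.
-- The tags are deliberately listed as kvno[1], keys[0]; keep them as is.
hdb_keyset ::= SEQUENCE {
	kvno[1]		INTEGER (0..4294967295),
	keys[0]		SEQUENCE OF Key
}

-- The database record for one principal: current keys, audit events,
-- validity and lifetime limits, policy flags and optional extensions.
hdb_entry ::= SEQUENCE {
	principal[0]	Principal OPTIONAL,	-- this is optional only
						-- for compatibility with libkrb5
	kvno[1]		INTEGER (0..4294967295),
	keys[2]		SEQUENCE OF Key,
	created-by[3]	Event,
	modified-by[4]	Event OPTIONAL,
	valid-start[5]	KerberosTime OPTIONAL,
	valid-end[6]	KerberosTime OPTIONAL,
	pw-end[7]	KerberosTime OPTIONAL,
	max-life[8]	INTEGER (0..4294967295) OPTIONAL,
	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,
	flags[10]	HDBFlags,
	etypes[11]	SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
	generation[12]	GENERATION OPTIONAL,
	extensions[13]	HDB-extensions OPTIONAL
}

-- Alias record; the APPLICATION 0 tag sets it apart from hdb_entry,
-- which is a plain SEQUENCE.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
	principal[0]	Principal OPTIONAL
}

END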