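-- $Id$
--
-- Heimdal KDC database (HDB) record format.
--
-- Every principal in the HDB is stored as one DER-encoded hdb_entry (or an
-- hdb_entry_alias pointing at one).  This module is therefore the storage
-- and replication contract between the KDC, kadmind and the dump/load
-- tools: any change to a tag number or element type here changes what
-- existing stores mean, and must be accompanied by an HDB_DB_FORMAT bump
-- and a migration path.  Unknown-but-mandatory extensions cause the whole
-- entry to be rejected (see HDB-extension), which is the intended fail-
-- closed behaviour for security-relevant data the KDC does not understand.
HDB DEFINITIONS ::=
BEGIN

IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
			    -- update when making changes

-- these must have the same value as the pa-* counterparts
hdb-pw-salt	INTEGER ::= 3
hdb-afs3-salt	INTEGER ::= 10

-- Salt used when deriving a long-term key from a password.  `type' uses
-- the same numbering as the PA-PW-SALT / PA-AFS3-SALT padata (see the two
-- constants above).  `opaque' is enctype specific; its interpretation is
-- not defined by this module.
Salt ::= SEQUENCE {
	type[0]		INTEGER (0..4294967295),
	salt[1]		OCTET STRING,
	opaque[2]	OCTET STRING OPTIONAL
}

-- One long-term key of a principal.  When mkvno is present the key
-- material in `key' is stored encrypted under that version of the
-- database master key.
-- NOTE(review): the meaning of an absent mkvno (key stored unsealed) is
-- a convention of the consuming code, not of this module -- confirm
-- against hdb_unseal_key before relying on it.
Key ::= SEQUENCE {
	mkvno[0]	INTEGER (-2147483648..2147483647) OPTIONAL, -- master key version number
	key[1]		EncryptionKey,
	salt[2]		Salt OPTIONAL
}

-- Audit record: who changed the entry and when.  `principal' is optional
-- because some writers (e.g. initial database creation) have no
-- authenticated caller to record.
Event ::= SEQUENCE {
	time[0]		KerberosTime,
	principal[1]	Principal OPTIONAL
}

-- Per-entry policy bits consulted by the KDC on every request.  Bit
-- numbers are part of the stored format and must never be renumbered;
-- new flags take the next free bit below 31.
HDBFlags ::= BIT STRING {
	initial(0),			-- require as-req
	forwardable(1),			-- may issue forwardable
	proxiable(2),			-- may issue proxiable
	renewable(3),			-- may issue renewable
	postdate(4),			-- may issue postdatable
	server(5),			-- may be server
	client(6),			-- may be client
	invalid(7),			-- entry is invalid
	require-preauth(8),		-- must use preauth
	change-pw(9),			-- change password service
	require-hwauth(10),		-- must use hwauth
	ok-as-delegate(11),		-- as in TicketFlags
	user-to-user(12),		-- may use user-to-user auth
	immutable(13),			-- may not be deleted
	trusted-for-delegation(14),	-- Trusted to issue forwardable tickets
					-- on behalf of other clients
	allow-kerberos4(15),		-- Allow Kerberos 4 requests
	allow-digest(16),		-- Allow digest requests
	locked-out(17),			-- Account is locked out,
					-- authentication will be denied
	do-not-store(31)		-- Not to be modified and stored in HDB
					-- (in-memory / synthetic entries only)
}

-- Monotonic change counter used to order replicas of the same entry.
GENERATION ::= SEQUENCE {
	time[0]		KerberosTime,			-- timestamp
	usec[1]		INTEGER (0..4294967295),	-- microseconds
	gen[2]		INTEGER (0..4294967295)		-- generation number
}

-- PKINIT: which client certificates may authenticate as this principal,
-- expressed as subject / issuer / trust-anchor name strings.  An entry
-- with only `subject' set matches any issuer the KDC trusts, so issuer
-- and anchor should be filled in whenever more than one CA is trusted.
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
	subject[0]	UTF8String,
	issuer[1]	UTF8String OPTIONAL,
	anchor[2]	UTF8String OPTIONAL
}

-- PKINIT: pin the client certificate by digest.  digest-type names the
-- hash algorithm.
-- NOTE(review): this module does not constrain digest-type; the KDC side
-- must refuse to match on non-collision-resistant algorithms (e.g. MD5),
-- otherwise a forged certificate with a colliding digest would pass.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
	digest-type[0]	OBJECT IDENTIFIER,
	digest[1]	OCTET STRING
}

-- PKINIT: pin the exact DER-encoded client certificate(s).
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
	cert[0]		OCTET STRING
}

-- Constrained delegation: the services this principal is allowed to
-- obtain tickets for on behalf of its clients (allowed-to-delegate-to).
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
-- (never shipped; CHOICE tag [3] in HDB-extension stays reserved for it)

-- LAN Manager one-way-function hash of the password.  This is a weak,
-- unsalted hash that is password equivalent for LM/NTLM -- treat it with
-- the same sensitivity as the keys and only store it when digest/NTLM
-- support is actually required.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

-- The principal's password itself, encrypted under master key `mkvno'
-- when that field is present.  Storing this is a significant liability
-- (it allows deriving every enctype's key offline); it exists for
-- protocols that need the cleartext, such as digest.
HDB-Ext-Password ::= SEQUENCE {
	mkvno[0]	INTEGER (-2147483648..2147483647) OPTIONAL, -- master key version number
	password	OCTET STRING
}

-- Alternative names for the same entry.  `aliases' lists every name the
-- entry answers to, including the primary one.
HDB-Ext-Aliases ::= SEQUENCE {
	case-insensitive[0]	BOOLEAN,		-- case insensitive name allowed
	aliases[1]		SEQUENCE OF Principal	-- all names, inc primary
}

Keys ::= SEQUENCE OF Key

-- Legacy (Apple) keyset encoding.  Note the out-of-order tags: kvno is
-- [1] and keys is [0].  ASN.1 permits this, but the numbers are baked
-- into existing stores and must not be "fixed".  There is no extension
-- marker here, so new fields cannot be added to this type.
hdb_keyset_aapl ::= SEQUENCE {
	kvno[1]		INTEGER (-2147483648..2147483647),
	keys[0]		Keys,
	principal[2]	Principal OPTIONAL
}

-- A versioned set of keys, used for key history (hist-keys).  `set-time'
-- lets the KDC age out old key versions; `principal' records which name
-- the keys were set for when the entry has aliases.
hdb_keyset ::= SEQUENCE {
	kvno[0]		INTEGER (-2147483648..2147483647),
	keys[1]		Keys,
	set-time[2]	KerberosTime OPTIONAL,	-- time this keyset was created/set
	principal[3]	Principal OPTIONAL,
	...
}

HDB-Ext-KeySet ::= SEQUENCE OF hdb_keyset

-- Typed extension attached to an entry.  Every CHOICE tag is permanent:
-- once used (or reserved, like [3]) a number is never given a new
-- meaning, because older KDCs would silently misinterpret the data.
HDB-extension ::= SEQUENCE {
	mandatory[0]	BOOLEAN, -- kdc MUST understand this extension,
				 -- if not the whole entry must
				 -- be rejected
	data[1]		CHOICE {
		pkinit-acl[0]			HDB-Ext-PKINIT-acl,
		pkinit-cert-hash[1]		HDB-Ext-PKINIT-hash,
		allowed-to-delegate-to[2]	HDB-Ext-Constrained-delegation-acl,
--		referral-info[3]		HDB-Ext-Referrals,	-- reserved
		lm-owf[4]			HDB-Ext-Lan-Manager-OWF,
		password[5]			HDB-Ext-Password,
		aliases[6]			HDB-Ext-Aliases,
		last-pw-change[7]		KerberosTime,
		pkinit-cert[8]			HDB-Ext-PKINIT-cert,
		hist-keys[9]			HDB-Ext-KeySet,
		-- how many kvnos behind the current one are still accepted
		-- for client (clnt) and service (svc) use -- presumably
		-- bounding which hist-keys remain live; verify against the
		-- KDC's key-lookup code
		hist-kvno-diff-clnt[10]		INTEGER (-2147483648..2147483647),
		hist-kvno-diff-svc[11]		INTEGER (-2147483648..2147483647),
		policy[12]			UTF8String,
		...
	},
	...
}

HDB-extensions ::= SEQUENCE OF HDB-extension

-- The principal record.  Lifetime / validity fields are all OPTIONAL;
-- an absent valid-end or pw-end means "no expiry", so callers must not
-- treat absence as "expired".
--
-- Consecutive OPTIONAL elements of a SEQUENCE must carry distinct tags
-- or the decoder cannot tell which one is present.  `extensions' and
-- `acl-rights' both used [13] in an earlier revision of this file; the
-- acl-rights tag is therefore [14].  Any store written with acl-rights
-- under [13] was never decodable unambiguously and needs migration --
-- bump HDB_DB_FORMAT when rolling this out.
hdb_entry ::= SEQUENCE {
	principal[0]	Principal OPTIONAL, -- this is optional only
					    -- for compatibility with libkrb5
	kvno[1]		INTEGER (-2147483648..2147483647),
	keys[2]		Keys,
	created-by[3]	Event,
	modified-by[4]	Event OPTIONAL,
	valid-start[5]	KerberosTime OPTIONAL,
	valid-end[6]	KerberosTime OPTIONAL,
	pw-end[7]	KerberosTime OPTIONAL,
	max-life[8]	INTEGER (0..4294967295) OPTIONAL,
	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,
	flags[10]	HDBFlags,
	etypes[11]	SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
	generation[12]	GENERATION OPTIONAL,
	extensions[13]	HDB-extensions OPTIONAL,
	acl-rights[14]	INTEGER (0..4294967295) OPTIONAL
}

-- An alias record: stored under the alias name, it carries only the
-- primary principal to look up instead.  The [APPLICATION 0] tag lets a
-- reader distinguish it from a real hdb_entry (a plain SEQUENCE) before
-- decoding, so an alias can never be mistaken for a full entry with keys.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
	principal[0]	Principal OPTIONAL
}

END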