1-- $Id$
2HDB DEFINITIONS ::=
3BEGIN
4
5IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
6
7HDB_DB_FORMAT INTEGER ::= 2	-- format version of the stored database;
8				-- update this whenever the encoding of any
				-- type in this module changes, so old
				-- databases are not misread as the new layout
9
10-- these must have the same value as the pa-* counterparts in the krb5
-- module; the salt type is presumably the value handed to clients so
-- they derive the same key (NOTE(review): confirm where Salt.type is
-- emitted before changing either side)
11hdb-pw-salt	INTEGER	::= 3
12hdb-afs3-salt	INTEGER	::= 10
13
-- Salt: presumably describes how a key was derived from a password
-- (confirm against the code that builds Key.salt). The tag numbers are
-- part of the stored encoding; do not renumber.
14Salt ::= SEQUENCE {
15	type[0]		INTEGER (0..4294967295),	-- salt type; presumably hdb-pw-salt or hdb-afs3-salt above
16	salt[1]		OCTET STRING,			-- the salt bytes
17	opaque[2]	OCTET STRING OPTIONAL		-- extra data; its meaning is not defined in this module
18}
19
-- Key: one encryption key belonging to a database entry.
20Key ::= SEQUENCE {
21	mkvno[0]	INTEGER (-2147483648..2147483647) OPTIONAL, -- master key version number
							-- (NOTE(review): presumably present only when the
							-- key is wrapped under that master key; confirm)
22	key[1]		EncryptionKey,		-- key type and value, type imported from krb5
23	salt[2]		Salt OPTIONAL		-- salt associated with this key, if any
24}
25
-- Event: when, and by which principal, something was done to an entry
-- (used by created-by and modified-by in hdb_entry).
26Event ::= SEQUENCE {
27	time[0]		KerberosTime,		-- when it happened
28	principal[1]	Principal OPTIONAL	-- who did it, if recorded
29}
30
-- HDBFlags: per-entry policy bits consulted by the KDC. Bit positions
-- are part of the stored encoding: never renumber an existing bit, only
-- add new ones. Bits 18..30 are not assigned in this module.
31HDBFlags ::= BIT STRING {
32	initial(0),			-- require as-req
33	forwardable(1),			-- may issue forwardable
34	proxiable(2),			-- may issue proxiable
35	renewable(3),			-- may issue renewable
36	postdate(4),			-- may issue postdatable
37	server(5),			-- may be server
38	client(6),			-- may be client
39	invalid(7),			-- entry is invalid
40	require-preauth(8),		-- must use preauth
41	change-pw(9),			-- change password service
42	require-hwauth(10),		-- must use hwauth
43	ok-as-delegate(11),		-- as in TicketFlags
44	user-to-user(12),		-- may use user-to-user auth
45	immutable(13),			-- may not be deleted
46	trusted-for-delegation(14),	-- trusted to issue forwardable tickets
47	allow-kerberos4(15),		-- allow Kerberos 4 requests
48	allow-digest(16),		-- allow digest requests
49	locked-out(17),			-- account is locked out,
50					-- authentication will be denied
51	do-not-store(31)		-- not to be modified and stored in HDB
52}
53
-- GENERATION: a timestamp plus a counter; presumably used to detect
-- concurrent modification of an entry (confirm in the hdb backend).
54GENERATION ::= SEQUENCE {
55	time[0]		KerberosTime,			-- timestamp
56	usec[1]		INTEGER (0..4294967295),	-- microseconds within that second
57	gen[2]		INTEGER (0..4294967295)		-- generation number
58}
59
-- PKINIT ACL (the pkinit-acl extension): a list of certificate name
-- constraints. NOTE(review): the matching rules (exact vs. pattern,
-- which fields must be present) are not defined here; confirm in the
-- KDC before relying on an entry to restrict which certificates map
-- to this principal.
60HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
61	subject[0]	UTF8String,		-- subject name to match, presumably of the client certificate
62	issuer[1]	UTF8String OPTIONAL,	-- issuer name to match, when constrained
63	anchor[2]	UTF8String OPTIONAL	-- trust anchor to match, when constrained
64}
65
-- PKINIT certificate hashes (the pkinit-cert-hash extension): each item
-- is a digest algorithm OID plus the digest value, presumably of an
-- accepted client certificate (confirm). Which algorithms are acceptable
-- is decided by the consumer; weak digests should be rejected there.
66HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
67	digest-type[0] OBJECT IDENTIFIER,	-- hash algorithm OID
68	digest[1] OCTET STRING			-- digest value
69}
70
-- PKINIT certificates (the pkinit-cert extension): cert holds the raw
-- certificate bytes, presumably DER encoded (confirm).
71HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
72	cert[0] OCTET STRING		-- one certificate
73}
74
-- Principals this entry may delegate to (the allowed-to-delegate-to
-- extension). NOTE(review): confirm in the KDC whether an empty list
-- means "no delegation allowed" rather than "unrestricted".
75HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
76
77-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
78
-- Lan Manager one-way function of the password (the lm-owf extension),
-- stored as raw bytes. NOTE(review): LM hashes are a legacy construction
-- with well known weaknesses; treat this field as key material and keep
-- it out of logs and dumps.
79HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
80
-- Stored password (the password extension). password carries no context
-- tag, so it is encoded with the universal OCTET STRING tag, which does
-- not collide with mkvno[0]. NOTE(review): presumably encrypted under the
-- master key when mkvno is present; confirm before treating it as opaque.
81HDB-Ext-Password ::= SEQUENCE {
82	mkvno[0]	INTEGER (-2147483648..2147483647) OPTIONAL, -- master key version number
83	password	OCTET STRING		-- password bytes; see note above
84}
85
-- Alternate names for an entry (the aliases extension).
86HDB-Ext-Aliases ::= SEQUENCE {
87	case-insensitive[0]	BOOLEAN, -- case insensitive name matching allowed
88	aliases[1]		SEQUENCE OF Principal -- all names, including the primary one
89}
90
-- Keys: a list of Key values, as stored in an entry or keyset.
91Keys ::= SEQUENCE OF Key
92
93-- notice the interesting order of the tags: kvno is [1] and keys is [0].
-- Components are encoded in textual order with these tag numbers, so
-- neither the order nor the numbers may be "fixed"; either change alters
-- the stored encoding.
94hdb_keyset_aapl ::= SEQUENCE {
95	kvno[1]		INTEGER (-2147483648..2147483647),	-- key version number
96	keys[0]		Keys,					-- the keys of this set
97	principal[2]	Principal OPTIONAL			-- principal, if recorded
98}
99
-- hdb_keyset: one version of an entry's keys. The extension marker means
-- later versions may append components, so decoders must tolerate
-- components they do not know.
100hdb_keyset ::= SEQUENCE {
101	kvno[0]		INTEGER (-2147483648..2147483647),	-- key version number
102	keys[1]		Keys,					-- the keys of this set
103	set-time[2]	KerberosTime OPTIONAL,	-- time this keyset was created/set
104	principal[3]	Principal OPTIONAL,			-- principal, if recorded
105	...
106}
107
-- Historical keysets (the hist-keys extension).
108HDB-Ext-KeySet ::= SEQUENCE OF hdb_keyset
109
110
-- HDB-extension: one tagged extension record. Both the outer SEQUENCE
-- and the data CHOICE carry extension markers, so unknown extensions
-- must decode; the mandatory flag says whether an unknown one may be
-- ignored. Tag [3] of data is reserved by the commented out referral-info
-- and must not be reused.
111HDB-extension ::= SEQUENCE {
112        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
113                                        --   if not the whole entry must
114                                        --   be rejected
115        data[1]          CHOICE {
116	        pkinit-acl[0]			HDB-Ext-PKINIT-acl,
117	        pkinit-cert-hash[1]  		HDB-Ext-PKINIT-hash,
118		allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
119--		referral-info[3]		HDB-Ext-Referrals,
120		lm-owf[4]			HDB-Ext-Lan-Manager-OWF,
121		password[5]			HDB-Ext-Password,
122		aliases[6]			HDB-Ext-Aliases,
123		last-pw-change[7]		KerberosTime,	-- when the password was last changed
124	        pkinit-cert[8]  		HDB-Ext-PKINIT-cert,
125	        hist-keys[9]			HDB-Ext-KeySet,
126		hist-kvno-diff-clnt[10]		INTEGER (-2147483648..2147483647),	-- NOTE(review): semantics not defined here; confirm in the KDC
127		hist-kvno-diff-svc[11]		INTEGER (-2147483648..2147483647),	-- NOTE(review): semantics not defined here; confirm in the KDC
128	        policy[12]			UTF8String,	-- presumably the name of a policy; confirm
129		...
130	},
131	...
132}
133
-- All extension records attached to an entry (see hdb_entry.extensions).
134HDB-extensions ::= SEQUENCE OF HDB-extension
135
-- hdb_entry: one principal record.
-- NOTE(review): extensions[13] and acl-rights[13] share context tag [13]
-- and both are OPTIONAL, so a decoder cannot tell which one is present;
-- a strict ASN.1 compiler should reject the module. Confirm the intended
-- tag for acl-rights (the next unused one is [14]) before this type is
-- relied on. There is also no extension marker, so components cannot be
-- appended without changing the format (new data belongs in extensions).
136hdb_entry ::= SEQUENCE {
137	principal[0]	Principal  OPTIONAL, -- this is optional only
138					     -- for compatibility with libkrb5
139	kvno[1]		INTEGER (-2147483648..2147483647),	-- current key version number
140	keys[2]		Keys,					-- current keys
141	created-by[3]	Event,					-- who created the entry, and when
142	modified-by[4]	Event OPTIONAL,				-- who last modified it, and when
143	valid-start[5]	KerberosTime OPTIONAL,			-- presumably start of the entry's validity window
144	valid-end[6]	KerberosTime OPTIONAL,			-- presumably end of the entry's validity window
145	pw-end[7]	KerberosTime OPTIONAL,			-- presumably password expiry time
146	max-life[8]	INTEGER (0..4294967295) OPTIONAL,	-- maximum ticket lifetime; units not defined here
147	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,	-- maximum renewable lifetime; units not defined here
148	flags[10]	HDBFlags,				-- policy bits, see HDBFlags
149	etypes[11]	SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,	-- presumably permitted enctypes; confirm
150	generation[12]	GENERATION OPTIONAL,			-- see GENERATION
151        extensions[13]  HDB-extensions OPTIONAL,		-- tagged extension records
152	acl-rights[13]	INTEGER (0..4294967295) OPTIONAL	-- meaning not defined here; see tag note above
153}
154
-- hdb_entry_alias: a record stored under an alias name, presumably
-- holding the canonical principal it refers to. The [APPLICATION 0] tag
-- is the only application tag in this module, presumably so a stored
-- record can be told apart from an hdb_entry; confirm in the hdb backend.
155hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
156	principal[0]	Principal  OPTIONAL	-- the principal this alias maps to
157}
158
159END
160