
  • Original Kerberos password changing service
  • Initial password setting service (RFC 3244)
  • Optional LDAP management
  • UDP and TCP Support (MINA)
  • Traffic throttling (MINA)
  • Overload shielding (MINA)
  • Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi

Configuration

Change Password Property            Default Value                 Description
----------------------------------  ----------------------------  -------------------------------------------------------------
changepw.principal                  kadmin/changepw@EXAMPLE.COM   Principal for this Change Password server
changepw.primary.realm              EXAMPLE.COM                   Primary realm this Change Password service serves
changepw.port                       464                           The port for the Change Password protocol to use
changepw.entry.basedn               ou=Users,dc=example,dc=com    Base DN for looking up users
changepw.encryption.types           des-cbc-md5                   Allowed Kerberos cipher text type(s)
changepw.empty.addresses.allowed    true                          Whether tickets issued with empty Host Addresses are allowed
changepw.allowable.clockskew        5 minutes                     Allowable clock skew for all Change Password transactions
changepw.password.length            6 characters                  Minimum password length
changepw.category.count             3 (out of 4)                  Number of character categories required: (A - Z), (a - z), (0 - 9), non-alphanumeric (!, $, #, %, ...)
changepw.token.size                 3 characters                  Password must not contain tokens larger than 3 characters that occur in the user's principal name.
changepw.buffer.size                1024                          Buffer size for MINA ByteBuffers
java.naming.ldap.attributes.binary  krb5Key
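As an added example (not code from ApacheDS), the three password-policy properties changepw.password.length, changepw.category.count and changepw.token.size can be applied as a standalone check in Python. The page does not say how tokens are derived from the principal name, so splitting the principal on non-alphanumeric characters and comparing case-insensitively are assumptions.

```python
import re

# Defaults taken from the configuration table on this page.
MIN_LENGTH = 6       # changepw.password.length
CATEGORY_COUNT = 3   # changepw.category.count (out of 4)
TOKEN_SIZE = 3       # changepw.token.size


def category_count(password: str) -> int:
    """Count how many of the four character categories the password uses."""
    checks = (
        any(c.isupper() for c in password),       # A - Z
        any(c.islower() for c in password),       # a - z
        any(c.isdigit() for c in password),       # 0 - 9
        any(not c.isalnum() for c in password),   # non-alphanumeric
    )
    return sum(checks)


def principal_tokens(principal: str, token_size: int = TOKEN_SIZE) -> list:
    """Split a principal such as 'hnelson@EXAMPLE.COM' into components and
    keep only those longer than token_size.  Assumption: components are
    separated by any non-alphanumeric character ('@', '.', '/')."""
    parts = re.split(r"[^A-Za-z0-9]+", principal)
    return [p.lower() for p in parts if len(p) > token_size]


def check_password(password: str, principal: str) -> list:
    """Return the list of policy violations; an empty list means the
    password satisfies all three defaults."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(password) < CATEGORY_COUNT:
        violations.append(f"fewer than {CATEGORY_COUNT} of 4 character categories")
    lowered = password.lower()   # assumption: token match is case-insensitive
    for token in principal_tokens(principal):
        if token in lowered:
            violations.append(f"contains principal token '{token}'")
    return violations


if __name__ == "__main__":
    # Constructed sample principal and candidate passwords.
    for candidate in ("secret", "Hnelson#1", "Xy7$qw"):
        print(candidate, check_password(candidate, "hnelson@EXAMPLE.COM"))
```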

Changing Passwords with Windows 2003

...

    C:> Ksetup /domain /changepassword <old-password> <new-password>

Implementation Notes

  • RFC 3244, Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols.
  • UDP frontend on port 464 (KPASSWD).
  • Default principal kadmin/changepw@REALM.tld.
  • Messages carry an AP-REQ, a KRB-PRIV, and its PRIV-BODY.
  • Request-response protocol: one request, one response.
  • The AP-REQ requires an Authenticator with a PRNG-generated subsession key.
  • usec and seq-number are present, with seq-number equal to the seq-number from the Authenticator.
  • New ASN.1 structure, ChangePasswdData SEQUENCE.
  • ChangepwService needs access to the PrincipalStore.
  • Interceptor for policy checks.
  • Eventually needs configurable auto-generation of key types.
  • 9 error types, with an optional (or omitted) UTF-8 result string.

Roadmap

Change Password 0.5 (chain update)

  • split KdcConfig into KdcConfig and ChangepwConfig
  • formatting updates
  • refactor changepw-protocol to chain
  • documentation of the steps in the chain
  • documentation of configuration
  • update MINA to 0.7.3

Change Password 0.5.1 (refactoring)

  • refactor common code to protocol-common
  • update MINA to 0.8

Change Password 0.6 (first stable release)

  • first release as part of ApacheDS 0.9.3

Change Password 0.7 (unstable feature release)