phpLDAPadmin
Kerberos Attribute parsing
I have my Kerberos data in my DIT, and would like to be able to see/set the attributes on an object in a more user-friendly way. When I set an attribute in kadmin, the krbTicketFlags are updated. Below, each attribute is listed, with the numerical value reflected by the krbTicketFlags field when set. The value only shows up when the non-default value is set. The numerical value set is listed next to the non-default value.
For example, with no attributes set, adding the "allow_postdated" attribute (modprinc +allow_postdated
With no attributes set, removing the "allow_postdated" attribute (modprinc -allow_postdated
Is it possible to have phpLDAPadmin display the attributes set on a Kerberos object in a more user-friendly way? The krbTicketFlags attribute type is a child of the krbTicketPolicyAux object class in the krb5-server-ldap schema.
modprinc +allow_postdated
modprinc +allow_forwardable
modprinc +allow_tgs_req
modprinc +allow_renewable
modprinc +allow_proxiable
modprinc +allow_dup_skey
modprinc +allow_tix
modprinc +requires_preauth
modprinc +requires_hwauth
modprinc +needchange
modprinc +allow_svr
modprinc +password_changing_service
modprinc +ok_as_delegate
modprinc +ok_to_auth_as_delegate
modprinc +no_auth_data_required
modprinc +lockdown_keys
Notes that I found in the schema file...
The krbTicketFlags attribute holds information about the kerberos flags for a principal
The values (0x00000001 - 0x00800000) are reserved for standards and
values (0x01000000 - 0x80000000) can be used for proprietary extensions.
The flags and values as per RFC 4120 and MIT implementation are,
DISALLOW_POSTDATED 0x00000001
DISALLOW_FORWARDABLE 0x00000002
DISALLOW_TGT_BASED 0x00000004
DISALLOW_RENEWABLE 0x00000008
DISALLOW_PROXIABLE 0x00000010
DISALLOW_DUP_SKEY 0x00000020
DISALLOW_ALL_TIX 0x00000040
REQUIRES_PRE_AUTH 0x00000080
REQUIRES_HW_AUTH 0x00000100
REQUIRES_PWCHANGE 0x00000200
DISALLOW_SVR 0x00001000
PWCHANGE_SERVICE 0x00002000
If you can provide an LDIF with an example of what is stored in LDAP, and what you are hoping is displayed with PLA, I'll look at implementing this in v2.
The LDIF example:
krbextradata:: blahblahblah
krbextradata:: blahblah
krbextradata:: blah
krblastfailedauth: 20230214150806Z
krblastpwdchange: 20161127174314Z
krblastsuccessfulauth: 20230303125823Z
krbloginfailedcount: 0
krbmaxrenewableage: 604800
krbmaxticketlife: 86400
krbobjectreferences: uid=brendan,ou=domainUsers,ou=Users,dc=bpk2,dc=com
krbpasswordexpiration: 19700101000000Z
krbprincipalkey:: SooperSekretString
krbprincipalname: [email protected]
krbpwdpolicyreference: cn=AccountLockout,cn=BPK2.COM,dc=bpk2,dc=com
krbticketflags: 4224
objectclass: krbPrincipal
objectclass: krbPrincipalAux
objectclass: krbTicketPolicyAux
objectclass: top
kadmin output for "getprinc brendan":
Principal: [email protected]
Expiration date: [never]
Last password change: Sun Nov 27 12:43:14 EST 2016
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jan 18 09:07:05 EST 2021 (root/[email protected])
Last successful authentication: Fri Mar 03 07:58:23 EST 2023
Last failed authentication: Tue Feb 14 10:08:06 EST 2023
Failed password attempts: 0
Number of keys: 1
Key: vno 11, aes256-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: AccountLockout
The value of krbTicketFlags, 4224, is the sum of 128 + 4096. Those values match the attributes REQUIRES_PRE_AUTH and DISALLOW_SVR. It would be nice if the attributes were listed instead of the numerical value. Further, if the attributes could be modified or selected, in order to edit the values and administer the principal via phpLDAPadmin, then I would not need to use kadmin from the command line for these settings.
Sorry for the code blob. I thought the code tags would leave the formatting in place and display better.
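The decoding the thread is asking for, written out as an added example (this is not phpLDAPadmin code and not from the thread's participants): it reads krbTicketFlags out of an LDIF attribute dump, expands the integer into the flag names kadmin prints on its "Attributes:" line, and applies kadmin-style "+attr"/"-attr" edits back to the integer. The bit values up to 0x2000 are the ones quoted from the schema file above; the values for the remaining kadmin attributes in the modprinc list (ok_as_delegate and friends) are the corresponding KRB5_KDB_* constants from MIT krb5's kdb.h, not from the schema excerpt. The LDIF text is constructed from the entry posted above, trimmed to the attributes the example needs. The one subtlety worth noting is that "+allow_*" in kadmin clears a DISALLOW_* bit, whereas "+requires_preauth" sets a bit, so the sign has to be inverted per attribute.

```python
"""Decode and edit the krbTicketFlags attribute of an MIT Kerberos principal
stored in LDAP (krb5-server-ldap schema).

Added example for the phpLDAPadmin thread; not project code.
"""
import base64
import re

# Bit value -> name as kadmin's "Attributes:" line prints it.
# Values up to 0x2000 are those quoted from the schema file in the thread.
KRB_TICKET_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
    # The following come from MIT krb5 kdb.h (KRB5_KDB_*), not from the
    # schema excerpt quoted in the thread.
    0x00004000: "SUPPORT_DESMD5",
    0x00008000: "NEW_PRINC",
    0x00100000: "OK_AS_DELEGATE",
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",
    0x00400000: "NO_AUTH_DATA_REQUIRED",
    0x00800000: "LOCKDOWN_KEYS",
}

# kadmin modprinc attribute -> (bit, whether "+attr" SETS the bit).
# "+allow_x" clears DISALLOW_x, so "+" means "bit off" for the allow_* family.
KADMIN_ATTRS = {
    "allow_postdated": (0x00000001, False),
    "allow_forwardable": (0x00000002, False),
    "allow_tgs_req": (0x00000004, False),
    "allow_renewable": (0x00000008, False),
    "allow_proxiable": (0x00000010, False),
    "allow_dup_skey": (0x00000020, False),
    "allow_tix": (0x00000040, False),
    "requires_preauth": (0x00000080, True),
    "requires_hwauth": (0x00000100, True),
    "needchange": (0x00000200, True),
    "allow_svr": (0x00001000, False),
    "password_changing_service": (0x00002000, True),
    "ok_as_delegate": (0x00100000, True),
    "ok_to_auth_as_delegate": (0x00200000, True),
    "no_auth_data_required": (0x00400000, True),
    "lockdown_keys": (0x00800000, True),
}

# Constructed from the entry in the thread; secrets and timestamps omitted.
SAMPLE_LDIF = """\
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbTicketFlags: 4224
"""


def ldif_attr_int(ldif: str, attr: str) -> int:
    """Integer value of a single-valued attribute in an LDIF attribute dump.
    Attribute names are case-insensitive in LDAP, so the match is too.
    A '::' line carries a base64 value and is decoded. KeyError if absent."""
    pat = re.compile(r"^" + re.escape(attr) + r":(:?)[ \t]*(\S+)[ \t]*$",
                     re.IGNORECASE | re.MULTILINE)
    m = pat.search(ldif)
    if m is None:
        raise KeyError(attr)
    raw = m.group(2)
    if m.group(1) == ":":
        raw = base64.b64decode(raw).decode("ascii")
    return int(raw)


def decode_ticket_flags(value: int) -> list:
    """Expand a krbTicketFlags integer into flag names, lowest bit first.
    Bits the table does not know (e.g. the proprietary range 0x01000000 and
    up) are reported as hex so nothing is silently dropped."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"krbTicketFlags out of 32-bit range: {value}")
    return [KRB_TICKET_FLAGS.get(1 << s, f"0x{1 << s:08x}")
            for s in range(32) if value & (1 << s)]


def encode_ticket_flags(names) -> int:
    """Inverse of decode_ticket_flags for known names (KeyError otherwise)."""
    by_name = {n: b for b, n in KRB_TICKET_FLAGS.items()}
    value = 0
    for n in names:
        value |= by_name[n]
    return value


def apply_modprinc(value: int, *specs: str) -> int:
    """Apply kadmin-style edits ('+allow_svr', '-requires_preauth', ...) to a
    krbTicketFlags value and return the new value to write back to LDAP."""
    for spec in specs:
        if not spec or spec[0] not in "+-":
            raise ValueError(f"expected +attr or -attr, got {spec!r}")
        sign, name = spec[0], spec[1:]
        if name not in KADMIN_ATTRS:
            raise ValueError(f"unknown kadmin attribute {name!r}")
        bit, set_on_plus = KADMIN_ATTRS[name]
        want_set = set_on_plus if sign == "+" else not set_on_plus
        value = (value | bit) if want_set else (value & ~bit)
    return value


if __name__ == "__main__":
    flags = ldif_attr_int(SAMPLE_LDIF, "krbTicketFlags")
    print("Attributes:", " ".join(decode_ticket_flags(flags)))
    print("after +allow_svr:", apply_modprinc(flags, "+allow_svr"))
```

Running it against the constructed entry prints "Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR", matching the getprinc output above, and "+allow_svr" drops the value from 4224 to 128. A UI that edits the field should round-trip through encode_ticket_flags only for bits it knows and preserve unknown bits untouched, which is why the decoder reports them rather than discarding them.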