-- $Id$
-- Heimdal KDC database (HDB) entry schema.  Everything in this module is the
-- stored encoding of principal entries, so every tag number and field order
-- is part of the database format: changing either changes what existing
-- databases decode to, which is why HDB_DB_FORMAT is bumped alongside.
HDB DEFINITIONS ::=
BEGIN

IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
                            -- update when making changes

-- these must have the same value as the pa-* counterparts
-- (the pa-pw-salt / pa-afs3-salt padata types); a mismatch would advertise
-- the wrong salt type to clients
hdb-pw-salt INTEGER ::= 3
hdb-afs3-salt INTEGER ::= 10

-- Salt used when deriving a key from a password.
Salt ::= SEQUENCE {
	type[0]   INTEGER (0..4294967295),   -- salt type (see hdb-pw-salt / hdb-afs3-salt)
	salt[1]   OCTET STRING,              -- the salt value itself
	opaque[2] OCTET STRING OPTIONAL      -- extra opaque data; meaning not defined here
}

-- One long-term key of a principal.  Key material is sensitive:
-- anything that serialises a Key serialises the secret.
Key ::= SEQUENCE {
	mkvno[0]  INTEGER (0..4294967295) OPTIONAL, -- master key version number
	                                            -- NOTE(review): presumably names the master key
	                                            -- that protects `key` when present -- confirm in hdb code
	key[1]    EncryptionKey,                    -- the principal's key (secret)
	salt[2]   Salt OPTIONAL                     -- salt used to derive `key`, if not the default (TODO confirm)
}

-- Who did something, and when (used for created-by / modified-by).
Event ::= SEQUENCE {
	time[0]      KerberosTime,
	principal[1] Principal OPTIONAL
}

-- Per-entry policy bits.  Bit positions are part of the stored format;
-- new flags are appended, never renumbered.
HDBFlags ::= BIT STRING {
	initial(0),                 -- require as-req
	forwardable(1),             -- may issue forwardable
	proxiable(2),               -- may issue proxiable
	renewable(3),               -- may issue renewable
	postdate(4),                -- may issue postdatable
	server(5),                  -- may be server
	client(6),                  -- may be client
	invalid(7),                 -- entry is invalid
	require-preauth(8),         -- must use preauth
	change-pw(9),               -- change password service
	require-hwauth(10),         -- must use hwauth
	ok-as-delegate(11),         -- as in TicketFlags
	user-to-user(12),           -- may use user-to-user auth
	immutable(13),              -- may not be deleted
	trusted-for-delegation(14), -- trusted to issue forwardable tickets
	allow-kerberos4(15),        -- allow Kerberos 4 requests (legacy protocol)
	allow-digest(16),           -- allow digest requests
	locked-out(17)              -- account is locked out,
	                            -- authentication will be denied
}

-- Change counter for an entry.
GENERATION ::= SEQUENCE {
	time[0] KerberosTime,              -- timestamp
	usec[1] INTEGER (0..4294967295),   -- microseconds
	gen[2]  INTEGER (0..4294967295)    -- generation number
}

-- PKINIT: certificate name constraints accepted for this principal.
-- NOTE(review): presumably matched against the client certificate's
-- subject / issuer / trust anchor -- confirm against the KDC's PKINIT code.
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
	subject[0] UTF8String,
	issuer[1]  UTF8String OPTIONAL,
	anchor[2]  UTF8String OPTIONAL
}

-- PKINIT: digests of certificates accepted for this principal.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
	digest-type[0] OBJECT IDENTIFIER,  -- hash algorithm used for `digest`
	digest[1]      OCTET STRING
}

-- PKINIT: whole certificates bound to this principal.
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
	cert[0] OCTET STRING   -- encoded certificate (encoding not defined here)
}

-- Constrained delegation: the services this principal may delegate to.
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA

-- LAN Manager one-way function of the password.  A legacy, weak hash:
-- treat it with the same sensitivity as key material.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

-- Stored password for the principal.
-- NOTE(review): whether `password` is plaintext or protected by the master
-- key named in `mkvno` is not defined here -- confirm against hdb code.
-- `password` is deliberately untagged (universal OCTET STRING tag on the
-- wire); existing databases depend on that encoding.
HDB-Ext-Password ::= SEQUENCE {
	mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
	password OCTET STRING
}

-- Alternate names for the entry.
HDB-Ext-Aliases ::= SEQUENCE {
	case-insensitive[0] BOOLEAN,              -- case insensitive name allowed
	aliases[1]          SEQUENCE OF Principal -- all names, inc primary
}


-- One typed extension of an entry.  CHOICE tag [3] belongs to the
-- commented-out referral-info and must not be reused for something else;
-- the `...` marks make both the CHOICE and the SEQUENCE extensible.
HDB-extension ::= SEQUENCE {
	mandatory[0] BOOLEAN, -- kdc MUST understand this extension,
	                      -- if not the whole entry must
	                      -- be rejected
	data[1] CHOICE {
		pkinit-acl[0]             HDB-Ext-PKINIT-acl,
		pkinit-cert-hash[1]       HDB-Ext-PKINIT-hash,
		allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl,
--		referral-info[3]          HDB-Ext-Referrals,
		lm-owf[4]                 HDB-Ext-Lan-Manager-OWF,
		password[5]               HDB-Ext-Password,
		aliases[6]                HDB-Ext-Aliases,
		last-pw-change[7]         KerberosTime,
		pkinit-cert[8]            HDB-Ext-PKINIT-cert,
		...
	},
	...
}

HDB-extensions ::= SEQUENCE OF HDB-extension

-- A key version together with its keys.  The tag numbers are not in field
-- order ([1] before [0]); tags, not position, define the encoding, so do
-- not "fix" the order.
hdb_keyset ::= SEQUENCE {
	kvno[1] INTEGER (0..4294967295),
	keys[0] SEQUENCE OF Key
}

-- A principal's database entry.
hdb_entry ::= SEQUENCE {
	principal[0]   Principal OPTIONAL, -- this is optional only
	                                   -- for compatibility with libkrb5
	kvno[1]        INTEGER (0..4294967295),          -- current key version number
	keys[2]        SEQUENCE OF Key,                  -- current keys (secret material)
	created-by[3]  Event,
	modified-by[4] Event OPTIONAL,
	valid-start[5] KerberosTime OPTIONAL,            -- entry validity window; absent presumably means unbounded
	valid-end[6]   KerberosTime OPTIONAL,
	pw-end[7]      KerberosTime OPTIONAL,            -- password expiry
	max-life[8]    INTEGER (0..4294967295) OPTIONAL, -- limit on ticket life (units not defined here)
	max-renew[9]   INTEGER (0..4294967295) OPTIONAL, -- limit on renewable life
	flags[10]      HDBFlags,
	etypes[11]     SEQUENCE OF INTEGER (0..4294967295) OPTIONAL, -- presumably permitted enctypes -- confirm
	generation[12] GENERATION OPTIONAL,
	extensions[13] HDB-extensions OPTIONAL
}

-- An alias record.  The [APPLICATION 0] tag distinguishes it on decode
-- from an hdb_entry, which is a plain (universal-tagged) SEQUENCE.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
	principal[0] Principal OPTIONAL
}

END