-- $Id$
-- HDB: schema for principal entries in the Kerberos KDC database.
-- Entries are encoded from these types, so context tag numbers and field
-- order are part of the stored format: change them only together with
-- HDB_DB_FORMAT below.
HDB DEFINITIONS ::=
BEGIN

IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
                            -- update when making changes

-- these must have the same value as the pa-* counterparts
-- (presumably the values carried in Salt.type below; verify against
-- the krb5 module)
hdb-pw-salt INTEGER ::= 3
hdb-afs3-salt INTEGER ::= 10

-- Salt used when deriving a Key from a password.
Salt ::= SEQUENCE {
        type[0]         INTEGER (0..4294967295), -- salt type discriminator
        salt[1]         OCTET STRING,            -- salt bytes
        opaque[2]       OCTET STRING OPTIONAL    -- extra, type-specific data
}

-- One long-term key of a principal.
Key ::= SEQUENCE {
        mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number
                                                          -- NOTE(review): presumably present only when key
                                                          -- is wrapped under that master key; confirm in the
                                                          -- library code
        key[1]          EncryptionKey,
        salt[2]         Salt OPTIONAL            -- absent: default salt for the principal
}

-- Who did something, and when (used for created-by / modified-by).
Event ::= SEQUENCE {
        time[0]         KerberosTime,
        principal[1]    Principal OPTIONAL       -- acting principal, if known
}

-- Per-entry policy bits.  Not OPTIONAL in hdb_entry, so every entry
-- carries a value; bit numbers are part of the stored format.
HDBFlags ::= BIT STRING {
        initial(0),                     -- require as-req
        forwardable(1),                 -- may issue forwardable
        proxiable(2),                   -- may issue proxiable
        renewable(3),                   -- may issue renewable
        postdate(4),                    -- may issue postdatable
        server(5),                      -- may be server
        client(6),                      -- may be client
        invalid(7),                     -- entry is invalid
        require-preauth(8),             -- must use preauth
        change-pw(9),                   -- change password service
        require-hwauth(10),             -- must use hwauth
        ok-as-delegate(11),             -- as in TicketFlags
        user-to-user(12),               -- may use user-to-user auth
        immutable(13),                  -- may not be deleted
        trusted-for-delegation(14),     -- Trusted to print forwardable tickets
        allow-kerberos4(15),            -- Allow Kerberos 4 requests
        allow-digest(16),               -- Allow digest requests
        locked-out(17)                  -- Account is locked out,
                                        -- authentication will be denied
}

-- Change counter for an entry: wall-clock timestamp plus a generation number.
GENERATION ::= SEQUENCE {
        time[0]         KerberosTime,            -- timestamp
        usec[1]         INTEGER (0..4294967295), -- microseconds
        gen[2]          INTEGER (0..4294967295)  -- generation number
}

-- PKINIT: list of certificate name constraints accepted for this principal.
-- Each element is one acceptable (subject, issuer, anchor) combination;
-- exact matching semantics are defined by the consumer, not here.
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
        subject[0]      UTF8String,
        issuer[1]       UTF8String OPTIONAL,
        anchor[2]       UTF8String OPTIONAL
}

-- PKINIT: list of certificate digests, each tagged with the digest algorithm.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
        digest-type[0]  OBJECT IDENTIFIER,
        digest[1]       OCTET STRING
}

-- PKINIT: list of whole certificates (raw encoding) bound to this principal.
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
        cert[0]         OCTET STRING
}

-- Principals this entry is allowed to delegate to (see
-- allowed-to-delegate-to in HDB-extension).
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA

-- Legacy LAN Manager one-way-function hash.  Weak by modern standards;
-- its presence in an entry widens what an attacker gains from a database
-- compromise, so only store it where required.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

-- The principal's password itself, as opposed to keys derived from it.
-- The password field is untagged (universal OCTET STRING), which is
-- distinct from context tag [0], so decoding stays unambiguous.
HDB-Ext-Password ::= SEQUENCE {
        mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number
                                                          -- NOTE(review): presumably the password is
                                                          -- wrapped under that master key when present;
                                                          -- confirm in the library code
        password        OCTET STRING
}

-- Alternative names for the entry.
HDB-Ext-Aliases ::= SEQUENCE {
        case-insensitive[0]     BOOLEAN, -- case insensitive name allowed
        aliases[1]              SEQUENCE OF Principal -- all names, inc primary
}

-- One extension record.  Both the SEQUENCE and the CHOICE are extensible
-- ("..."), so a decoder may meet alternatives it does not know: the
-- mandatory flag decides whether such an entry may still be used.
-- Alternative [3] is reserved by the commented-out referral-info; do not
-- reuse that tag number.
HDB-extension ::= SEQUENCE {
        mandatory[0]    BOOLEAN, -- kdc MUST understand this extension,
                                 -- if not the whole entry must
                                 -- be rejected
        data[1]         CHOICE {
                pkinit-acl[0]                   HDB-Ext-PKINIT-acl,
                pkinit-cert-hash[1]             HDB-Ext-PKINIT-hash,
                allowed-to-delegate-to[2]       HDB-Ext-Constrained-delegation-acl,
--              referral-info[3]                HDB-Ext-Referrals,
                lm-owf[4]                       HDB-Ext-Lan-Manager-OWF,
                password[5]                     HDB-Ext-Password,
                aliases[6]                      HDB-Ext-Aliases,
                last-pw-change[7]               KerberosTime,
                pkinit-cert[8]                  HDB-Ext-PKINIT-cert,
                ...
        },
        ...
}

HDB-extensions ::= SEQUENCE OF HDB-extension

-- A versioned set of keys.  Note the context tags are intentionally not in
-- field order (kvno is [1], keys is [0]); keep them as-is.
hdb_keyset ::= SEQUENCE {
        kvno[1]         INTEGER (0..4294967295),
        keys[0]         SEQUENCE OF Key
}

-- A principal entry.  Lifetime/expiry fields are OPTIONAL; absent means
-- no limit is recorded here.
hdb_entry ::= SEQUENCE {
        principal[0]    Principal OPTIONAL, -- this is optional only
                                            -- for compatibility with libkrb5
        kvno[1]         INTEGER (0..4294967295), -- current key version number
        keys[2]         SEQUENCE OF Key,         -- keys for kvno
        created-by[3]   Event,
        modified-by[4]  Event OPTIONAL,
        valid-start[5]  KerberosTime OPTIONAL,   -- entry not usable before
        valid-end[6]    KerberosTime OPTIONAL,   -- entry not usable after
        pw-end[7]       KerberosTime OPTIONAL,   -- password expiry
        max-life[8]     INTEGER (0..4294967295) OPTIONAL,  -- max ticket life
        max-renew[9]    INTEGER (0..4294967295) OPTIONAL,  -- max renewable life
        flags[10]       HDBFlags,                -- always present
        etypes[11]      SEQUENCE OF INTEGER (0..4294967295) OPTIONAL, -- permitted enctypes
        generation[12]  GENERATION OPTIONAL,
        extensions[13]  HDB-extensions OPTIONAL
}

-- An alias record.  The [APPLICATION 0] tag is what lets a decoder tell
-- an alias record apart from an hdb_entry, which carries no application tag.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
        principal[0]    Principal OPTIONAL       -- the principal this alias points to
}

END