1-- Id
-- HDB: ASN.1 description of the Kerberos KDC database ("hdb") record format.
-- Everything in this module is stored on disk, so tags, bit positions and
-- field order below are part of the persistent format; additions go at the
-- extension markers ("...") or at unused tag/bit numbers, never by renumbering.
HDB DEFINITIONS ::=
BEGIN
4
5IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
6
-- Version number of the database encoding defined in this module.
-- Bump it whenever a change below alters how existing entries decode;
-- readers presumably compare it on open to refuse or convert foreign data
-- (confirm in the database backend).
HDB_DB_FORMAT INTEGER ::= 2   -- format of database,
                                        -- update when making changes
9
-- Salt-type discriminators for 'Salt.type'.
-- These must have the same value as the pa-* counterparts (the PA-DATA
-- salt types), presumably because the stored type is handed to clients
-- unchanged during pre-authentication -- confirm against the KDC code.
hdb-pw-salt         INTEGER   ::= 3
hdb-afs3-salt       INTEGER   ::= 10
13
-- Salt information kept next to a stored 'Key' for keys that were
-- derived from a password (see the hdb-*-salt constants above).
Salt ::= SEQUENCE {
          type[0]             INTEGER (0..4294967295),   -- hdb-pw-salt, hdb-afs3-salt, ...
          salt[1]             OCTET STRING,              -- raw salt bytes
          opaque[2] OCTET STRING OPTIONAL                -- extra data; its meaning is not fixed by this module
}
19
-- One long-term key of a principal.
Key ::= SEQUENCE {
          mkvno[0]  INTEGER (0..4294967295) OPTIONAL, -- master key version number;
                                                      -- NOTE(review): presence presumably means 'key'
                                                      -- is encrypted under that master key, absence
                                                      -- that it is stored in the clear -- confirm in reader
          key[1]              EncryptionKey,          -- enctype and key material (from krb5)
          salt[2]             Salt OPTIONAL           -- only for password-derived keys
}
25
-- Audit stamp: when, and by which principal, an entry was created or
-- modified (see 'created-by' / 'modified-by' in 'hdb_entry').
Event ::= SEQUENCE {
          time[0]             KerberosTime,
          principal[1]        Principal OPTIONAL   -- absent when the actor is unknown or not a principal
}
30
-- Per-entry policy bits. Bit positions are persisted, so never renumber an
-- existing bit; bits 19-30 are currently unassigned. Several of these gate
-- authentication outright (invalid, locked-out, require-preauth,
-- require-hwauth), so a change in their interpretation is a security change.
HDBFlags ::= BIT STRING {
          initial(0),                             -- require as-req (no TGT-based issuance)
          forwardable(1),                         -- may issue forwardable
          proxiable(2),                           -- may issue proxiable
          renewable(3),                           -- may issue renewable
          postdate(4),                            -- may issue postdatable
          server(5),                              -- may be server
          client(6),                              -- may be client
          invalid(7),                             -- entry is invalid
          require-preauth(8),           -- must use preauth
          change-pw(9),                           -- change password service
          require-hwauth(10),           -- must use hwauth
          ok-as-delegate(11),           -- as in TicketFlags
          user-to-user(12),             -- may use user-to-user auth
          immutable(13),                          -- may not be deleted
          trusted-for-delegation(14),   -- trusted to issue forwardable tickets
          allow-kerberos4(15),                    -- Allow Kerberos 4 requests
          allow-digest(16),             -- Allow digest requests
          locked-out(17),                         -- Account is locked out,
                                                  -- authentication will be denied
          require-pwchange(18),                   -- require a passwd change
          do-not-store(31)              -- Not to be modified and stored in HDB
}
54
-- Change marker for an entry: a timestamp with sub-second resolution plus a
-- counter. Presumably used to order or detect concurrent updates to the
-- same entry -- confirm with the code that maintains it.
GENERATION ::= SEQUENCE {
          time[0]             KerberosTime,                           -- timestamp
          usec[1]             INTEGER (0..4294967295),      -- microseconds
          gen[2]              INTEGER (0..4294967295)                 -- generation number
}
60
-- PKINIT client-certificate ACL: each element names an acceptable certificate
-- subject, optionally narrowed to an issuer and a trust anchor. An element
-- that gives only 'subject' presumably matches that subject under any trusted
-- issuer -- confirm in the PKINIT matcher before relying on it for policy.
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
          subject[0]          UTF8String,
          issuer[1] UTF8String OPTIONAL,
          anchor[2] UTF8String OPTIONAL
}
66
-- PKINIT certificate pinning by digest: the hash algorithm (OID) and the
-- digest value of an accepted client certificate.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
          digest-type[0] OBJECT IDENTIFIER,   -- hash algorithm OID
          digest[1] OCTET STRING              -- digest bytes; length follows the algorithm
}
71
-- PKINIT certificate pinning by whole certificate. The encoding of 'cert'
-- (presumably DER) is not fixed by this module -- confirm with the reader.
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
          cert[0] OCTET STRING
}
75
-- Constrained-delegation target list: the service principals this entry is
-- permitted to delegate to (used as 'allowed-to-delegate-to' in 'HDB-extension').
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
77
78-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
79
-- Legacy LAN Manager one-way function (password hash) for the principal.
-- LM hashes are a weak, unsalted representation of the password, so keeping
-- this extension increases what an attacker gains from a database compromise;
-- no length constraint is imposed here.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
81
-- Stored password bytes. As with 'Key', an 'mkvno' presumably means the
-- bytes are encrypted under that master key version, and its absence that
-- they are held in the clear -- confirm in the reader/writer. Note that
-- 'password' carries no context tag (universal OCTET STRING tag); it is
-- still distinguishable from mkvno[0], and must stay this way for
-- compatibility with existing databases.
HDB-Ext-Password ::= SEQUENCE {
          mkvno[0]  INTEGER (0..4294967295) OPTIONAL, -- master key version number
          password  OCTET STRING
}
86
-- Alternative names for an entry. The list includes the primary name.
HDB-Ext-Aliases ::= SEQUENCE {
          case-insensitive[0] BOOLEAN, -- case insensitive name allowed
          aliases[1]                    SEQUENCE OF Principal -- all names, inc primary
}
91
-- The keys of one key set (normally one 'Key' per enctype).
Keys ::= SEQUENCE OF Key
93
-- A key set tied to a key version number; used to retain historical keys
-- ('hist-keys' in 'HDB-extension'). Extensible.
hdb_keyset ::= SEQUENCE {
          kvno[0]             INTEGER (0..4294967295),
          keys[1]             Keys,
          set-time[2]         KerberosTime OPTIONAL,        -- time this keyset was created/set
          ...
}
100
-- Collection of old key sets kept after a key change.
HDB-Ext-KeySet ::= SEQUENCE OF hdb_keyset
102
103
-- One optional attribute of an entry. 'mandatory' makes unknown extensions
-- fail closed: a KDC that does not understand a mandatory extension must
-- reject the whole entry rather than serve it with the extension ignored.
-- CHOICE tags are persisted; tag 3 is reserved by the commented-out
-- referral-info alternative and should not be reused.
HDB-extension ::= SEQUENCE {
        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
                                        --   if not the whole entry must
                                        --   be rejected
        data[1]          CHOICE {
                  pkinit-acl[0]                             HDB-Ext-PKINIT-acl,
                  pkinit-cert-hash[1]             HDB-Ext-PKINIT-hash,
                    allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
--                  referral-info[3]              HDB-Ext-Referrals,
                    lm-owf[4]                     HDB-Ext-Lan-Manager-OWF,   -- legacy, weak hash
                    password[5]                             HDB-Ext-Password,
                    aliases[6]                              HDB-Ext-Aliases,
                    last-pw-change[7]             KerberosTime,
                  pkinit-cert[8]                  HDB-Ext-PKINIT-cert,
                  hist-keys[9]                              HDB-Ext-KeySet,      -- previous key sets
                    hist-kvno-diff-clnt[10]                 INTEGER (0..4294967295),   -- presumably how many kvnos back clients may use -- confirm
                    hist-kvno-diff-svc[11]                  INTEGER (0..4294967295),   -- presumably the same bound for services -- confirm
                  policy[12]                      UTF8String,   -- policy name; semantics not defined here
                    principal-id[13]              INTEGER(-9223372036854775808..9223372036854775807),   -- signed 64-bit id
                    ...
          },
          ...
}
127
-- All extensions attached to an entry.
HDB-extensions ::= SEQUENCE OF HDB-extension
129
-- The database record for one principal. Not extensible with "..."; new
-- attributes go into 'extensions' instead of new fields here.
hdb_entry ::= SEQUENCE {
          principal[0]        Principal  OPTIONAL, -- this is optional only
                                                       -- for compatibility with libkrb5
          kvno[1]             INTEGER (0..4294967295),   -- current key version number
          keys[2]             Keys,                      -- current keys (older ones live in hist-keys)
          created-by[3]       Event,
          modified-by[4]      Event OPTIONAL,
          valid-start[5]      KerberosTime OPTIONAL,     -- entry not usable before this time
          valid-end[6]        KerberosTime OPTIONAL,     -- entry not usable after this time
          pw-end[7] KerberosTime OPTIONAL,               -- password expiry
          max-life[8]         INTEGER (0..4294967295) OPTIONAL,   -- ticket lifetime cap (units not fixed here; presumably seconds)
          max-renew[9]        INTEGER (0..4294967295) OPTIONAL,   -- renewable-lifetime cap (same caveat)
          flags[10] HDBFlags,                            -- see HDBFlags; the only non-optional policy input
          etypes[11]          SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,   -- enctype numbers; semantics (supported vs. permitted) not fixed here
          generation[12]      GENERATION OPTIONAL,
        extensions[13]  HDB-extensions OPTIONAL
}
147
-- Record stored under an alias name, pointing at the canonical principal.
-- It carries an [APPLICATION 0] tag while 'hdb_entry' is an untagged
-- SEQUENCE, so a decoder can tell the two record kinds apart.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
          principal[0]        Principal  OPTIONAL   -- the canonical name this alias resolves to
}
151
152END
153