org.apache.directory.server.core.kerberos

Class KeyDerivationInterceptor

java.lang.Object

org.apache.directory.server.core.api.interceptor.BaseInterceptor

org.apache.directory.server.core.kerberos.KeyDerivationInterceptor

All Implemented Interfaces:

Interceptor

public class KeyDerivationInterceptor
extends BaseInterceptor

An Interceptor that creates symmetric Kerberos keys for users. When a 'userPassword' is added or modified, the 'userPassword' and 'krb5PrincipalName' are used to derive Kerberos keys. If the 'userPassword' is the special keyword 'randomKey', a random key is generated and used as the Kerberos key.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
(package private) static class	KeyDerivationInterceptor.ModifySubContext A ModifyContext used to store the changes made to the original context.

Field Summary

Fields

Modifier and Type	Field and Description
private org.apache.directory.api.ldap.model.schema.AttributeType	krb5KeyAT The krb5Key attribute type
private org.apache.directory.api.ldap.model.schema.AttributeType	krb5KeyVersionNumberAT The krb5KeyVersionNumber attribute type
private org.apache.directory.api.ldap.model.schema.AttributeType	krb5PrincipalNameAT The krb5PrincipalName attribute type
private static org.slf4j.Logger	LOG The log for this class.
private static org.slf4j.Logger	LOG_KRB
private static java.lang.String	NAME The service name.
private org.apache.directory.api.ldap.model.schema.AttributeType	userPasswordAT The userPassword attribute tType

Fields inherited from class org.apache.directory.server.core.api.interceptor.BaseInterceptor

directoryService, dnFactory, PWD_POLICY_STATE_ATTRIBUTE_TYPES, schemaManager

Constructor Summary

Constructors

Constructor and Description
KeyDerivationInterceptor() Creates an instance of a KeyDerivationInterceptor.

Method Summary

Modifier and Type	Method and Description
void	add(AddOperationContext addContext) Intercepts the addition of the 'userPassword' and 'krb5PrincipalName' attributes.
(package private) void	deriveKeys(ModifyOperationContext modContext, KeyDerivationInterceptor.ModifySubContext subContext) Use the 'userPassword' and 'krb5PrincipalName' attributes to derive Kerberos keys for the principal.
private void	detectPasswordModification(ModifyOperationContext modContext, KeyDerivationInterceptor.ModifySubContext subContext) Detect password modification by checking the modify request for the 'userPassword'.
private java.util.Map<EncryptionType,EncryptionKey>	generateKeys(java.lang.String principalName, java.lang.String userPassword) Generate the keys.
private org.apache.directory.api.ldap.model.entry.Attribute	getKeyAttribute(java.util.Map<EncryptionType,EncryptionKey> keys) Create the KRB5_KEY attribute with all the associated keys.
void	init(DirectoryService directoryService) This method does nothing by default.
private void	lookupPrincipalAttributes(ModifyOperationContext modContext, KeyDerivationInterceptor.ModifySubContext subContext) Lookup the principal's attributes that are relevant to executing key derivation.
void	modify(ModifyOperationContext modContext) Intercept the modification of the 'userPassword' attribute.

Methods inherited from class org.apache.directory.server.core.api.interceptor.BaseInterceptor

bind, compare, delete, destroy, getName, getNextInterceptor, getPrincipal, getRootDse, hasEntry, lookup, move, moveAndRename, next, next, next, next, next, next, next, next, next, next, next, next, next, rename, search, unbind

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

private static final org.slf4j.Logger LOG

The log for this class.

LOG_KRB

private static final org.slf4j.Logger LOG_KRB

NAME

private static final java.lang.String NAME

The service name.

See Also:

Constant Field Values

krb5KeyAT

private org.apache.directory.api.ldap.model.schema.AttributeType krb5KeyAT

The krb5Key attribute type

krb5PrincipalNameAT

private org.apache.directory.api.ldap.model.schema.AttributeType krb5PrincipalNameAT

The krb5PrincipalName attribute type

krb5KeyVersionNumberAT

private org.apache.directory.api.ldap.model.schema.AttributeType krb5KeyVersionNumberAT

The krb5KeyVersionNumber attribute type

userPasswordAT

private org.apache.directory.api.ldap.model.schema.AttributeType userPasswordAT

The userPassword attribute tType

Constructor Detail

KeyDerivationInterceptor

public KeyDerivationInterceptor()

Creates an instance of a KeyDerivationInterceptor.

Method Detail

init

public void init(DirectoryService directoryService)
          throws org.apache.directory.api.ldap.model.exception.LdapException

This method does nothing by default.

Specified by:

init in interface Interceptor

Overrides:

init in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

add

public void add(AddOperationContext addContext)
         throws org.apache.directory.api.ldap.model.exception.LdapException

Intercepts the addition of the 'userPassword' and 'krb5PrincipalName' attributes. Uses the 'userPassword' and 'krb5PrincipalName' attributes to derive Kerberos keys for the principal. If the 'userPassword' is the special keyword 'randomKey', set random keys for the principal. Set the key version number (kvno) to '0'.

Specified by:

add in interface Interceptor

Overrides:

add in class BaseInterceptor

Parameters:

addContext - The AddOperationContext instance

Throws:

org.apache.directory.api.ldap.model.exception.LdapException - If we had some error while processing the Add operation

modify

public void modify(ModifyOperationContext modContext)
            throws org.apache.directory.api.ldap.model.exception.LdapException

Intercept the modification of the 'userPassword' attribute. Perform a lookup to check for an existing principal name and key version number (kvno). If a 'krb5PrincipalName' is not in the modify request, attempt to use an existing 'krb5PrincipalName' attribute. If a kvno exists, increment the kvno; otherwise, set the kvno to '0'. If both a 'userPassword' and 'krb5PrincipalName' can be found, use the 'userPassword' and 'krb5PrincipalName' attributes to derive Kerberos keys for the principal. If the 'userPassword' is the special keyword 'randomKey', set random keys for the principal.

Specified by:

modify in interface Interceptor

Overrides:

modify in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

detectPasswordModification

private void detectPasswordModification(ModifyOperationContext modContext,
                                        KeyDerivationInterceptor.ModifySubContext subContext)
                                 throws org.apache.directory.api.ldap.model.exception.LdapException

Detect password modification by checking the modify request for the 'userPassword'. Additionally, check to see if a 'krb5PrincipalName' was provided.

Parameters:

modContext - The original ModifyContext

subContext - The modification container

Throws:

org.apache.directory.api.ldap.model.exception.LdapException - If we get an exception

lookupPrincipalAttributes

private void lookupPrincipalAttributes(ModifyOperationContext modContext,
                                       KeyDerivationInterceptor.ModifySubContext subContext)
                                throws org.apache.directory.api.ldap.model.exception.LdapException

Lookup the principal's attributes that are relevant to executing key derivation.

Parameters:

modContext - The original ModifyContext

subContext - The modification container

Throws:

org.apache.directory.api.ldap.model.exception.LdapException - If we get an exception

deriveKeys

void deriveKeys(ModifyOperationContext modContext,
                KeyDerivationInterceptor.ModifySubContext subContext)
         throws org.apache.directory.api.ldap.model.exception.LdapException

Use the 'userPassword' and 'krb5PrincipalName' attributes to derive Kerberos keys for the principal. If the 'userPassword' is the special keyword 'randomKey', set random keys for the principal.

Parameters:

modContext - The original ModifyContext

subContext - The modification container

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

getKeyAttribute

private org.apache.directory.api.ldap.model.entry.Attribute getKeyAttribute(java.util.Map<EncryptionType,EncryptionKey> keys)
                                                                     throws org.apache.directory.api.ldap.model.exception.LdapException

Create the KRB5_KEY attribute with all the associated keys.

Parameters:

keys - The keys to inject in the attribute

Returns:

The create attribute

Throws:

org.apache.directory.api.ldap.model.exception.LdapException - If we had an error while adding a key in the attribute

generateKeys

private java.util.Map<EncryptionType,EncryptionKey> generateKeys(java.lang.String principalName,
                                                                 java.lang.String userPassword)

Generate the keys.

Parameters:

principalName - The Principal

userPassword - Its password

Returns:

A Map of keys