
Re: PKINIT - allowed principal format?



On Thu, Oct 03, 2002 at 09:08:56AM -0400, STEWARD, Curtis (Jamestown) wrote:
> I'm new to Heimdal, it's the only opensource Kerberos
> implementation utilizing PKINIT that I know of, thanks.
> Activity looks limited though, what is the status, alternatives, 
> and expected update on PKINIT?
> 
> I've tried later versions of Heimdal with no luck, so I
> assume no version later than 4e (as doc'd :) ) will work 
> with Heimdal, so I've loaded it and OpenSSL 9.6.g onto Redhat 7.3.
> I'm using the pkinit patch right off of pkinit.en.html.
> I can make things function up to the point of kinit'ing with the 
> PKINIT authentication.  I think the problem might be in the
> pki-allowed-principals format.  I'm understanding it should be 
> principal name and cert:
> 
> kdc.conf
> ...
> 
>  pki-certificate = /usr/local/ca/testkeys/cacert.pem
>  pki-private-key = /usr/local/ca/testkeys/cakey.pem
>  pki-ca-dir = /usr/local/ca/certs
>  pki-allowed-principals = {
>    root = /usr/local/ca/testkeys/cacert.pem
>  }

The format of the pki-allowed-principals records is:
  PRINCIPAL = X500_NAME
which means that a client authenticating with the X.500 distinguished name
"X500_NAME" is allowed to get a TGT with client principal "PRINCIPAL". For
example:
pki-allowed-principals = {
                   kouril = /O=CESNET/O=Masaryk University/CN=Daniel Kouril
}

P.S.
I have prepared a port to Heimdal 0.5, which contains many improvements done
mostly by Mario Strasser (client compatibility with Win2k, support of
smartcards etc.) I hope to release it soon.

--
Dan
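As an added example (not part of the original thread and not Heimdal's own code), a small Python sketch that reads a pki-allowed-principals block in the PRINCIPAL = X500_NAME form, maps a client certificate's subject DN to the principal it may obtain a TGT for, and shows why a file path in place of the X.500 name, as in the question above, never matches any client. The kdc.conf text and DNs are constructed samples, and the DN parser assumes the OpenSSL one-line "/attr=value" form.

```python
import re

# Constructed sample kdc.conf fragment. The "root" entry reproduces the
# misconfiguration from the question: a certificate file path instead of
# an X.500 name.
SAMPLE_KDC_CONF = """\
[kdc]
  pki-certificate = /usr/local/ca/testkeys/cacert.pem
  pki-allowed-principals = {
    kouril = /O=CESNET/O=Masaryk University/CN=Daniel Kouril
    root = /usr/local/ca/testkeys/cacert.pem
  }
"""


def parse_allowed_principals(text):
    """Return {principal: value} from the pki-allowed-principals block."""
    m = re.search(r"pki-allowed-principals\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        return {}
    mapping = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        principal, value = (s.strip() for s in line.split("=", 1))
        mapping[principal] = value
    return mapping


def parse_dn(value):
    """Split an OpenSSL one-line DN such as '/O=X/CN=Y' into (attr, value)
    pairs; attribute types are case-insensitive, values compared verbatim.
    Returns None if the value is not a DN (a file path has no attr=value
    components, so it can never match a certificate subject)."""
    if not value.startswith("/"):
        return None
    pairs = []
    for part in filter(None, value.split("/")):
        if "=" not in part:
            return None
        attr, val = part.split("=", 1)
        pairs.append((attr.strip().upper(), val.strip()))
    return tuple(pairs)


def principal_for_subject(mapping, subject_dn):
    """Map a client certificate subject DN to the principal it may get a
    TGT for, or None when no allowed-principals entry matches."""
    want = parse_dn(subject_dn)
    for principal, x500_name in mapping.items():
        allowed = parse_dn(x500_name)
        if allowed is not None and allowed == want:
            return principal
    return None
```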