Hi, Directory developers,

Work in the kerberos-encryption-types branch has now stabilized. I'll be doing more interop testing over the next week and I can think of some minor refactoring and other enhancements, but everything is pretty much working. I just checked in a server.xml in server-main in the branch that shows how to enable Kerberos and Change Password, how to enable the encryption types, and where the KeyDerivationService interceptor needs to be inserted. So ...
1) The branch now supports the following encryption types:

   aes256-cts-hmac-sha1-96
   aes128-cts-hmac-sha1-96
   des3-cbc-sha1-kd
   des-cbc-md5
   des-cbc-crc

   This addresses JIRA issues:

   (DIRSERVER-141) Add DES3-CBC-SHA1-KD encryption system
   (DIRSERVER-142) Add support for AES encryption types
   (DIRSERVER-153) Make encryption system selection configurable

2) We now support automatic centralized key generation for Kerberos principals, using a KeyDerivationService interceptor. This interceptor will produce the following key types:

   DES
   DES3
   AES128
   AES256
   RC4-HMAC

   This addresses JIRA issue:

   (DIRSERVER-897) Support automatic centralized key generation for Kerberos principals

With the "key derivation" interceptor inserted in the service chain, changes to the 'userPassword' attribute now result in automatic key derivation or generation for Kerberos principals. If the special keyword 'randomKey' is used, the principal receives random keys. The interceptor works great whether the 'userPassword' is changed over the LDAP protocol, by the ChangePassword protocol, or by LDIF load. This is a testament to the interceptor service chain in the core. The interceptor will make working with Kerberos principals much easier.

Enrique
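As an added illustration of what the key derivation described above involves for the two AES enctypes (this is example code, not code from the post or from the ApacheDS KeyDerivationService), the following Go program implements the RFC 3962 string-to-key function: PBKDF2-HMAC-SHA1 over the password and salt, followed by the RFC 3961 DK step with the constant "kerberos". The n-fold and PBKDF2 helpers are written out so that only the Go standard library is needed. The principal hnelson@EXAMPLE.COM and the password "secret" are constructed for the example and are not taken from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// nfold (RFC 3961 section 5.1): repeat the input, each copy rotated 13 bits further
// right, up to lcm(len(in), outLen) bytes, then add the outLen-byte chunks using
// ones-complement addition (end-around carry).
func nfold(in []byte, outLen int) []byte {
	n := len(in)
	lcm := outLen
	for lcm%n != 0 {
		lcm += outLen
	}
	buf := make([]byte, lcm)
	for k := 0; k*n < lcm; k++ { // copy k is the input rotated right by 13*k bits
		byteShift, bitShift := (13*k/8)%n, uint(13*k%8)
		for i := 0; i < n; i++ {
			lo, hi := in[((i-byteShift)%n+n)%n], in[((i-byteShift-1)%n+n)%n]
			buf[k*n+i] = lo>>bitShift | hi<<(8-bitShift)
		}
	}
	out := make([]byte, outLen)
	for off := 0; off < lcm; off += outLen {
		carry := 0
		for i := outLen - 1; i >= 0; i-- {
			sum := int(out[i]) + int(buf[off+i]) + carry
			out[i], carry = byte(sum), sum>>8
		}
		for i := outLen - 1; carry != 0 && i >= 0; i-- { // end-around carry
			sum := int(out[i]) + carry
			out[i], carry = byte(sum), sum>>8
		}
	}
	return out
}

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, written out to stay stdlib-only.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for blk := uint32(1); len(out) < keyLen; blk++ {
		prf.Reset()
		prf.Write(salt)
		binary.Write(prf, binary.BigEndian, blk)
		u := prf.Sum(nil)
		t := u // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey is DK(key, constant) of RFC 3961 as the AES enctypes use it: n-fold the
// constant to one block, encrypt it under a zero IV, then chain K(i+1) = E(K(i)).
func deriveKey(key, constant []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	prev := nfold(constant, aes.BlockSize)
	out := make([]byte, 0, len(key))
	for len(out) < len(key) {
		next := make([]byte, aes.BlockSize)
		c.Encrypt(next, prev) // a single block under a zero IV is plain AES
		out, prev = append(out, next...), next
	}
	return out[:len(key)], nil
}

// aesStringToKey is the RFC 3962 string-to-key: keyLen 16 yields an
// aes128-cts-hmac-sha1-96 key, 32 an aes256-cts-hmac-sha1-96 key.
func aesStringToKey(password, salt string, iterations, keyLen int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen)
	return deriveKey(tkey, []byte("kerberos"))
}

func main() {
	// Constructed principal hnelson@EXAMPLE.COM with password "secret" (not from the
	// post); the RFC 3961 default salt is the realm followed by the name components.
	key, err := aesStringToKey("secret", "EXAMPLE.COMhnelson", 4096, 32) // 4096: RFC 3962 default
	if err != nil {
		panic(err)
	}
	fmt.Println("aes256-cts-hmac-sha1-96 key:", hex.EncodeToString(key))
}
```

Two things worth keeping in mind when wiring this up: the salt is part of the key, so the KDC and any client that performs its own string-to-key must agree on it (the default is the realm followed by the principal's name components, as in the example); and the DES and RC4-HMAC key types in the list above do not come from this function (DES uses the string-to-key of RFC 3961 section 6.2, and RC4-HMAC uses the unsalted MD4 of the UTF-16LE password). A password-derived key is only as strong as the password, which is the case for using 'randomKey' on service principals.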
