Fredrik Thulin <fredrik(a)yubico.com> wrote
Thu, 14 Apr 2011 21:25:24 +0200:
| On Thu, Apr 14, 2011 at 9:00 PM, Sumit Bose <sbose(a)redhat.com> wrote:
| ...
| > Yes, you can also find it in the MIT source in
| > src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema. The krbExtraData
| > attribute is used to store the Yubikey token id for the principal. It
| > is encoded so not easy to edit. I will add a utility to the rpm and web
| > site to make this easy.
|
| I ran into the same dilemma when implementing a MultiFactor
| authentication handler for Shibboleth. Ended up mapping usernames <->
| YubiKey public ids in a plain text file as a proof of concept only.
That's what I'll end up doing if this turns out to be too inconvenient a way
of configuring various principal attributes. For testing stuff.
But let me first understand how krbExtraData ends up in
krb5_db_entry->tl_data. From populate_krb5_db_entry()
[plugins/kdb/ldap/libkdb_ldap/ldap_misc.c] it looks like it's a sequence
of BER encoded TLVs. If so, I should probably just find out how to
craft these in a reasonably convenient way.
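As an added illustration of the "sequence of BER encoded TLVs" idea above (example code, not from the thread or from MIT krb5): a minimal definite-length BER TLV encoder and decoder, so that such a blob can be crafted and inspected before it is written into an LDAP attribute. The tags, the sample YubiKey public id and the principal name are constructed here; whether krbExtraData really uses this layout is an assumption to check against ldap_misc.c.

```python
# Added example: definite-length BER TLV helpers (single-byte tags).
# Assumption: krbExtraData is a plain concatenation of such TLVs, as the
# message above speculates; verify against plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.

TAG_YUBIKEY_ID = 0x04   # constructed: OCTET STRING carrying the public id
TAG_PRINCIPAL = 0x1A    # constructed: VisibleString carrying the principal


def ber_encode_length(n):
    """Short form for n < 128, long form (0x8N + N big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag, value):
    return bytes([tag]) + ber_encode_length(len(value)) + value


def decode_tlvs(data):
    """Parse a concatenation of TLVs into (tag, value) pairs; raise on malformed input."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated length")
        first = data[i]
        i += 1
        if first < 0x80:
            length = first
        elif first == 0x80:
            raise ValueError("indefinite length not allowed in this format")
        else:
            nbytes = first & 0x7F
            if i + nbytes > len(data):
                raise ValueError("truncated long-form length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > len(data):
            raise ValueError("truncated value")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def is_well_formed(data):
    """True if the whole blob parses as TLVs, False otherwise (for a sanity check before writing it to LDAP)."""
    try:
        decode_tlvs(data)
        return True
    except ValueError:
        return False


# Constructed sample blob: a YubiKey public id plus a principal name.
SAMPLE = encode_tlv(TAG_YUBIKEY_ID, b"ccccccbcgujh") + encode_tlv(TAG_PRINCIPAL, b"alice@EXAMPLE.COM")
```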