The Kerberos provider for Apache Directory implements RFC 1510, the Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos' true strength is in authenticating users without ever sending their password over the network. Kerberos is designed for use on open (untrusted) networks and, therefore, operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. This chart provides a good description of the protocol workflow.
Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server, and the network service being accessed.
The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the Kerberos provider leverages Apache Directory's MINA for front-end services and the Apache Directory read-optimized backing store via JNDI for persistent directory services.
The Kerberos provider for Apache Directory, in conjunction with MINA and the Apache Directory store, provides an easy-to-use yet fully-featured network authentication service. As implemented within the Apache Directory, the Kerberos provder will provide:
For help with Kerberos client configurations, check out our Interoperability Guide.