directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From fel...@apache.org
Subject svn commit: r985841 [2/3] - in /directory/sandbox/felixk/apacheds-docs/src: advanced-user-guide/ advanced-user-guide/data/ advanced-user-guide/images/ main/resources/css/
Date Mon, 16 Aug 2010 09:35:48 GMT
Added: directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml
URL: http://svn.apache.org/viewvc/directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml?rev=985841&view=auto
==============================================================================
--- directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml (added)
+++ directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml Mon Aug 16 09:35:47 2010
@@ -0,0 +1,2988 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file 
+  distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under 
+  the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may 
+  obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to 
+  in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF 
+  ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under 
+  the License. -->
+<chapter
+  version="5.0"
+  xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink"
+  xmlns:xi="http://www.w3.org/2001/XInclude"
+  xmlns:ns5="http://www.w3.org/2000/svg"
+  xmlns:ns4="http://www.w3.org/1998/Math/MathML"
+  xmlns:ns3="http://www.w3.org/1999/xhtml"
+  xml:lang="en">
+  <title>Protocol Providers</title>
+  <section
+    id="Protocol Providers">
+    <title>Protocol Providers</title>
+    <important>
+      <title>Work in progress</title>
+      <para>This site is in the process of being reviewed and updated.</para>
+    </important>
+    <important>
+      <para>You are viewing pre-release documentation that contains changes to configuration that are scheduled for the
+        Apache Directory 1.5.1 release.</para>
+    </important>
+    <section
+      id="Apache Directory Protocol Providers">
+      <title>Apache Directory Protocol Providers</title>
+      <para>The Apache Directory Project's Protocol Providers are Java implementations of standard Internet services.
+        These Protocol Providers, in conjunction with the MINA network layer and the Apache Directory read-optimized
+        backing store, provide easy-to-use yet fully-featured Internet services. As implemented within the Apache
+        Directory, these services benefit from:</para>
+      <itemizedlist>
+        <listitem>
+          <para>Standard directory model and schema support</para>
+        </listitem>
+        <listitem>
+          <para>Standard LDAP data interchange format (LDIF) (RFC 2849)</para>
+        </listitem>
+        <listitem>
+          <para>Optional LDAP management</para>
+        </listitem>
+        <listitem>
+          <para>UDP and TCP Support (MINA)</para>
+        </listitem>
+        <listitem>
+          <para>Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section
+      id="Service Configuration">
+      <title>Service Configuration</title>
+      <para>
+        All protocol providers are configured in a similar manner. Behind the scenes, all protocol provider
+        Configuration beans inherit from the same ServiceConfiguration and, therefore, they share many of the same
+        configuration parameters. For more information on the service configuration common to all protocol providers,
+        please see
+        <xref
+          linkend="Common Parameters for Configuration" />
+        .
+      </para>
+    </section>
+    <section
+      id="Changes from 1.5 to 1.5.1">
+      <title>Changes from 1.5 to 1.5.1</title>
+      <para>
+        Configuration has been revamped for the 1.5.1 release, along with the addition of SASL support in the LDAP
+        protocol. For more information on changes to configuration, please see
+        <xref
+          linkend="Changes to Configuration" />
+      </para>
+    </section>
+    <section
+      id="Protocol Providers table">
+      <title>Protocol Providers</title>
+      <table
+        id="Protocol Providers table 1">
+        <title>Protocol Providers</title>
+        <tgroup
+          cols="3">
+          <thead>
+            <row>
+              <entry>Name</entry>
+              <entry>Configuration</entry>
+              <entry>Description</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>
+                <xref
+                  linkend="LDAP Protocol Provider" />
+              </entry>
+              <entry>
+                <xref
+                  linkend="LDAP Protocol Configuration" />
+              </entry>
+              <entry>
+                A Lightweight Directory Access Protocol (LDAP) implementation based on
+                <link
+                  xlink:href="http://www.faqs.org/rfcs/rfc2251.html">RFC 2251</link>
+                . Apache LDAP provides lightweight access to the Apache Directory backing store.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <xref
+                  linkend="Kerberos Protocol Provider" />
+              </entry>
+              <entry>
+                <xref
+                  linkend="Kerberos Protocol Configuration" />
+              </entry>
+              <entry>
+                A Kerberos implementation based on
+                <link
+                  xlink:href="http://www.faqs.org/rfcs/rfc1510.html">RFC 1510</link>
+                . Apache Kerberos verifies the identities of principals (users or services) on an unprotected network
+                using principal information stored in the Apache Directory backing store.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <xref
+                  linkend="Change Password Protocol Provider" />
+              </entry>
+              <entry>
+                <xref
+                  linkend="Change Password Configuration" />
+              </entry>
+              <entry>
+                A Change Password implementation based on
+                <link
+                  xlink:href="http://www.faqs.org/rfcs/rfc3244.html">RFC 3244</link>
+                . Apache Change Password uses Kerberos infrastructure to allow users to securely set initial passwords
+                or to change existing passwords stored in the Apache Directory backing store.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <xref
+                  linkend="DNS Protocol Provider" />
+              </entry>
+              <entry>
+                <xref
+                  linkend="DNS Protocol Configuration" />
+              </entry>
+              <entry>
+                A Domain Name System (DNS) implementation based on
+                <link
+                  xlink:href="http://www.faqs.org/rfcs/rfc1034.html">RFC 1034</link>
+                . Apache DNS serves host name to address mappings and other resource record types using resource records
+                stored in the Apache Directory backing store.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <xref
+                  linkend="NTP Protocol Provider" />
+              </entry>
+              <entry>
+                <xref
+                  linkend="NTP Protocol Configuration" />
+              </entry>
+              <entry>
+                A Network Time Protocol (NTP) implementation based on
+                <link
+                  xlink:href="http://www.faqs.org/rfcs/rfc2030.html">RFC 2030</link>
+                . Apache NTP supports time synchronization for LDAP replication and the Kerberos protocol, eliminating
+                the need for external infrastructure.
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <xref
+                  linkend="DHCP Protocol Provider" />
+              </entry>
+              <entry>n/a</entry>
+              <entry>
+                A Dynamic Host Configuration Protocol (DHCP) implementation based on
+                <link
+                  xlink:href="http://www.faqs.org/rfcs/rfc2131.html">RFC 2131</link>
+                . Apache DHCP helps configure hosts using configuration information stored in the Apache Directory
+                backing store.
+              </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+    </section>
+  </section>
+  <section
+    id="Common Parameters for Configuration">
+    <title>Common Parameters for Configuration</title>
+    <important>
+      <title>Work in progress</title>
+      <para>This site is in the process of being reviewed and updated.</para>
+    </important>
+    <section
+      id="Changes to Configuration">
+      <title>Changes to Configuration</title>
+      <important>
+        <title>Work in progress</title>
+        <para>This site is in the process of being reviewed and updated.</para>
+      </important>
+      <section
+        id="Changes to LDAP configuration in 1.5.1">
+        <title>Changes to LDAP configuration in 1.5.1</title>
+        <para>LDAP and LDAPS now use separate beans for configuration. The only difference is that the use of SSL is
+          determined by parameter 'enabledLdaps'. Both LDAP and LDAPS must support certificate configuration because
+          LDAP may use Start TLS, while LDAPS has SSL enabled "full time." Both LDAP and LDAPS follow parameter naming
+          conventions with all the other protocol providers. So, the former ldapPort is now ipPort and the former
+          ldapsPort is also now ipPort.</para>
+        <para>Also due to the common configuration used by all protocol providers, individual protocols are no longer
+          enabled in MutableServerStartupConfiguration. Instead, individual services are enabled using the parameter
+          'enabled' on their individual beans.</para>
+      </section>
+      <section
+        id="Changes to the other protocols in 1.5.1">
+        <title>Changes to the other protocols in 1.5.1</title>
+        <para>All protocols except LDAP are disabled by default.</para>
+        <para>The Kerberos protocol provider is no longer configured with a Map of properties. All configuration
+          properties are now available on a bean and configurable using Spring XML.</para>
+        <para>The Change Password protocol provider is no longer configured with a Map of properties. All configuration
+          properties are now available on a bean and configurable using Spring XML.</para>
+        <para>The NTP protocol provider is no longer configured with a Map of properties. All configuration properties
+          are now available on a bean and configurable using Spring XML.</para>
+        <para>DNS has now been enabled in ServerContextFactory. The DNS protocol provider is no longer configured with a
+          Map of properties. All configuration properties are now available on a bean and configurable using Spring XML.
+        </para>
+      </section>
+    </section>
+    <section
+      id="Configuration Parameters Reference">
+      <title>Configuration Parameters Reference</title>
+      <important>
+        <title>Work in progress</title>
+      </important>
+      <para>This page lists all configuration parameters which can be used in conf/server.xml in Version 1.5.1. For a
+        more detailed description look at the corresponding section in the Advanced User's Guide.</para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            <xref
+              linkend="Environment parameters" />
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <xref
+              linkend="Protocol providers configuration parameters" />
+          </para>
+          <itemizedlist
+            mark="opencircle">
+            <listitem>
+              <para>
+                <xref
+                  linkend="Parameters common to all protocol providers" />
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                <xref
+                  linkend="LDAP-Specific Configuration Parameters" />
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                <xref
+                  linkend="Kerberos-Specific Configuration Parameters" />
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                <xref
+                  linkend="Change Password-Specific Configuration Parameters" />
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                <xref
+                  linkend="NTP-Specific configuration parameters" />
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                <xref
+                  linkend="DHCP-Specific configuration parameters" />
+              </para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+        <listitem>
+          <para>
+            <xref
+              linkend="Server Startup Configuration" />
+          </para>
+          <itemizedlist
+            mark="opencircle">
+            <listitem>
+              <para>
+                <xref
+                  linkend="Replication Startup Configuration" />
+              </para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+        <listitem>
+          <para>
+            <xref
+              linkend="Partition Configuration" />
+          </para>
+        </listitem>
+      </itemizedlist>
+      <section
+        id="Environment parameters">
+        <title>Environment parameters</title>
+        <para>
+          Those parameters are loaded in the
+          <emphasis
+            role="bold">org.apache.directory.server.Service.java</emphasis>
+          class, when the server is started, in the init method :
+        </para>
+        <programlisting><![CDATA[
+public void init( InstallationLayout install, String[] args ) throws Exception
+    {
+        ...
+
+        if ( install != null )
+        {
+            log.info( "server: loading settings from ", install.getConfigurationFile() );
+            ...
+            env = ( Properties ) factory.getBean( "environment" );
+        ...
+        ]]></programlisting>
+        <para>They are used everywhere in the server.</para>
+        <para>
+          The "environment" bean is read from the Spring configuration file,
+          <emphasis
+            role="bold">server.xml</emphasis>
+          , shown below :
+        </para>
+        <programlisting><![CDATA[
+<bean id="environment" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+    <property name="properties">
+      <props>
+        <!-- JNDI security properties used to get initial contexts.         -->
+        <prop key="java.naming.security.authentication">simple</prop>
+        <prop key="java.naming.security.principal">uid=admin,ou=system</prop>
+        <prop key="java.naming.security.credentials">secret</prop>
+        <!--
+        <prop key="java.naming.ldap.attributes.binary"></prop>
+        -->
+      </props>
+    </property>
+  </bean>
+        ]]></programlisting>
+        <important>
+          <para>The bean name ("environment") may be renamed to something more explicit, like "serverEnvironment", IMHO
+          </para>
+        </important>
+        <table
+          id="Environment parameters table">
+          <title>Environment parameters</title>
+          <tgroup
+            cols="4">
+            <thead>
+              <row>
+                <entry>Parameter</entry>
+                <entry>Default value</entry>
+                <entry>Description</entry>
+                <entry>Comment</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>java.naming.security.authentication</entry>
+                <entry>simple</entry>
+                <entry>The kind of authentication used for the admin.</entry>
+                <entry>Shouldn't it be SASL now ?</entry>
+              </row>
+              <row>
+                <entry>java.naming.security.principal</entry>
+                <entry>uid=admin,ou=system</entry>
+                <entry>The admin DN</entry>
+                <entry>Can be changed to another DN</entry>
+              </row>
+              <row>
+                <entry>java.naming.security.credentials</entry>
+                <entry>secret</entry>
+                <entry>The principal password</entry>
+                <entry>must be changed at startup!!!</entry>
+              </row>
+              <row>
+                <entry>java.naming.ldap.attributes.binary</entry>
+                <entry>empty</entry>
+                <entry>The list of binary attributes</entry>
+                <entry>
+                  In LDAP, only a few AT are declared as binary.<?linebreak?>
+                  This is were we should describe the other ones
+                </entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </table>
+        <important>
+          <para>The admin password should be changed when the server is started. A good thing would be that the server
+            cannot start if this password is kept as is.</para>
+        </important>
+      </section>
+      <section
+        id="Protocol providers configuration parameters">
+        <title>Protocol providers</title>
+        <section
+          id="Parameters common to all protocol providers">
+          <title>Parameters common to all protocol providers</title>
+          <para>Since all protocol provider Configuration beans inherit from the same ServiceConfiguration, they share
+            many of the same configuration parameters.</para>
+          <table
+            id="Parameters common to all protocol providers table">
+            <title>Parameters common to all protocol providers</title>
+            <tgroup
+              cols="3">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>enabled</entry>
+                  <entry>false</entry>
+                  <entry>Whether this service is enabled.</entry>
+                </row>
+                <row>
+                  <entry>ipPort</entry>
+                  <entry>No default.</entry>
+                  <entry>The IP port for this service.</entry>
+                </row>
+                <row>
+                  <entry>ipAddress</entry>
+                  <entry>No default.</entry>
+                  <entry>The IP address for this service.</entry>
+                </row>
+                <row>
+                  <entry>searchBaseDn</entry>
+                  <entry>"ou=users,ou=system"</entry>
+                  <entry>
+                    The single location where users that can be SASL authenticated are stored.
+                    &lt;to
+                    be
+                    clarified&gt;
+                    The
+                    definition of "entries" depends on the protocol. For example, for LDAP, Kerberos, and Change
+                    Password, entries are users for purposes of authentication. For DNS, entries are resource records.
+                    If this property is not set the store will search the system partition configuration for catalog
+                    entries.
+                    <emphasis
+                      role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS
+                      using
+                      the Config Admin service</emphasis>.&lt;to
+                    be clarified/&gt;
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+          <warning>
+            <title>recent inclusion</title>
+            <para>This last parameter has been included with the last SASL addition. The description is not giving a lot
+              of information about what is this parameter about, except for SASL authentication. The parameter name is
+              not significant, and another one should be selected, IMHO.</para>
+            <para>Can soemone elaborate what this parameter is about ?</para>
+          </warning>
+          <table
+            id="Parameters common to all protocol providers table 1">
+            <title>Parameters common to all protocol providers 1</title>
+            <tgroup
+              cols="3">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>initialContextFactory</entry>
+                  <entry>"org.apache.directory.server.core.jndi.CoreContextFactory"</entry>
+                  <entry>The JNDI initial context factory to use.</entry>
+                </row>
+                <row>
+                  <entry>securityAuthentication</entry>
+                  <entry>"simple"</entry>
+                  <entry>The authentication mechanism to use for establishing a JNDI context.</entry>
+                </row>
+                <row>
+                  <entry>securityPrincipal</entry>
+                  <entry>"uid=admin,ou=system"</entry>
+                  <entry>The principal to use for establishing a JNDI context.</entry>
+                </row>
+                <row>
+                  <entry>securityCredentials</entry>
+                  <entry>"secret"</entry>
+                  <entry>The credentials to use for establishing a JNDI context.</entry>
+                </row>
+                <row>
+                  <entry>serviceName</entry>
+                  <entry>No default.</entry>
+                  <entry>The friendly name of this service.</entry>
+                </row>
+                <row>
+                  <entry>servicePid</entry>
+                  <entry>No default.</entry>
+                  <entry>The PID for this service. A PID is a unique identifier for an instance of a service. PID's are
+                    used by OSGi's Config Admin service to dynamically inject configuration into a service when the
+                    service is started.</entry>
+                </row>
+                <row>
+                  <entry>bufferSize</entry>
+                  <entry>No default.</entry>
+                  <entry>The MINA buffer size for this service.</entry>
+                </row>
+                <row>
+                  <entry>catalogBaseDn</entry>
+                  <entry>No default.</entry>
+                  <entry>
+                    The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or
+                    zone for DNS) to a search base DN. If this property is not set the store will expect a single search
+                    base DN to be set.
+                    <emphasis
+                      role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using
+                      the Config Admin service.</emphasis>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+          <warning>
+            <para>It would be good to have more insight about catalogs.</para>
+          </warning>
+        </section>
+        <section
+          id="LDAP-Specific Configuration Parameters Protocol providers configuration parameters">
+          <title>LDAP-Specific Configuration Parameters</title>
+          <warning>
+            <para>We have had a lot of modification in this part. Some of them are really going in the right direction,
+              some other needs to be tuned.
+              First, all the previous configuration has been moved from the common part to
+              a specific LdapConfiguration part : that
+              is a good move
+              Second, we now have a new configuration called
+              "ldapsConfiguration", but I'm afraid that some informations are missing.
+              Third, I don't know if we should
+              have only one configuration called "ldapConfiguration", or three
+              ("ldapConfiguration", "ldapsConfiguration"
+              and" ldapSASLConfiguration". Atm, we have two.</para>
+          </warning>
+          <para>Here is the latest version of the ldap configuration :</para>
+          <programlisting><![CDATA[
+  <bean id="ldapConfiguration" class="org.apache.directory.server.ldap.LdapConfiguration">
+    <!-- The port to run the LDAP protocol on.                              -->
+    <property name="ipPort" value="10389" />
+
+    <!-- Whether to allow anonymous access.                                 -->
+    <property name="allowAnonymousAccess" value="false" />
+    
+    <!-- The list of supported authentication mechanisms.                   -->
+    <property name="supportedMechanisms">
+      <list>
+        <value>SIMPLE</value>
+        <value>CRAM-MD5</value>
+        <value>DIGEST-MD5</value>
+        <!--<value>GSSAPI</value>-->
+      </list>
+    </property>
+    
+    <!-- The FQDN of this SASL host, validated during SASL negotiation.     -->
+    <property name="saslHost" value="ldap.example.com" />
+    
+    <!-- The Kerberos principal name for this LDAP service, used by GSSAPI. -->
+    <property name="saslPrincipal" value="ldap/ldap.example.com@EXAMPLE.COM" />
+    
+    <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI.  -->
+    <property name="saslQop">
+      <list>
+        <value>auth</value>
+        <value>auth-int</value>
+        <value>auth-conf</value>
+      </list>
+    </property>
+    
+    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
+    <property name="saslRealms">
+      <list>
+        <value>example.com</value>
+        <value>apache.org</value>
+      </list>
+    </property>
+    
+    <!-- The base DN containing users that can be SASL authenticated.       -->
+    <property name="searchBaseDn" value="ou=users,ou=system" />
+    
+    <!-- SSL CONFIG CAN GO HERE-->
+    
+    <!-- limits searches by non-admin users to a max time of 15000          -->
+    <!-- milliseconds and has a default value of 10000                      -->
+    <property name="maxTimeLimit" value="15000" />
+
+    <!-- limits searches to max size of 1000 entries: default value is 100  -->
+    <property name="maxSizeLimit" value="1000" />
+
+    <!-- the collection of extended operation handlers to install           -->
+    <property name="extendedOperationHandlers">
+      <list>
+        <!--<bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>-->
+        <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
+
+        <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
+      </list>
+    </property>
+  </bean>
+          ]]></programlisting>
+          <table
+            id="LDAP-Specific Configuration Parameters 1 table">
+            <title>LDAP-Specific Configuration Parameters 1</title>
+            <tgroup
+              cols="4">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                  <entry>Comments</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>ipPort</entry>
+                  <entry>10389</entry>
+                  <entry>The IP port used by the ldap server</entry>
+                  <entry>We are using a port above 1024 to allow non root users to launch the server</entry>
+                </row>
+                <row>
+                  <entry>allowAnonymousAccess</entry>
+                  <entry>false</entry>
+                  <entry>Whether to allow anonymous access</entry>
+                  <entry>
+                    Was
+                    <emphasis
+                      role="bold">true</emphasis>
+                    in the previous version
+                  </entry>
+                </row>
+                <row>
+                  <entry>supportedMechanisms</entry>
+                  <entry>SIMPLE, CRAM-MD5, DIGEST-MD5</entry>
+                  <entry>The supported authentication mechanisms</entry>
+                  <entry>The GSSAPI mechanism has been temporarilly disabled</entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+          <important>
+            <para>We have to figure out if we should reactivate this GSSAPI configuration, or not. Not a simple matter,
+              right now. If SASL is to be moved to another configuration, then maybe it should be activated as a default
+              value. TO BE DISCUSSED...</para>
+          </important>
+          <table
+            id="LDAP-Specific Configuration Parameters 2 table">
+            <title>LDAP-Specific Configuration Parameters 2</title>
+            <tgroup
+              cols="4">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                  <entry>Comments</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>saslHost</entry>
+                  <entry>ldap.example.com</entry>
+                  <entry>The name of this host, validated during SASL negotiation.</entry>
+                  <entry>The host name must be selected with great caution</entry>
+                </row>
+                <row>
+                  <entry>saslPrincipal</entry>
+                  <entry>ldap/ldap.example.com@EXAMPLE.COM</entry>
+                  <entry>The service principal, used by GSSAPI.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>saslQop</entry>
+                  <entry>auth, auth-int, auth-conf</entry>
+                  <entry>The quality of protection (QoP), used by DIGEST-MD5 and GSSAPI.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>saslRealms</entry>
+                  <entry>example.com</entry>
+                  <entry>The list of realms serviced by this host.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>maxSizeLimit</entry>
+                  <entry>100</entry>
+                  <entry>The maximum size limit.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>maxTimeLimit</entry>
+                  <entry>10000</entry>
+                  <entry>The maximum time limit.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>enableLdaps</entry>
+                  <entry>false</entry>
+                  <entry>Whether LDAPS is enabled.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>ldapsCertificateFile</entry>
+                  <entry>server-work/certificates/server.cert</entry>
+                  <entry>The path to the certificate file.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>ldapsCertificatePassword</entry>
+                  <entry>changeit</entry>
+                  <entry>The certificate password.</entry>
+                  <entry></entry>
+                </row>
+                <row>
+                  <entry>extendedOperationHandlers</entry>
+                  <entry>No default.</entry>
+                  <entry>The extended operation handlers.</entry>
+                  <entry></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+        </section>
+        <section
+          id="Kerberos-Specific Configuration Parameters">
+          <title>Kerberos-Specific Configuration Parameters</title>
+          <programlisting><![CDATA[
+<bean id="kdcConfiguration" class="org.apache.directory.server.kerberos.kdc.KdcConfiguration">
+    <!-- Whether to enable the Kerberos protocol.                           -->
+    <property name="enabled" value="false" />
+    <!-- The port to run the Kerberos protocol on.                          -->
+    <property name="ipPort" value="88" />
+</bean>
+          ]]></programlisting>
+          <table
+            id="Kerberos-Specific Configuration Parameters table">
+            <title>Kerberos-Specific Configuration Parameters</title>
+            <tgroup
+              cols="3">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>encryptionTypes</entry>
+                  <entry>des-cbc-md5</entry>
+                  <entry>The encryption types.</entry>
+                </row>
+                <row>
+                  <entry>primaryRealm</entry>
+                  <entry>EXAMPLE.COM</entry>
+                  <entry>The primary realm.</entry>
+                </row>
+                <row>
+                  <entry>servicePrincipal</entry>
+                  <entry>krbtgt/EXAMPLE.COM@EXAMPLE.COM</entry>
+                  <entry>The service principal name.</entry>
+                </row>
+                <row>
+                  <entry>allowableClockSkew</entry>
+                  <entry>5 minutes</entry>
+                  <entry>The allowable clock skew.</entry>
+                </row>
+                <row>
+                  <entry>paEncTimestampRequired</entry>
+                  <entry>true</entry>
+                  <entry>Whether pre-authentication by encrypted timestamp is required.</entry>
+                </row>
+                <row>
+                  <entry>maximumTicketLifetime</entry>
+                  <entry>1440 (24 hours)</entry>
+                  <entry>The maximum ticket lifetime.</entry>
+                </row>
+                <row>
+                  <entry>maximumRenewableLifetime</entry>
+                  <entry>10080 (1 week)</entry>
+                  <entry>The maximum renewable lifetime.</entry>
+                </row>
+                <row>
+                  <entry>emptyAddressesAllowed</entry>
+                  <entry>true</entry>
+                  <entry>Whether ticket issuance for empty Host Addresses is allowed.</entry>
+                </row>
+                <row>
+                  <entry>forwardableAllowed</entry>
+                  <entry>true</entry>
+                  <entry>Whether forwardable tickets are allowed.</entry>
+                </row>
+                <row>
+                  <entry>proxiableAllowed</entry>
+                  <entry>true</entry>
+                  <entry>Whether proxiable tickets are allowed.</entry>
+                </row>
+                <row>
+                  <entry>postdateAllowed</entry>
+                  <entry>true</entry>
+                  <entry>Whether postdated tickets are allowed.</entry>
+                </row>
+                <row>
+                  <entry>renewableAllowed</entry>
+                  <entry>true</entry>
+                  <entry>Whether renewable tickets are allowed.</entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+        </section>
+        <section
+          id="Change Password-Specific Configuration Parameters">
+          <title>Change Password-Specific Configuration Parameters</title>
+          <programlisting><![CDATA[
+<bean id="changePasswordConfiguration" class="org.apache.directory.server.changepw.ChangePasswordConfiguration">
+    <!-- Whether to enable the Change Password protocol.                    -->
+    <property name="enabled" value="false" />
+    <!-- The port to run the Change Password protocol on.                   -->
+    <property name="ipPort" value="464" />
+</bean>
+          ]]></programlisting>
+          <table
+            id="Change Password-Specific Configuration Parameters table">
+            <title>Change Password-Specific Configuration Parameters</title>
+            <tgroup
+              cols="3">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>encryptionTypes</entry>
+                  <entry>des-cbc-md5</entry>
+                  <entry>The encryption types.</entry>
+                </row>
+                <row>
+                  <entry>primaryRealm</entry>
+                  <entry>EXAMPLE.COM</entry>
+                  <entry>The primary realm.</entry>
+                </row>
+                <row>
+                  <entry>servicePrincipal</entry>
+                  <entry>kadmin/changepw@EXAMPLE.COM</entry>
+                  <entry>The service principal name.</entry>
+                </row>
+                <row>
+                  <entry>allowableClockSkew</entry>
+                  <entry>5 minutes</entry>
+                  <entry>The allowable clock skew.</entry>
+                </row>
+                <row>
+                  <entry>emptyAddressesAllowed</entry>
+                  <entry>true</entry>
+                  <entry>Whether tickets issued with empty Host Addresses are allowed.</entry>
+                </row>
+                <row>
+                  <entry>policyPasswordLength</entry>
+                  <entry>6 characters</entry>
+                  <entry>The policy for minimum password length.</entry>
+                </row>
+                <row>
+                  <entry>policyCategoryCount</entry>
+                  <entry>3 (out of 4)</entry>
+                  <entry>The policy for number of character categories required (A - Z), (a - z), (0 - 9),
+                    non-alphanumeric (!, $, #, %, ... ).</entry>
+                </row>
+                <row>
+                  <entry>policyTokenSize</entry>
+                  <entry>3 characters</entry>
+                  <entry>The policy for minimum token size. Passwords must not contain tokens larger than
+                    'policyTokenSize' that occur in the user's principal name.</entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+        </section>
+        <section
+          id="NTP-Specific configuration parameters">
+          <title>NTP-Specific configuration parameters</title>
+          <para>The NTP parameters are very limited :</para>
+          <programlisting><![CDATA[
+<bean id="ntpConfiguration" class="org.apache.directory.server.ntp.NtpConfiguration">
+    <!-- Whether to enable the NTP protocol.                                -->
+    <property name="enabled" value="true" />
+
+    <!-- The port to run the NTP protocol on.                               -->
+    <property name="ipPort" value="123" />
+</bean>
+          ]]></programlisting>
+          <para>Here is the table containing the default configuration :</para>
+          <table
+            id="NTP-Specific configuration parameters table">
+            <title>NTP-Specific configuration parameters</title>
+            <tgroup
+              cols="4">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                  <entry>Comments</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>enabled</entry>
+                  <entry>true</entry>
+                  <entry>Tells if the service is on or off</entry>
+                  <entry>Should be OFF by default</entry>
+                </row>
+                <row>
+                  <entry>ipPort</entry>
+                  <entry>123</entry>
+                  <entry>The default port</entry>
+                  <entry></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+          <important>
+            <para>Just wanted to know if the UDP and TCP should be enabled or if the server just accept TCP ?</para>
+          </important>
+        </section>
+        <section
+          id="DHCP-Specific configuration parameters">
+          <title>DHCP-Specific configuration parameters</title>
+          <para>There is no description about DHCP parameters atm.</para>
+        </section>
+      </section>
+      <section
+        id="Server Startup Configuration">
+        <title>Server Startup Configuration</title>
+        <section
+          id="Replication Startup Configuration">
+          <title>Replication</title>
+          <programlisting><![CDATA[
+<bean class="org.apache.directory.server.core.configuration.MutableInterceptorConfiguration">
+  <property name="name" value="replicationService" />
+    <property name="interceptor">
+      <bean class="org.apache.directory.mitosis.service.ReplicationService">
+        <property name="configuration">
+          <bean class="org.apache.directory.mitosis.configuration.ReplicationConfiguration">
+            <property name="replicaId">
+              <bean class="org.apache.directory.mitosis.common.ReplicaId">
+                <constructor-arg>
+                  <value>instance_a</value>
+                  </constructor-arg>
+                </bean>
+              </property>
+            <property name="serverPort" value="10390" />
+          <property name="peerReplicas" value="instance_b@localhost:10392" />
+        </bean>
+      </property>
+    </bean>
+  </property>
+</bean>
+          ]]></programlisting>
+          <table
+            id="Replication Startup Configuration table">
+            <title>Replication Startup Configuration</title>
+            <tgroup
+              cols="4">
+              <thead>
+                <row>
+                  <entry>Parameter</entry>
+                  <entry>Default value</entry>
+                  <entry>Description</entry>
+                  <entry>Comments</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry></entry>
+                  <entry></entry>
+                  <entry></entry>
+                  <entry></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+        </section>
+      </section>
+      <section
+        id="Partition Configuration">
+        <title>Partition Configuration</title>
+        <para>TODO ???</para>
+      </section>
+    </section>
+  </section>
+  <section
+    id="LDAP Protocol Provider">
+    <title>LDAP Protocol Provider</title>
+    <important>
+      <title>Work in progress</title>
+      <para>This site is in the process of being reviewed and updated.</para>
+    </important>
+    <important>
+      <para>LDAP Protocol configuration is currently being revamped in the SASL branch, as part of making SASL
+        configurable.</para>
+    </important>
+    <section
+      id="Before LDAP Protocol Provider">
+      <title>Before</title>
+      <para>Previously, LDAP protocol configuration existed in the MutableServerStartupConfiguration, along with Core
+        and Partition configuration.</para>
+      <programlisting><![CDATA[
+  <bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
+    <property name="ldapPort" value="389" />
+    <property name="allowAnonymousAccess" value="false" />
+
+    <!-- limits searches by non-admin users to a max time of 15000          -->
+    <!-- milliseconds and has a default value of 10000                      -->
+    <property name="maxTimeLimit" value="15000" />
+
+    <!-- limits searches to max size of 1000 entries: default value is 100  -->
+    <property name="maxSizeLimit" value="1000" />
+
+    <property name="extendedOperationHandlers">
+      <list>
+        <bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>
+        <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
+        <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
+      </list>
+    </property>
+  </bean>
+    ]]></programlisting>
+    </section>
+    <section
+      id="After LDAP Protocol Provider">
+      <title>After</title>
+      <para>At the same time as the addition of numerous configuration parameters for SASL, LDAP protocol configuration
+        has all moved to an LdapConfiguration bean.</para>
+      <programlisting><![CDATA[
+  <bean id="ldapConfiguration" class="org.apache.directory.server.ldap.LdapConfiguration">
+    <!-- The port to run the LDAP protocol on.                              -->
+    <property name="ipPort" value="389" />
+    <!-- Whether to allow anonymous access.                                 -->
+    <property name="allowAnonymousAccess" value="true" />
+    
+    <!-- BEGIN NEW SASL CONFIG -->
+    
+    <!-- The list of supported authentication mechanisms.                   -->
+    <property name="supportedMechanisms">
+      <list>
+        <value>SIMPLE</value>
+        <value>CRAM-MD5</value>
+        <value>DIGEST-MD5</value>
+        <value>GSSAPI</value>
+      </list>
+    </property>
+    
+    <!-- The FQDN of this SASL host, validated during SASL negotiation.     -->
+    <property name="saslHost" value="ldap.example.com" />
+    
+    <!-- The Kerberos principal name for this LDAP service, used by GSSAPI. -->
+    <property name="saslPrincipal" value="ldap/ldap.example.com@EXAMPLE.COM" />
+    
+    <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI.  -->
+    <property name="saslQop">
+      <list>
+        <value>auth</value>
+        <value>auth-int</value>
+        <value>auth-conf</value>
+      </list>
+    </property>
+    
+    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
+    <property name="saslRealms">
+      <list>
+        <value>example.com</value>
+        <value>apache.org</value>
+      </list>
+    </property>
+    
+    <!-- The base DN containing users that can be SASL authenticated.       -->
+    <property name="searchBaseDn" value="ou=users,dc=example,dc=com" />
+    
+    <!-- END NEW SASL CONFIG -->
+    
+    <!-- SSL CONFIG CAN GO HERE-->
+    
+    <!-- limits searches by non-admin users to a max time of 15000          -->
+    <!-- milliseconds and has a default value of 10000                      -->
+    <property name="maxTimeLimit" value="15000" />
+    <!-- limits searches to max size of 1000 entries: default value is 100  -->
+    <property name="maxSizeLimit" value="1000" />
+    <!-- the collection of extended operation handlers to install           -->
+    <property name="extendedOperationHandlers">
+      <list>
+        <bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>
+        <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
+        <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
+      </list>
+    </property>
+  </bean>
+    ]]></programlisting>
+      <para>The LdapConfiguration bean is subordinate to the MutableServerStartupConfiguration.</para>
+      <programlisting><![CDATA[
+<bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
+  ...
+  <property name="ldapConfiguration" ref="ldapConfiguration" />
+  ...
+</bean>
+    ]]></programlisting>
+    </section>
+    <section
+      id="Common Service Configuration Parameters">
+      <title>Common Service Configuration Parameters</title>
+      <table
+        id="Common Service Configuration Parameters table">
+        <title>Common Service Configuration Parameters</title>
+        <tgroup
+          cols="3">
+          <thead>
+            <row>
+              <entry>Parameter</entry>
+              <entry>Default value</entry>
+              <entry>Description</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>enabled</entry>
+              <entry>true</entry>
+              <entry>Whether this service is enabled.</entry>
+            </row>
+            <row>
+              <entry>ipPort</entry>
+              <entry>389</entry>
+              <entry>The IP port for this service.</entry>
+            </row>
+            <row>
+              <entry>ipAddress</entry>
+              <entry>No default.</entry>
+              <entry>The IP address for this service.</entry>
+            </row>
+            <row>
+              <entry>searchBaseDn</entry>
+              <entry>"ou=users,dc=example,dc=com"</entry>
+              <entry>
+                The single location where users are stored. If this property is not set the store will search the system
+                partition configuration for catalog entries.
+                <emphasis
+                  role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the
+                  Config Admin service.</emphasis>
+              </entry>
+            </row>
+            <row>
+              <entry>initialContextFactory</entry>
+              <entry>"org.apache.directory.server.core.jndi.CoreContextFactory"</entry>
+              <entry>The JNDI initial context factory to use.</entry>
+            </row>
+            <row>
+              <entry>securityAuthentication</entry>
+              <entry>"simple"</entry>
+              <entry>The authentication mechanism to use for establishing a JNDI context.</entry>
+            </row>
+            <row>
+              <entry>securityPrincipal</entry>
+              <entry>"uid=admin,ou=system"</entry>
+              <entry>The principal to use for establishing a JNDI context.</entry>
+            </row>
+            <row>
+              <entry>securityCredentials</entry>
+              <entry>secret</entry>
+              <entry>The credentials to use for establishing a JNDI context.</entry>
+            </row>
+            <row>
+              <entry>serviceName</entry>
+              <entry>Apache LDAP Service</entry>
+              <entry>The friendly name of this service.</entry>
+            </row>
+            <row>
+              <entry>servicePid</entry>
+              <entry>org.apache.directory.server.ldap</entry>
+              <entry>The PID for this service. A PID is a unique identifier for an instance of a service. PID's are used
+                by OSGi's Config Admin service to dynamically inject configuration into a service when the service is
+                started.</entry>
+            </row>
+            <row>
+              <entry>catalogBaseDn</entry>
+              <entry>No default.</entry>
+              <entry>
+                The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone
+                for DNS) to a search base DN. If this property is not set the store will expect a single search base DN
+                to be set.
+                <emphasis
+                  role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the
+                  Config Admin service.</emphasis>
+              </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+    </section>
+    <section
+      id="LDAP-Specific Configuration Parameters">
+      <title>LDAP-Specific Configuration Parameters</title>
+      <table
+        id="LDAP-Specific Configuration Parameters table">
+        <title>LDAP-Specific Configuration Parameters</title>
+        <tgroup
+          cols="3">
+          <thead>
+            <row>
+              <entry>Parameter</entry>
+              <entry>Default value</entry>
+              <entry>Description</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>allowAnonymousAccess</entry>
+              <entry>true</entry>
+              <entry>Whether to allow anonymous access.</entry>
+            </row>
+            <row>
+              <entry>maxSizeLimit</entry>
+              <entry>100</entry>
+              <entry>The maximum size limit.</entry>
+            </row>
+            <row>
+              <entry>maxTimeLimit</entry>
+              <entry>10000</entry>
+              <entry>The maximum time limit.</entry>
+            </row>
+            <row>
+              <entry>enableLdaps</entry>
+              <entry>false</entry>
+              <entry>Whether LDAPS is enabled.</entry>
+            </row>
+            <row>
+              <entry>ldapsCertificateFile</entry>
+              <entry>server-work/certificates/server.cert</entry>
+              <entry>The path to the certificate file.</entry>
+            </row>
+            <row>
+              <entry>ldapsCertificatePassword</entry>
+              <entry>changeit</entry>
+              <entry>The certificate password.</entry>
+            </row>
+            <row>
+              <entry>extendedOperationHandlers</entry>
+              <entry>No default.</entry>
+              <entry>The extended operation handlers.</entry>
+            </row>
+            <row>
+              <entry>supportedMechanisms</entry>
+              <entry>SIMPLE, CRAM-MD5, DIGEST-MD5, GSSAPI</entry>
+              <entry>The supported authentication mechanisms.</entry>
+            </row>
+            <row>
+              <entry>saslHost</entry>
+              <entry>ldap.example.com</entry>
+              <entry>The name of this host, validated during SASL negotiation.</entry>
+            </row>
+            <row>
+              <entry>saslPrincipal</entry>
+              <entry>ldap/ldap.example.com@EXAMPLE.COM</entry>
+              <entry>The service principal, used by GSSAPI.</entry>
+            </row>
+            <row>
+              <entry>saslQop</entry>
+              <entry>auth, auth-int, auth-conf</entry>
+              <entry>The quality of protection (QoP), used by DIGEST-MD5 and GSSAPI.</entry>
+            </row>
+            <row>
+              <entry>saslRealms</entry>
+              <entry>example.com</entry>
+              <entry>The list of realms serviced by this host.</entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+    </section>
+    <section
+      id="More Information">
+      <title>More Information</title>
+      <para>
+        For help with more advanced configurations, check out our
+        <link
+          xlink:href="http://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=DIRxSRVx10&amp;title=Interoperability">Interoperability Guide</link>
+        .
+      </para>
+    </section>
+  </section>
+  <section
+    id="Kerberos Protocol Provider">
+    <title>Kerberos Protocol Provider</title>
+    <important>
+      <title>Work in progress</title>
+      <para>This site is in the process of being reviewed and updated.</para>
+    </important>
+    <itemizedlist>
+      <listitem>
+        <xref
+          linkend="Kerberos Protocol Configuration  " />
+      </listitem>
+      <listitem>
+        <xref
+          linkend="Kerberos and Unlimited Strength Policy" />
+      </listitem>
+      <listitem>
+        <xref
+          linkend="Kerberos in ApacheDS 1.5.5" />
+      </listitem>
+    </itemizedlist>
+    <section
+      id="Introduction Kerberos Protocol Provider">
+      <title>Introduction</title>
+      <para>
+        The Kerberos provider for Apache Directory implements
+        <link
+          xlink:href="http://www.ietf.org/rfc/rfc1510.txt">RFC 1510</link>
+        , the Kerberos V5 Network Authentication
+        Service. The purpose of Kerberos is to verify the identities of
+        principals (users or services) on an unprotected
+        network. While generally thought of as a single-sign-on
+        technology, Kerberos' true strength is in authenticating
+        users without ever sending their password over the
+        network. Kerberos is designed for use on open (untrusted)
+        networks and, therefore, operates under the assumption
+        that packets traveling along the network can be read,
+        modified, and inserted at will.
+        <link
+          xlink:href="http://www.computerworld.com/computerworld/records/images/pdf/kerberos_chart.pdf">This chart</link>
+        provides a good
+        description of the protocol workflow.
+      </para>
+      <para>Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client,
+        the Kerberos server, and the network service being accessed.</para>
+      <para>The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the
+        Kerberos provider leverages Apache Directory's MINA for front-end services and the Apache Directory
+        read-optimized backing store via JNDI for persistent directory services.</para>
+      <para>The Kerberos provider for Apache Directory, in conjunction with MINA and the Apache Directory store,
+        provides an easy-to-use yet fully-featured network authentication service. As implemented within the Apache
+        Directory, the Kerberos provder will provide:</para>
+      <itemizedlist>
+        <listitem>
+          <para>Authentication service (RFC 1510)</para>
+        </listitem>
+        <listitem>
+          <para>Ticket-granting service (RFC 1510)</para>
+        </listitem>
+        <listitem>
+          <para>Pre-authentication support (RFC 1510)</para>
+        </listitem>
+        <listitem>
+          <para>DES encryption systems (RFC 1510)</para>
+        </listitem>
+        <listitem>
+          <para>Triple-DES (DES3) encryption systems</para>
+        </listitem>
+        <listitem>
+          <para>UDP and TCP Support (MINA)</para>
+        </listitem>
+        <listitem>
+          <para>Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section
+      id="More Information Kerberos Protocol Provider">
+      <title>More Information</title>
+      <para>
+        For help with Kerberos client configurations, check out our
+        <link
+          xlink:href="http://cwiki.apache.org/DIRxINTEROP">Interoperability Guide</link>
+        .
+      </para>
+    </section>
+    <section
+      id="Resources Kerberos Protocol Provider">
+      <title>Resources</title>
+      <section
+        id="Kerberos Articles">
+        <title>Kerberos Articles</title>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www.linuxjournal.com/article/7336">Centralized Authentication with Kerberos 5, Part I</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www.linuxjournal.com/article/7334">Centralized Authorization Using a Directory Service, Part II</link>
+            </para>
+          </listitem>
+        </itemizedlist>
+      </section>
+      <section
+        id="Microsoft Interoperability">
+        <title>Microsoft Interoperability</title>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://msdn.microsoft.com/library/default.asp?url=%2Flibrary%2Fen-us%2Fdnsecure%2Fhtml%2Fhttp-sso-2.asp">HTTP-Based Cross-Platform Authentication via the Negotiate Protocol</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism">RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism</link>
+            </para>
+          </listitem>
+        </itemizedlist>
+      </section>
+      <section
+        id="Standards">
+        <title>Standards</title>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-crypto-07.txt">Encryption and Checksum Specifications for Kerberos 5</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-ietf-cat-kerb-key-derivation-00.txt">Key Derivation for Kerberos V5</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-horowitz-key-derivation-00.txt">Key Derivation for Authentication, Integrity, and Privacy</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www.faqs.org/rfcs/rfc1510.html">RFC 1510 - The Kerberos Network Authentication Service (V5)</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www.faqs.org/rfcs/rfc1964.html">RFC 1964 - The Kerberos Version 5 GSS-API Mechanism</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www-106.ibm.com/developerworks/java/library/j-gss-sso/">Simplify enterprise Java authentication with single sign-on</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos/">Lock down J2ME applications with Kerberos, Part 1: Introducing Kerberos data formats</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos2.html">Lock down J2ME applications with Kerberos, Part 2: Authoring a request for a Kerberos ticket
+              </link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link
+                xlink:href="http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos3/">Lock down J2ME applications with Kerberos, Part 3: Establish secure communication with an
+                e-bank</link>
+            </para>
+          </listitem>
+        </itemizedlist>
+      </section>
+    </section>
+    <section
+      id="Kerberos Protocol Configuration">
+      <title>Kerberos Protocol Configuration</title>
+      <important>
+        <title>Work in progress</title>
+        <para>This site is in the process of being reviewed and updated.</para>
+      </important>
+      <section
+        id="Before Kerberos Protocol Configuration">
+        <title>Before</title>
+        <para>Previously, Kerberos protocol configuration existed in a PropertiesFactoryBean, along with JNDI
+          environment properties.</para>
+        <programlisting><![CDATA[
+<bean id="environment" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+  <property name="properties">
+    <props>
+      <prop key="java.naming.security.authentication">simple</prop>
+      <prop key="java.naming.security.principal">uid=admin,ou=system</prop>
+      <prop key="java.naming.security.credentials">secret</prop>
+      <prop key="kdc.entryBaseDn">ou=users,dc=example,dc=com</prop>
+      <prop key="kdc.java.naming.security.credentials">secret</prop>
+    </props>
+  </property>
+</bean>
+      ]]></programlisting>
+      </section>
+      <section
+        id="After Kerberos Protocol Configuration">
+        <title>After</title>
+        <para>At the same time as the addition of numerous configuration parameters for SASL to the LDAP protocol,
+          Kerberos configuration has all moved to a KdcConfiguration bean.</para>
+        <programlisting><![CDATA[
+<bean id="kdcConfiguration" class="org.apache.directory.server.kerberos.kdc.KdcConfiguration">
+  <!-- The port to run the Kerberos protocol on.                          -->
+  <property name="ipPort" value="88" />
+</bean>
+      ]]></programlisting>
+        <para>The KdcConfiguration bean is subordinate to the MutableServerStartupConfiguration.</para>
+        <programlisting><![CDATA[
+<bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
+  ...
+  <property name="kdcConfiguration" ref="kdcConfiguration" />
+  ...
+</bean>
+      ]]></programlisting>
+      </section>
+      <section
+        id="Common Service Configuration Parameters Kerberos Protocol Configuration">
+        <title>Common Service Configuration Parameters</title>
+        <table
+          id="table Common Service Configuration Parameters Kerberos Protocol Configuration">
+          <title>Common Service Configuration Parameters</title>
+          <tgroup
+            cols="3">
+            <thead>
+              <row>
+                <entry>Parameter</entry>
+                <entry>Default value</entry>
+                <entry>Description</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>enabled</entry>
+                <entry>false</entry>
+                <entry>Whether this service is enabled.</entry>
+              </row>
+              <row>
+                <entry>ipPort</entry>
+                <entry>88</entry>
+                <entry>The IP port for this service.</entry>
+              </row>
+              <row>
+                <entry>ipAddress</entry>
+                <entry>No default.</entry>
+                <entry>The IP address for this service.</entry>
+              </row>
+              <row>
+                <entry>searchBaseDn</entry>
+                <entry>"ou=users,dc=example,dc=com"</entry>
+                <entry>
+                  The single location where principals are stored. If this property is not set the store will search the
+                  system partition configuration for catalog entries.
+                  <emphasis
+                    role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using
+                    the Config Admin service.</emphasis>
+                </entry>
+              </row>
+              <row>
+                <entry>initialContextFactory</entry>
+                <entry>"org.apache.directory.server.core.jndi.CoreContextFactory"</entry>
+                <entry>The JNDI initial context factory to use.</entry>
+              </row>
+              <row>
+                <entry>securityAuthentication</entry>
+                <entry>"simple"</entry>
+                <entry>The authentication mechanism to use for establishing a JNDI context.</entry>
+              </row>
+              <row>
+                <entry>securityPrincipal</entry>
+                <entry>"uid=admin,ou=system"</entry>
+                <entry>The principal to use for establishing a JNDI context.</entry>
+              </row>
+              <row>
+                <entry>securityCredentials</entry>
+                <entry>"secret"</entry>
+                <entry>The credentials to use for establishing a JNDI context.</entry>
+              </row>
+              <row>
+                <entry>serviceName</entry>
+                <entry>Apache Kerberos Service</entry>
+                <entry>The friendly name of this service.</entry>
+              </row>
+              <row>
+                <entry>servicePid</entry>
+                <entry>org.apache.kerberos</entry>
+                <entry>The PID for this service. A PID is a unique identifier for an instance of a service. PID's are
+                  used by OSGi's Config Admin service to dynamically inject configuration into a service when the
+                  service is started.</entry>
+              </row>
+              <row>
+                <entry>catalogBaseDn</entry>
+                <entry>No default.</entry>
+                <entry>
+                  The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone
+                  for DNS) to a search base DN. If this property is not set the store will expect a single search base
+                  DN to be set.
+                  <emphasis
+                    role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using
+                    the Config Admin service.</emphasis>
+                </entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </table>
+      </section>
+      <section
+        id="Kerberos-Specific Configuration Parameters Kerberos Protocol Configuration">
+        <title>Kerberos-Specific Configuration Parameters</title>
+        <table
+          id="table Kerberos Protocol Configuration Kerberos-Specific Configuration Parameters">
+          <title>Kerberos-Specific Configuration Parameters</title>
+          <tgroup
+            cols="3">
+            <thead>
+              <row>
+                <entry>Parameter</entry>
+                <entry>Default value</entry>
+                <entry>Description</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>encryptionTypes</entry>
+                <entry>des-cbc-md5</entry>
+                <entry>The encryption types.</entry>
+              </row>
+              <row>
+                <entry>primaryRealm</entry>
+                <entry>EXAMPLE.COM</entry>
+                <entry>The primary realm.</entry>
+              </row>
+              <row>
+                <entry>servicePrincipal</entry>
+                <entry>krbtgt/EXAMPLE.COM@EXAMPLE.COM</entry>
+                <entry>The service principal name.</entry>
+              </row>
+              <row>
+                <entry>allowableClockSkew</entry>
+                <entry>5 minutes</entry>
+                <entry>The allowable clock skew.</entry>
+              </row>
+              <row>
+                <entry>paEncTimestampRequired</entry>
+                <entry>true</entry>
+                <entry>Whether pre-authentication by encrypted timestamp is required.</entry>
+              </row>
+              <row>
+                <entry>maximumTicketLifetime</entry>
+                <entry>1440 (24 hours)</entry>
+                <entry>The maximum ticket lifetime.</entry>
+              </row>
+              <row>
+                <entry>maximumRenewableLifetime</entry>
+                <entry>10080 (1 week)</entry>
+                <entry>The maximum renewable lifetime.</entry>
+              </row>
+              <row>
+                <entry>emptyAddressesAllowed</entry>
+                <entry>true</entry>
+                <entry>Whether ticket issuance for empty Host Addresses is allowed.</entry>
+              </row>
+              <row>
+                <entry>forwardableAllowed</entry>
+                <entry>true</entry>
+                <entry>Whether forwardable tickets are allowed.</entry>
+              </row>
+              <row>
+                <entry>proxiableAllowed</entry>
+                <entry>true</entry>
+                <entry>Whether proxiable tickets are allowed.</entry>
+              </row>
+              <row>
+                <entry>postdateAllowed</entry>
+                <entry>true</entry>
+                <entry>Whether postdated tickets are allowed.</entry>
+              </row>
+              <row>
+                <entry>renewableAllowed</entry>
+                <entry>true</entry>
+                <entry>Whether renewable tickets are allowed.</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </table>
+      </section>
+      <section
+        id="More Information Kerberos Protocol Configuration">
+        <title>More Information</title>
+        <para>
+          For help with more advanced configurations, check out our
+          <link
+            xlink:href="http://cwiki.apache.org/DIRxINTEROP">Interoperability Guide</link>
+          .
+        </para>
+      </section>
+    </section>
+    <section
+      id="Kerberos and Unlimited Strength Policy">
+      <title>Kerberos and Unlimited Strength Policy</title>
+      <important>
+        <title>Work in progress</title>
+        <para>This site is in the process of being reviewed and updated.</para>
+      </important>
+      <section
+        id="Introduction Kerberos and Unlimited Strength Policy">
+        <title>Introduction</title>
+        <para>Due to export control restrictions, JDK 5.0 environments do not ship with support for AES-256 enabled.
+          Kerberos uses AES-256 in the 'aes256-cts-hmac-sha1-96' encryption type. To enable AES-256, you must download
+          "unlimited strength" policy JAR files for your JRE. Policy JAR files are signed by the JRE vendor so you
+          must
+          download policy JAR files for Sun, IBM, etc. separately. Also, policy files may be different for each
+          platform, such as i386, Solaris, or HP.</para>
+      </section>
+      <section
+        id="Installation Kerberos and Unlimited Strength Policy">
+        <title>Installation</title>
+        <orderedlist>
+          <listitem>
+            <para>
+              Download the unlimited strength policy JAR files.
+              <table
+                id="table Download the unlimited strength policy JAR files">
+                <title>Download the unlimited strength policy JAR files</title>
+                <tgroup
+                  cols="3">
+                  <thead>
+                    <row>
+                      <entry>Vendor</entry>
+                      <entry>Link</entry>
+                      <entry>Details</entry>
+                    </row>
+                  </thead>
+                  <tbody>
+                    <row>
+                      <entry>IBM</entry>
+                      <entry>
+                        <link
+                          xlink:href="http://www.ibm.com/developerworks/java/jdk/security/50/">IBM Security information</link>
+                      </entry>
+                      <entry>Scroll down to "IBM SDK Policy files." The same files are used for the Version 1.4 and
+                        Version 5 SDKs.</entry>
+                    </row>
+                    <row>
+                      <entry>Sun</entry>
+                      <entry>
+                        <link
+                          xlink:href="http://java.sun.com/javase/downloads/index_jdk5.jsp">Java SE Downloads - Previous Release - JDK 5</link>
+                      </entry>
+                      <entry>Scroll down to "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy
+                        Files 5.0" under "Other Downloads"</entry>
+                    </row>
+                  </tbody>
+                </tgroup>
+              </table>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Extract the unlimited strength policy JAR files.
+              <table
+                id="table Extract the unlimited strength policy JAR files">
+                <title>Extract the unlimited strength policy JAR files</title>
+                <tgroup
+                  cols="2">
+                  <thead>
+                    <row>
+                      <entry>File</entry>
+                      <entry>Description</entry>
+                    </row>
+                  </thead>
+                  <tbody>
+                    <row>
+                      <entry>local_policy.jar</entry>
+                      <entry>Unlimited strength local policy file</entry>
+                    </row>
+                    <row>
+                      <entry>US_export_policy.jar</entry>
+                      <entry>Unlimited strength US export policy file</entry>
+                    </row>
+                  </tbody>
+                </tgroup>
+              </table>
+            </para>
+          </listitem>
+          <listitem>
+            <para>Install
+              the unlimited strength policy JAR files by copying them to the standard location.
+              &lt;jre-home&gt; refers
+              to the directory where the J2SE Runtime Environment (JRE) was installed. Adjust
+              pathname separators for
+              your environment.
+              <table
+                id="table Install the unlimited strength policy JAR files">
+                <title>Install the unlimited strength policy JAR files</title>
+                <tgroup
+                  cols="2">
+                  <thead>
+                    <row>
+                      <entry>Standard Location</entry>
+                      <entry>Platform</entry>
+                    </row>
+                  </thead>
+                  <tbody>
+                    <row>
+                      <entry>&lt;jre-home&gt;/lib/security</entry>
+                      <entry>Solaris</entry>
+                    </row>
+                    <row>
+                      <entry>&lt;jre-home&gt;\lib\security</entry>
+                      <entry>Win32</entry>
+                    </row>
+                  </tbody>
+                </tgroup>
+              </table>
+            </para>
+          </listitem>
+          <listitem>
+            <para>Optionally, create subfolders in &lt;jre-home&gt;/lib/security, named, for example, "limited" and
+              "unlimited" so you can switch between policy files easily, by copying the policy JAR files from one of
+              the
+              subfolders to the &lt;jre-home&gt;/lib/security directory.</para>
+          </listitem>
+        </orderedlist>
+      </section>
+    </section>
+    <section
+      id="Kerberos in ApacheDS 1.5.5">
+      <title>Kerberos in ApacheDS 1.5.5</title>
+      <tip>
+        <title>ApacheDS 1.5.5</title>
+        <para>This site was updated for ApacheDS 1.5.5.</para>
+      </tip>
+      <section
+        id="Overview Kerberos in ApacheDS 1.5.5">
+        <title>Overview</title>
+        <para>This page shows how to activate and setup the KDC server of ApacheDS 1.5.5 (build from trunk
+          2009-08-04).
+          This is a very simple setup (host: localhost, realm: EXAMPLE.COM). Need to check the setup for
+          other hosts and
+          realms...</para>
+      </section>
+      <section
+        id="Activate Kerberos Kerberos in ApacheDS 1.5.5">
+        <title>Activate Kerberos</title>
+        <para>Acivate the keyDerivationInterceptor and the kdcServer. Also set saslHost and saslPrincipal to
+          localhost.
+          Add entries for users not before you have activated those elements, otherwise the krb5Key won't
+          be created!
+        </para>
+        <para>
+          server.xml
+          <programlisting><![CDATA[
+<spring:beans ...>
+  <defaultDirectoryService ...>
+    ...
+    <interceptors>
+      ...
+      <keyDerivationInterceptor/>
+      ...
+    </interceptors>
+  </defaultDirectoryService>
+   ...
+
+  <!-- 
+  +============================================================+
+  | Kerberos server configuration                              |
+  +============================================================+
+  -->
+  <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
+    <transports>
+      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
+      <udpTransport port="60088" nbThreads="4" backLog="50"/>
+    </transports>
+    <directoryService>#directoryService</directoryService>
+  </kdcServer>
+
+  ...
+
+  <ldapServer ...
+            saslHost="localhost"
+            saslPrincipal="ldap/localhost@EXAMPLE.COM"
+            searchBaseDn="ou=users,dc=example,dc=com"
+            ...>
+  ...
+
+</spring:beans>
+            ]]></programlisting>
+        </para>
+        <para>
+          Here is a complete server.xml:
+          <link
+            xlink:href="data/server.xml">server.xml</link>
+        </para>
+      </section>
+      <section
+        id="Optional: Logging">
+        <title>Optional: Logging</title>
+        <para>
+          Configure debug level logging in log4j.properties:
+          <programlisting><![CDATA[
+log4j.logger.org.apache.directory.server.kerberos=DEBUG
+        ]]></programlisting>
+        </para>
+      </section>
+      <section
+        id="Restart the Server Kerberos in ApacheDS 1.5.5">
+        <title>Restart the Server</title>
+        <para>
+          Restart the server, you should see the following output:
+          <programlisting><![CDATA[
+Starting the Kerberos server
+           _                     _          _  __ ____   ___    
+          / \   _ __    ___  ___| |__   ___| |/ /|  _ \ / __|   
+         / _ \ | '_ \ / _` |/ __| '_ \ / _ \ ' / | | | / /      
+        / ___ \| |_) | (_| | (__| | | |  __/ . \ | |_| \ \__    
+       /_/   \_\ .__/ \__,_|\___|_| |_|\___|_|\_\|____/ \___|   
+               |_|                                              
+
+[19:28:03] INFO [org.apache.directory.server.kerberos.kdc.KdcServer] - Kerberos service started.
+Kerberos service started.
+Kerberos server started
+        ]]></programlisting>
+        </para>
+      </section>
+      <section
+        id="Load User Data Kerberos in ApacheDS 1.5.5">
+        <title>Load User Data</title>
+        <para>
+          Load the following data into the server, e.g. using Apache Directory Studio:
+          <link
+            xlink:href="data/kdc-data.ldif">kdc-data.ldif</link>
+        </para>
+        <para>Note: The activated keyDerivationInterceptor automatically creates the krb5Key attributes:</para>
+        <figure
+          id="The activated keyDerivationInterceptor automatically creates the krb5Key attributes figure">
+          <title>The activated keyDerivationInterceptor automatically creates the krb5Key attributes</title>
+          <mediaobject>
+            <imageobject>
+              <imagedata
+                fileref="images/kdc1.png" />
+            </imageobject>
+          </mediaobject>
+        </figure>
+      </section>
+      <section
+        id="Authenticate using kinit (Unix/Linux)">
+        <title>Authenticate using kinit (Unix/Linux)</title>
+        <para>Make sure kinit is installed.</para>
+        <para>A minimal /etc/krb5.conf file looks as follows (make sure the port matches!):</para>
+        <programlisting><![CDATA[
+[libdefaults]
+        default_realm = EXAMPLE.COM
+
+[realms]
+        EXAMPLE.COM = {
+                kdc = localhost:60088
+        }
+
+[domain_realm]
+        .example.com = EXAMPLE.COM
+        example.com = EXAMPLE.COM
+
+[login]
+        krb4_convert = true
+        krb4_get_tickets = false
+          ]]></programlisting>
+        <para>Then try to authenticate, password is 'secret':</para>
+        <screen><![CDATA[
+stefan@r61:~$ kinit hnelson@EXAMPLE.COM
+Password for hnelson@EXAMPLE.COM:
+
+stefan@r61:~$ klist
+Ticket cache: FILE:/tmp/krb5cc_1000
+Default principal: hnelson@EXAMPLE.COM
+
+Valid starting     Expires            Service principal
+08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
+
+
+Kerberos 4 ticket cache: /tmp/tkt1000
+klist: You have no tickets cached
+          ]]></screen>
+      </section>
+      <section
+        id="Authenticate using Apache Directory Studio">
+        <title>Authenticate using Apache Directory Studio</title>
+        <para>You can also configure Apache Directory Studio to use Kerberos (GSSAPI) for authentication. If you use
+          the
+          following authentication parameters you don't need to configure any Kerberos settings in your native
+          operating
+          system.</para>
+        <figure
+          id="Authenticate using Apache Directory Studio figure">
+          <title>Authenticate using Apache Directory Studio</title>
+          <mediaobject>
+            <imageobject>
+              <imagedata
+                fileref="images/kdc2.png" />
+            </imageobject>
+          </mediaobject>
+        </figure>
+      </section>
+    </section>
+  </section>
+  <section
+    id="Change Password Protocol Provider">
+    <title>Change Password Protocol Provider</title>
+    <section
+      id="Introduction Change Password Protocol Provider">
+      <title>Introduction</title>
+      <para>
+        The Change Password service is a protocol provider that implements
+        <link
+          xlink:href="http://www.faqs.org/rfcs/rfc3244.html">RFC 3244</link>
+        to service Kerberos Change Password and Set Password Protocol requests. Change Password is a request-reply
+        protocol that uses Kerberos infrastructure to allow users to securely set initial passwords or to change
+        existing passwords. The Change Password protocol interoperates with the original Kerberos Change Password
+        protocol, while adding the ability for an administrator to set a password for a new user.
+      </para>
+      <para>The Change Password service is implemented as a protocol-provider plugin for the Apache Directory server. As
+        a plugin, Change Password leverages Apache MINA for front-end services and the Apache Directory read-optimized
+        backing store via JNDI for persistent directory services.</para>
+      <para>Change Password, in conjunction with MINA and the Apache Directory, provides an easy-to-use yet
+        fully-featured password service. As implemented within the Apache Directory, Change Password will provide:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>Original Kerberos password changing service</para>
+        </listitem>
+        <listitem>
+          <para>Initial password setting service (RFC 3244)</para>
+        </listitem>
+        <listitem>
+          <para>Optional LDAP management</para>
+        </listitem>
+        <listitem>
+          <para>UDP and TCP Support (MINA)</para>
+        </listitem>
+        <listitem>
+          <para>Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section
+      id="Changing Passwords with Windows 2003">
+      <title>Changing Passwords with Windows 2003</title>
+      <section
+        id="Configure the Windows 2003 workstation to use an Apache Change Password server">
+        <title>Configure the Windows 2003 workstation to use an Apache Change Password server</title>
+        <screen><![CDATA[
+C:> Ksetup /addkpasswd REALM.EXAMPLE.COM kdc.realm.example.com
+    ]]></screen>
+      </section>
+      <section
+        id="Change a password using Windows Security">
+        <title>Change a password using Windows Security</title>
+        <orderedlist>
+          <listitem>
+            <para>
+              After logging on, press CTRL+ALT+DEL.
+              <figure
+                id="Windows Security figure">
+                <title>Windows Security</title>
+                <mediaobject>
+                  <imageobject>
+                    <imagedata
+                      fileref="images/security.jpg" />
+                  </imageobject>
+                </mediaobject>
+              </figure>
+            </para>
+          </listitem>
+          <listitem>
+            <para>Click on the button labeled "Change Password ..."</para>
+          </listitem>
+          <listitem>
+            <para>
+              Enter the Old Password and New Password (twice) and click OK.
+              <figure
+                id="Windows Change Password figure">
+                <title>Windows Change Password</title>
+                <mediaobject>
+                  <imageobject>
+                    <imagedata
+                      fileref="images/changepw.jpg" />
+                  </imageobject>
+                </mediaobject>
+              </figure>
+            </para>
+          </listitem>
+        </orderedlist>
+      </section>
+      <section

[... 856 lines stripped ...]


Mime
View raw message