directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r850090 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/1.1-introduction.html apacheds/kerberos-ug/1.1.5-database.html
Date Sun, 10 Feb 2013 03:11:40 GMT
Author: buildbot
Date: Sun Feb 10 03:11:39 2013
New Revision: 850090

Log:
Staging update by buildbot for directory

Added:
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html
Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sun Feb 10 03:11:39 2013
@@ -1 +1 @@
-1444345
+1444475

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html Sun
Feb 10 03:11:39 2013
@@ -153,6 +153,14 @@
 <p>We also have a complete configuration GUI in Studio, which allows administrators
to tweak their server in a convenient way.</p>
 <p>The Kerberos provider for Apache Directory implements RFC 1510 and RFC 4120 , the
Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities
of principals (users or services) on an unprotected network. While generally thought of as
a single-sign-on technology, Kerberos' true strength is in authenticating users without ever
sending their password over the network. Kerberos is designed for use on open (untrusted)
networks and, therefore, operates under the assumption that packets traveling along the network
can be read, modified, and inserted at will. This chart provides a good description of the
protocol workflow.</p>
 <p>Kerberos is named for the three-headed dog that guards the gates to Hades. The three
heads are the client, the Kerberos server, and the network service being accessed.</p>
+<h2 id="what-is-it-all-about">What is it all about ?</h2>
+<p>The isea is to have a server being able to deliver a user some tickets that can
be used by services. Those tickets are trusted for a certain period of time. The most important
point is that the service does not have to ask any server to validate those tickets : they
are trusted because they have been generated by a trusted server.</p>
+<p>This is a two rounds process :
+1 - The client request a Ticket to the Kerberos server
+2 - The client submit the ticket to the requested service</p>
+<p>The the client is authenticated.</p>
+<p>In any case, there is no way to fake an identity or to forge a ticket that can be
used, nor one can reuse a Ticket that has already been used.</p>
+<h2 id="apache-kerberos-server">Apache Kerberos Server</h2>
 <p>The Apache Directory Kerberos provider is implemented as a protocol-provider plugin.
As a plugin, the Kerberos provider leverages <strong>Apache MINA</strong> for
front-end services and the <strong>Apache Directory</strong> read-optimized backing
store for persistent directory services.</p>
 <p>The Kerberos server for Apache Directory, in conjunction with MINA and the Apache
Directory store, provides an easy-to-use yet fully-featured network authentication service.
As implemented within the Apache Directory, the Kerberos provder will provide:</p>
 <ul>
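Review bot: the new "What is it all about ?" section overstates the guarantee Kerberos gives and carries several typos that should be fixed before the staging copy is published. The sentence "there is no way to fake an identity or to forge a ticket that can be used, nor one can reuse a Ticket that has already been used" is not what the protocol provides: a ticket cannot be forged only as long as the service's key stays secret and the KDC is trusted, a ticket is legitimately reused by the client for its whole lifetime, and what must not be reused is the authenticator that accompanies it, which the service can only detect by keeping a replay cache within the allowed clock skew. Suggested wording: "As long as the service key is kept secret, a ticket cannot be forged; each request also carries a fresh authenticator, so the service can reject a replayed one." Typos in the same hunk: "The isea is" should be "The idea is"; "This is a two rounds process :" / "The client request a Ticket" / "The client submit the ticket" should read "a two-round process", "requests", "submits"; "The the client is authenticated." should be "Then the client is authenticated."; and in the unchanged context just below, "the Kerberos provder will provide" misspells "provider". The two numbered steps are plain lines inside one `<p>`, so they will render as a single run-on paragraph; an `<ol>` (or a blank line before the list in the Markdown source) would fix that.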

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html (added)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html Sun
Feb 10 03:11:39 2013
@@ -0,0 +1,263 @@
+<!DOCTYPE html>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+	<head>
+		<title>1.1.5 - Database &mdash; Apache Directory</title>
+		
+        <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+    	<link href="./../../css/green.css" rel="stylesheet" type="text/css">
+    
+        
+        <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+    
+        <!-- Google Analytics -->
+        <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+        <script type="text/javascript">
+            _uacct = "UA-1358462-1";
+            urchinTracker();
+        </script>
+	</head>
+	<body>
+	    <div id="container">
+            <div id="header">
+                <div id="subProjectsNavBar">
+                    <a href="./../../">
+                        
+                        Apache Directory Project
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../apacheds">
+                        
+                        <STRONG>ApacheDS</STRONG>
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../studio">
+                        
+                        Apache Directory Studio
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../api">
+                        
+                        Apache LDAP API
+                        
+                    </a>
+                </div><!-- subProjectsNavBar -->
+            </div><!-- header -->
+            <div id="content">
+                <div id="leftColumn">
+                    
+<div id="navigation">
+    
+    <h5>ApacheDS 2.0</h5>
+    <ul>
+        <li><a href="./../../apacheds/">Home</a></li>
+        <li><a href="./../../apacheds/features.html">Features</a></li>
+    </ul>
+    <h5>Downloads</h5>
+    <ul>
+        <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M10</a>&nbsp;&nbsp;<img
src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+        <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+    </ul>
+    <h5>Documentation</h5>
+    <ul>
+        <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide
</a></li>
+        <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User
Guide</a></li>
+        <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+        <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User
Guide</a></li>
+        <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+            <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports
(e.g. JavaDocs)</a></li-->
+    </ul>
+    
+    
+    <h5>Support</h5>
+    <ul>
+        <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists &amp;
IRC</a></li>
+        <li><a href="./../../sources.html">Sources</a></li>
+        <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+        <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+    </ul>
+    <h5>Community</h5>
+    <ul>
+        <li><a href="./../../contribute.html">How to Contribute</a></li>
+        <li><a href="./../../team.html">Team</a></li>
+        <li><a href="./../../original-project-proposal.html">Original Project
Proposal</a></li>
+        <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special
Thanks</a></li>
+    </ul>
+    <h5>About Apache</h5>
+    <ul>
+        <li><a href="http://www.apache.org/">Apache</a></li>
+        <li><a href="http://www.apache.org/licenses/">License</a></li>
+        <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+        <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+        <li><a href="http://www.apache.org/security/">Security</a></li>
+    </ul>
+    <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png"
width="168" height="140"></a>
+    
+</div><!-- navigation -->
+
+                </div><!-- leftColumn -->
+                <div id="rightColumn">
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.4-kdc.html">1.1.4 - KDC (Key Distribution Center)</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.6-as.html">1.1.6 - AS (Authentication Server)</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+<h1 id="115-database">1.1.5 - Database</h1>
+<p>This is the place where all the private keys are stored. This is pretty natural
to store all those keys in a LDAP server, even more natural when the <strong>Kerberos</strong>
server is built as a part of an existing LDAP server, as for *<em>Apache Directory Server</em>
!</p>
+<p>When <strong>Apache Directory Server</strong> was started, it was also
thought as a repository for <strong>Kerberos</strong> keys, so we just had to
develop the logic to manage those keys, and the Kerberos protocol. </p>
+<p>In other words, you have everything embedded in a single server :
+<em> The LDAP server to store the keys and other related informations
+</em> The Kerberos protocol
+<em> The Authentication Server
+</em> The Ticket Granting Server</p>
+<h2 id="structure">Structure</h2>
+<p>There is an existing <strong>LDAP</strong> schema to manage the keys
and other informations, named <strong>krb5kdc</strong>. It contains 3 ObjectClasses
and 15 AttributeTypes.</p>
+<p>All the ObjectClasses are auxilliary.</p>
+<h3 id="krb5principal">krb5Principal</h3>
+<p>This ObjectClass is used to store a Principal. It contains one mandatory AttributeType,
<em>krb5PrincipalName</em>, and two optionnal (<em>cn</em> and <em>krb5PrincipalRealm</em>)</p>
+<h3 id="krb5realm">krb5Realm</h3>
+<p>This ObjectClass describes a Kerberos Realm. It just contains the Realm's name (<em>krb5RealName</em>
AttributeType).</p>
+<h2 id="krb5kdcentry">krb5kdcEntry</h2>
+<p>This ObjectClass is used to store all the information needed to manage a Kerberos
user or service. It has one mandatory AttributeType, <em>krb5KeyVersioNumber</em>,
which is set to 0 for newly crated users or services, and incremented after each modification
done on the password (which leads to the generation of new keys).</p>
+<p>Here is a list of optional AttributeTypes the entry can have :</p>
+<table>
+<thead>
+<tr>
+<th>AttributeType</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>krb5ValidStart</td>
+<td>The date at which the keys are valid</td>
+</tr>
+<tr>
+<td>krb5ValidEnd</td>
+<td>The date at which the keys aren't valid any more</td>
+</tr>
+<tr>
+<td>krb5PasswordEnd</td>
+<td>The end of password validity</td>
+</tr>
+<tr>
+<td>krb5MaxLife</td>
+<td>The maximum duration</td>
+</tr>
+<tr>
+<td>krb5MaxRenew</td>
+<td>Th maximum number of renew</td>
+</tr>
+<tr>
+<td>krb5KDCFlags</td>
+<td>The KDC flags</td>
+</tr>
+<tr>
+<td>krb5EncryptionType</td>
+<td>The EncryptionTypes</td>
+</tr>
+<tr>
+<td>krb5Key</td>
+<td>The generated keys</td>
+</tr>
+<tr>
+<td>krb5AccountDisabled</td>
+<td>The account has been disabled</td>
+</tr>
+<tr>
+<td>krb5AccountLockedOut</td>
+<td>The account has been locked out</td>
+</tr>
+<tr>
+<td>krb5AccountExpirationTime</td>
+<td>The account expiration time</td>
+</tr>
+</tbody>
+</table>
+<h2 id="sample">Sample</h2>
+<p>Here is a sample entry, which has the <em>Krb5KdcEntry</em> and  <em>Krb5Principal</em>
ObjectClasses set :</p>
+<div class="codehilite"><pre>dn: uid=hnelson,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: krb5principal
+objectClass: krb5kdcentry
+objectClass: top
+uid: hnelson
+userPassword: secret
+krb5PrincipalName: hnelson@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+cn: Horatio Nelson
+sn: Nelson
+krb5Key: &#39;0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x3D 0x33 0x31 0x8F
0xBE ...&#39;
+krb5Key: &#39;0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29
0x52 ...&#39;
+krb5Key: &#39;0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14
0x60 ...&#39;
+krb5Key: &#39;0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64
0x8A ...&#39;
+krb5Key: &#39;0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38
0xB6 ...&#39;
+</pre></div>
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.4-kdc.html">1.1.4 - KDC (Key Distribution Center)</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.6-as.html">1.1.6 - AS (Authentication Server)</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+                </div><!-- rightColumn -->
+                <div id="endContent"></div>
+            </div><!-- content -->
+            <div id="footer">&copy; 2003-2012, <a href="http://www.apache.org">The
Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy
Policy</a><br />
+                Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio,
Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache
Directory project logos are trademarks of The Apache Software Foundation.
+            </div>
+        </div><!-- container -->
+    </body>
+</html>
\ No newline at end of file
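Review bot: the attribute names in the new Database page disagree with each other and with the krb5-kdc schema the page says it uses. Under krb5Realm, `krb5RealName` should be `krb5RealmName`, and under krb5kdcEntry the mandatory attribute `krb5KeyVersioNumber` should be `krb5KeyVersionNumber`, which is the spelling the sample entry itself uses (`krb5KeyVersionNumber: 0`). Two Markdown bullet lists were parsed as emphasis: the four lines `<em> The LDAP server ... </em> The Kerberos protocol ... <em> The Authentication Server </em> The Ticket Granting Server` were meant to be a `<ul>`, and the stray `*` in `as for *<em>Apache Directory Server</em>` is the same problem; a blank line before the list or escaped asterisks in the source fixes both. `<h2 id="krb5kdcentry">` breaks the heading hierarchy, since krb5Principal and krb5Realm are `<h3>` under the Structure `<h2>` and this is the third ObjectClass of that section, so it should be `<h3>` too. The attribute table needs more precise descriptions: krb5ValidStart and krb5ValidEnd bound when the principal may be used, not when "the keys are valid"; `krb5MaxLife` "The maximum duration" should say it is the maximum ticket lifetime; and `krb5MaxRenew` "Th maximum number of renew" is a renewable-lifetime duration in the schema, not a count, so "The maximum renewable lifetime". Spelling: "auxilliary", "optionnal", "crated", "informations". Finally, the sample entry ships `userPassword: secret` in clear alongside krb5Key values derived from that password; since readers copy such entries into LDIF, a labelled placeholder (e.g. `userPassword: <change-me>`) with a sentence saying the keys are regenerated when the password is set would avoid teaching a weak default.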