directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r850729 - in /websites/staging/directory/trunk/content: ./ apacheds/ apacheds/kerberos-ug/ apacheds/kerberos-ug/images/
Date Fri, 15 Feb 2013 18:05:57 GMT
Author: buildbot
Date: Fri Feb 15 18:05:56 2013
New Revision: 850729

Log:
Staging update by buildbot for directory

Added:
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.graphml
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.png
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authentication.png
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/connection.png  
(with props)
Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
    websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Feb 15 18:05:56 2013
@@ -1 +1 @@
-1446490
+1446711

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
Fri Feb 15 18:05:56 2013
@@ -137,7 +137,143 @@
     </div>
 
 
-<h1 id="41-authenticate-with-kinit-on-linux">4.1 - Authenticate with kinit on Linux</h1>
+<h1 id="41-authenticate-with-studio">4.1 - Authenticate with Studio</h1>
+<p>We will explain how to use the kerberos server to authentify users on a LDAP server.
Let's first define the way we will store data in the LDAP server</p>
+<h2 id="servers-configuration">Servers configuration</h2>
+<p>We first have to configure the <strong>LDAP</strong> and <strong>Kerberos</strong>
server, in order to be able to use the kerberos server to authenticate on the ldap server.</p>
+<p>If you have installed the <strong>ApacheDS</strong> package, the simplest
way is to start the server, and to connect on it using Studio, using the <em>uid=admin,ou=system</em>
user with <em>secret</em> as a password (this password will have to be changed
later !).</p>
+<p><DIV align="center">
+<img alt="connection" src="images/connection.png" />
+</DIV></p>
+<p>and :</p>
+<p><DIV align="center">
+<img alt="authentication" src="images/authentication.png" />
+</DIV></p>
+<h2 id="ldap-hierarchy">LDAP Hierarchy</h2>
+<p>We will distinguish between <strong>users</strong> and <strong>services</strong>
:
+<em> Users are human beings, or applications that can log on a service
+</em> Services are applications on which a user can log in</p>
+<p>In our case, the ldap server and the <strong>TGS</strong> are services.</p>
+<p>Each user and each service will be declared using an <em>entry</em>
in the ldap server.</p>
+<p>We will store those entries in a part of the <strong>DIT</strong> where
the kerberos server and the ldap server will be able to find them. Assuming we have created
our own partition named <strong>dc=example,dc=com</strong>, we will define this
hierarchy starting from there :</p>
+<p><DIV align="center">
+<img alt="Authentification hierarchy" src="images/authent-hierarchy.png" />
+</DIV></p>
+<p>This can be injected in the LDAP server using this LDIF :</p>
+<div class="codehilite"><pre>dn: dc=security,dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: security
+
+dn: ou=services,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: services
+
+dn: ou=users,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+</pre></div>
+
+
+<h2 id="users-and-service-declaration">Users and Service declaration</h2>
+<p>Now that we have built our container for users and services, we have to declare
the users and services so that they can be used through <strong>kerberos</strong>.</p>
+<h3 id="users">Users</h3>
+<p>Each user must have the <strong>krb5KDCEntry</strong> objectclass, and
the <strong>userPassword</strong> attributeType (which is present in one of the
following objectclasses : <em>dmd</em>, <em>domain</em>, <em>organization</em>,
<em>organizationalUnit</em>, <em>person</em>, <em>posixAccount</em>,
<em>posixGroup</em> and <em>shadowAccount</em>, or one of their inheriting
objectclass. You can also add it to your own objectclass).</p>
+<p>Our users will be <em>organizationalPerson</em>, which inherits from
<em>person</em>.</p>
+<p>For our sample test, here is a person we will inject in th eLDAP server :</p>
+<div class="codehilite"><pre>dn: uid=hnelson,ou=users,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: krb5KDCEntry
+objectClass: inetOrgPerson
+objectClass: krb5Principal
+objectClass: person
+objectClass: organizationalPerson
+cn: Horatio Nelson
+krb5KeyVersionNumber: 1
+krb5PrincipalName: hnelson@EXAMPLE.COM
+sn: Nelson
+uid: hnelson
+userPassword: secret
+</pre></div>
+
+
+<p>This user does not have a password yet.</p>
+<p><DIV class="info" markdown="1">
+The import thing is the <em>krb5PrincipalName</em>, which is the one that will
be used to bind the user. It has a user login (<strong>hnelson</strong>) and a
realm (<strong>EXAMPLE.COM</strong>).
+</DIV></p>
+<p>Once the user has been injected, we can see that the server has created some krb5Key
attributes :</p>
+<div class="codehilite"><pre>
+</pre></div>
+
+
+<p>dn: uid=hnelson,ou=users,dc=security,dc=example,dc=com
+    objectClass: top
+    objectClass: krb5KDCEntry
+    objectClass: inetOrgPerson
+    objectClass: krb5Principal
+    objectClass: person
+    objectClass: organizationalPerson
+    cn: Horatio Nelson
+    krb5KeyVersionNumber: 0
+    krb5PrincipalName: hnelson@EXAMPLE.COM
+    sn: Nelson
+    krb5Key:: MBGgAwIBA6EKBAj0pxNkimHOWw==
+    krb5Key:: MBmgAwIBEaESBBCtIUs4tp38yqzxXzRtQXuQ
+    krb5Key:: MCGgAwIBEKEaBBhXB84pUpIsHIy/Q8I9j4xenoz3XT5KXiU=
+    krb5Key:: MBmgAwIBF6ESBBCHjYAUYGzaKWd6RO+hNT/H
+    uid: hnelson
+    userPassword:: e1NTSEF9VnhjYUl4U3JxUnAraWh1dXo2NEhzN1EwbXE0ZHBBQTNsUHJXMGc9P
+     Q== </p>
+<p>Those keys have been computed automatically by the Kerberos server. Every time you
will change the password, the keys will be updated.</p>
+<p>We can add as many users as we want, but keep in mind that the login name should
be the first part of the <strong>krb5PrincipalName</strong> attributeType.</p>
+<h3 id="services">Services</h3>
+<p>We now have to declare some services : the <strong>krbtgt</strong> service,
which delivers tickets, and the <strong>ldap</strong> service.</p>
+<p>A user (or a service) which will try to authenticate on the LDAP server will first
get a ticket from the <strong>krbtgt</strong> service, then will access the <strong>ldap</strong>
service with the provided ticket.</p>
+<h4 id="krbtgt-service">krbtgt service</h4>
+<p>It's pretty much the same operation than for the user : create the entry, define
a <em>krb5PrincipalName</em>, create a <em>userPassword</em> and inject
the entry into the LDAP server. </p>
+<p>Here is the associated LDIF file :</p>
+<div class="codehilite"><pre>dn: uid=ldap,ou=services,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: krb5KDCEntry
+objectClass: person
+objectClass: krb5Principal
+objectClass: organizationalPerson
+cn: LDAP
+krb5KeyVersionNumber: 0
+krb5PrincipalName: ldap/localhost@EXAMPLE.COM
+sn: Service
+uid: ldap
+userPassword: randomKey
+
+dn: uid=krbtgt,ou=services,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: krb5KDCEntry
+objectClass: person
+objectClass: krb5Principal
+objectClass: organizationalPerson
+cn: KDC Service
+krb5KeyVersionNumber: 0
+krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
+sn: Service
+uid: krbtgt
+userPassword:: randomkey
+</pre></div>
+
+
+<p><DIV class="info" markdown="1">
+Three important things :</p>
+<div class="codehilite"><pre><span class="o">*</span> <span class="n">the</span>
<span class="n">userPassword</span> <span class="n">is</span> <span
class="s">&#39;randomkey&#39;</span><span class="o">.</span>
<span class="n">The</span> <span class="n">key</span> <span class="n">won</span><span
class="s">&#39;t be generated based on a know password, they will use a random key.</span>
+<span class="s">* the _krb5PrincipalName_ has one more information, after the &#39;</span><span
class="o">/</span><span class="err">&#39;</span> <span class="n">character</span>
<span class="p">:</span> <span class="n">_EXAMPLE</span><span class="o">.</span><span
class="n">COM_</span> <span class="k">for</span> <span class="n">the</span>
<span class="o">**</span><span class="n">krbtgt</span><span class="o">**</span>
<span class="n">service</span><span class="p">,</span> <span class="ow">and</span>
<span class="o">**</span><span class="n">localhost</span><span
class="o">**</span> <span class="k">for</span> <span class="n">the</span>
<span class="o">**</span><span class="n">ldap</span><span class="o">**</span>
<span class="n">service</span><span class="o">.</span>
+</pre></div>
+
+
+<p></DIV></p>
+<p>Again, once those entries have been injected in the LDAP server, the krb5Key attributeTypes
will be created</p>
+<h2></h2>
 
 
     <div class="nav">

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.graphml
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.graphml
------------------------------------------------------------------------------
    svn:mime-type = application/xml

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authentication.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authentication.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/connection.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/connection.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html Fri Feb 15
18:05:56 2013
@@ -162,8 +162,13 @@
 <li><a href="kerberos-ug/3.6-backup-restore.html">3.6 - Backup/Restore</a></li>
 </ul>
 </li>
-<li><a href="kerberos-ug/4-interoperability.html">4 - Interoperability</a></li>
-<li><a href="kerberos-ug/5-glossary.html">5 - Glossary</a></li>
+<li><a href="kerberos-ug/4-using-kerberos.html">4 - Using Kerberos</a><ul>
+<li><a href="kerberos-ug/4.1-authenticate-kinit.html">4.1 - Authenticate with
kinit</a></li>
+<li><a href="kerberos-ug/4.2-authenticate-studio.html">4.2 - Authenticate with
Studio</a></li>
+</ul>
+</li>
+<li><a href="kerberos-ug/5-interoperability.html">5 - Interoperability</a></li>
+<li><a href="kerberos-ug/6-glossary.html">6 - Glossary</a></li>
 </ul>
 
 



Mime
View raw message