directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r851148 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/ apacheds/kerberos-ug/images/
Date Tue, 19 Feb 2013 13:42:11 GMT
Author: buildbot
Date: Tue Feb 19 13:42:11 2013
New Revision: 851148

Log:
Staging update by buildbot for directory

Added:
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/admin-authentication.png
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/admin-connection.png
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-connection.png
  (with props)
Removed:
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authentication.png
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/connection.png
Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-authent.png
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-config.png
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/network-parameters.png

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Feb 19 13:42:11 2013
@@ -1 +1 @@
-1447269
+1447718

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
Tue Feb 19 13:42:11 2013
@@ -139,15 +139,18 @@
 
 <h1 id="41-authenticate-with-studio">4.1 - Authenticate with Studio</h1>
 <p>We will explain how to use the kerberos server to authentify users on a LDAP server.
Let's first define the way we will store data in the LDAP server</p>
+<p><DIV class="info" markdown="1">
+We will suppose that the <strong>Kerberos</strong> server is installed on a server
which <em>hostName</em> is <strong>example.net</strong> and the <em>realm</em>
is <strong>EXAMPLE.COM</strong> in the following paragraphes.
+</DIV></p>
 <h2 id="servers-configuration">Servers configuration</h2>
 <p>We first have to configure the <strong>LDAP</strong> and <strong>Kerberos</strong>
server, in order to be able to use the kerberos server to authenticate on the ldap server.</p>
 <p>If you have installed the <strong>ApacheDS</strong> package, the simplest
way is to start the server, and to connect on it using Studio, using the <em>uid=admin,ou=system</em>
user with <em>secret</em> as a password (this password will have to be changed
later !).</p>
 <p><DIV align="center">
-<img alt="connection" src="images/connection.png" />
+<img alt="Admin Connection" src="images/admin-connection.png" />
 </DIV></p>
 <p>and :</p>
 <p><DIV align="center">
-<img alt="authentication" src="images/authentication.png" />
+<img alt="Admin Authentication" src="images/admin-authentication.png" />
 </DIV></p>
 <p>Once connected, right click on the connection :</p>
 <p><DIV align="center">
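Review bot: the new info box is wrapped in `<p>...</p>` around a block-level `<DIV class="info" markdown="1">`, which is invalid HTML (a div cannot be a child of a paragraph); put the DIV on its own lines in the markdown source so it is not paragraph-wrapped. In the same box, 'paragraphes' should be 'paragraphs', and the context line just above it uses 'authentify' where 'authenticate' is meant. The box also introduces a hostname (example.net) whose DNS domain differs from both the realm (EXAMPLE.COM) and the base DN used later (dc=security,dc=example,dc=com); a realm does not have to match the DNS domain, but one sentence saying so would stop readers from reading it as a typo. Two smaller points on the context lines: the heading reads '4.1 - Authenticate with Studio' while the file is 4.2-authenticate-studio.html, so one of the numbers is stale; and since the page has readers bind as uid=admin,ou=system with the well-known default password 'secret', the parenthetical 'will have to be changed later' should say to change it before the server is reachable from any other host.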
@@ -159,12 +162,15 @@
 </DIV></p>
 <h3 id="ldap-server-configuration">LDAP Server configuration</h3>
 <p>There are a few parameters that are to be set in the <strong>LDAP</strong>
configuration :</p>
-<div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">_SASL</span> <span class="n">host_</span> <span
class="n">must</span> <span class="n">be</span> <span class="n">the</span>
<span class="nb">local</span> <span class="n">server</span> <span
class="n">name</span> <span class="p">(</span><span class="n">here</span><span
class="p">,</span> <span class="n">EXAMPLE</span><span class="o">.</span><span
class="n">COM</span><span class="p">)</span>
-<span class="o">*</span> <span class="n">The</span> <span class="n">_SASL</span>
<span class="n">principal_</span> <span class="n">is</span> <span
class="o">**</span><span class="n">ldap</span><span class="o">/</span><span
class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span
class="nv">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span
class="o">**</span>
+<div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">_SASL</span> <span class="n">host_</span> <span
class="n">must</span> <span class="n">be</span> <span class="n">the</span>
<span class="nb">local</span> <span class="n">server</span> <span
class="n">name</span> <span class="p">(</span><span class="n">here</span><span
class="p">,</span> <span class="n">example</span><span class="o">.</span><span
class="n">net</span><span class="p">)</span>
+<span class="o">*</span> <span class="n">The</span> <span class="n">_SASL</span>
<span class="n">principal_</span> <span class="n">is</span> <span
class="o">**</span><span class="n">ldap</span><span class="o">/</span><span
class="n">example</span><span class="o">.</span><span class="n">net</span><span
class="nv">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span
class="o">**</span>
 <span class="o">*</span> <span class="n">The</span> <span class="n">_Search</span>
<span class="n">Base</span> <span class="n">DN_</span> <span class="n">should</span>
<span class="n">point</span> <span class="n">to</span> <span class="n">the</span>
<span class="n">place</span> <span class="n">under</span> <span
class="n">which</span> <span class="n">we</span> <span class="n">store</span>
<span class="n">users</span> <span class="ow">and</span> <span
class="n">services</span> <span class="p">(</span><span class="n">_dc</span><span
class="o">=</span><span class="n">security</span><span class="p">,</span><span
class="n">dc</span><span class="o">=</span><span class="n">example</span><span
class="p">,</span><span class="n">dc</span><span class="o">=</span><span
class="n">com_</span><span class="p">)</span>
 </pre></div>
 
 
+<p><DIV class="warning" markdown="1">
+The <em>SASL principal</em> instance part (ie, <strong>example.net</strong>)
is in lower case, as the hostname is not case sensitive. Sadly, the <em>KrbPrincipalName</em>
attributeType is case sensitive, so if the left part is not lowercased, the server won't be
able to retrieve the information from the LDAP server.
+</DIV></p>
 <p>Here is a snapshot of this configuration :</p>
 <p><DIV align="center">
 <img alt="LDAP configuration" src="images/ldap-config.png" />
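Review bot: the new warning names the attribute `KrbPrincipalName`, but the LDIF later on this page calls it `krb5PrincipalName`; use one spelling so readers can grep for it. 'if the left part is not lowercased' is also ambiguous: the part that must be lowercase is the instance (the text between '/' and '@', here example.net), not the primary 'ldap' on the left of the slash. Separately, the bullet list this hunk edits is rendered as a `codehilite` `<pre>` block with raw markdown leaking through (`_SASL host_`, `**ldap/example.net@EXAMPLE.COM**`, `_dc=security,dc=example,dc=com_`); the list is indented in the markdown source and is being treated as code, so de-indent it to get a real `<ul>`. It would also help to state that the SASL host value and the instance part of the SASL principal are the same string (both example.net here), since the text currently presents them as two unrelated settings.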
@@ -182,10 +188,10 @@
 </DIV></p>
 <p>Once those modifications have been done, you must restart the server.</p>
 <h3 id="other-configuration">Other configuration</h3>
-<p>There is one more thing that you need to configure : your domain name (here, <em>EXAMPLE.COM</em>)
has to be reachable on your machine. Either you define in on a <strong>DNS</strong>
server, or you can also add it in your <em>/etc/hosts</em> file.</p>
+<p>There is one more thing that you need to configure : your domain name (here, example.net_)
has to be reachable on your machine. Either you define in on a <strong>DNS</strong>
server, or you can also add it in your <em>/etc/hosts</em> file.</p>
 <p>Here is a way to add it on a local host :</p>
 <div class="codehilite"><pre><span class="o">...</span>
-<span class="mf">127.0.0.1</span> <span class="n">localhost</span>
<span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
+<span class="mf">127.0.0.1</span> <span class="n">localhost</span>
<span class="n">example</span><span class="o">.</span><span class="n">net</span>
 <span class="o">...</span>
 </pre></div>
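Review bot: the replacement text has a stray trailing underscore, 'example.net_', where the old line used `<em>EXAMPLE.COM</em>`; the opening `_` was lost, so markdown emphasis does not apply and the underscore renders literally. Use `<em>example.net</em>`. In the same sentence, 'define in on a DNS server' should be 'define it on a DNS server', and 'your domain name' is now misleading because example.net is used on this page as the hostname of the Kerberos and LDAP server, not as a domain; say 'the server's hostname'. The /etc/hosts example maps example.net to 127.0.0.1, which only works for Studio running on the same machine as the server; a short caveat that other clients need a real DNS record, or their own hosts entry, pointing at the server's address would save readers a confusing failure.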
 
@@ -226,7 +232,7 @@ ou: users
 <h3 id="users">Users</h3>
 <p>Each user must have the <strong>krb5KDCEntry</strong> objectclass, and
the <strong>userPassword</strong> attributeType (which is present in one of the
following objectclasses : <em>dmd</em>, <em>domain</em>, <em>organization</em>,
<em>organizationalUnit</em>, <em>person</em>, <em>posixAccount</em>,
<em>posixGroup</em> and <em>shadowAccount</em>, or one of their inheriting
objectclass. You can also add it to your own objectclass).</p>
 <p>Our users will be <em>organizationalPerson</em>, which inherits from
<em>person</em>.</p>
-<p>For our sample test, here is a person we will inject in th eLDAP server :</p>
+<p>For our sample test, here is a person we will inject in the LDAP server :</p>
 <div class="codehilite"><pre>dn: uid=hnelson,ou=users,dc=security,dc=example,dc=com
 objectClass: top
 objectClass: krb5KDCEntry
@@ -284,7 +290,7 @@ objectClass: krb5KDCEntry
 objectClass: uidObject
 objectClass: krb5Principal
 krb5KeyVersionNumber: 0
-krb5PrincipalName: ldap/localhost@EXAMPLE.COM
+krb5PrincipalName: ldap/example.net@EXAMPLE.COM
 uid: ldap
 userPassword: randomKey
 ou: TGT
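Review bot: `userPassword: randomKey` in this LDIF is spelled with a capital K, while the explanatory note further down says the value is 'randomkey' in lower case. If the server matches this marker value literally, only one spelling will trigger random key generation, so the LDIF and the note must agree; please verify which spelling ApacheDS expects and use it in both places. The principal change itself is consistent: `ldap/example.net@EXAMPLE.COM` now matches the SASL principal configured in the LDAP server section above, and the instance is lowercase as that section's warning requires. A comment in the LDIF that this string must be byte-identical to the server's SASL principal would make the dependency explicit.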
@@ -305,14 +311,13 @@ ou: LDAP
 
 <p><DIV class="info" markdown="1">
 Three important things :</p>
-<div class="codehilite"><pre><span class="o">-</span> <span class="n">the</span>
<span class="n">userPassword</span> <span class="n">is</span> <span
class="s">&#39;randomkey&#39;</span><span class="o">.</span>
<span class="n">The</span> <span class="n">key</span> <span class="n">won</span><span
class="err">&#39;</span><span class="n">t</span> <span class="n">be</span>
<span class="n">generated</span> <span class="n">based</span> <span
class="n">on</span> <span class="n">a</span> <span class="n">know</span>
<span class="n">password</span><span class="p">,</span> <span class="n">they</span>
<span class="n">will</span> <span class="k">use</span> <span class="n">a</span>
<span class="n">random</span> <span class="n">key</span><span class="o">.</span>
-<span class="o">-</span> <span class="n">the</span> <span class="n">_krb5PrincipalName_</span>
<span class="n">has</span> <span class="n">one</span> <span class="n">more</span>
<span class="n">information</span><span class="p">,</span> <span
class="n">after</span> <span class="n">the</span> <span class="o">/</span>
<span class="n">character</span> <span class="p">:</span> <span
class="n">_EXAMPLE</span><span class="o">.</span><span class="n">COM_</span>
<span class="k">for</span> 
-<span class="n">the</span> <span class="o">**</span><span class="n">krbtgt</span><span
class="o">**</span> <span class="n">service</span><span class="p">,</span>
<span class="ow">and</span> <span class="o">**</span><span class="n">localhost</span><span
class="o">**</span> <span class="k">for</span> <span class="n">the</span>
<span class="o">**</span><span class="n">ldap</span><span class="o">**</span>
<span class="n">service</span><span class="o">.</span>
-<span class="o">-</span> <span class="n">the</span> <span class="n">krb5KeyVersionNumber</span>
<span class="n">is</span> <span class="mi">0</span>
-</pre></div>
-
-
-<p></DIV></p>
+<ul>
+<li>the userPassword is 'randomkey'. The key will not be generated based on a know
password, they will use a random key.</li>
+<li>the <em>krb5PrincipalName</em> has one more information, after the
/ character : <em>EXAMPLE.COM</em> for 
+    the <strong>krbtgt</strong> service, and <strong>example.net</strong>
for the <strong>ldap</strong> service. For the <strong>krbtgt</strong>
principal, the instance is always the realm name. For the <strong>ldap</strong>
principal, the instance is the hostname, in lowercase.</li>
+<li>the krb5KeyVersionNumber is 0
+</DIV></li>
+</ul>
 <p>Again, once those entries have been injected in the LDAP server, the <em>krb5Key</em>
attributeTypes will be created</p>
 <h2 id="login-using-studio">Login using Studio</h2>
 <p>Now that the server is set, and the services and users are stored into it, we can
create a new connection using the Kerberos authentication for the created users.</p>
@@ -323,7 +328,7 @@ Three important things :</p>
 </DIV></p>
 <p>You will now have to set the network parameters, as in the following popup. Typically,
set :</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">connection</span> <span class="n">name</span> <span
class="p">(</span><span class="n">here</span><span class="p">,</span>
<span class="o">**</span><span class="n">Kerberos</span> <span
class="n">User</span><span class="o">**</span><span class="p">)</span>
-<span class="o">*</span> <span class="n">The</span> <span class="n">LDAP</span>
<span class="n">server</span> <span class="n">host</span> <span
class="p">(</span><span class="o">**</span><span class="n">localhost</span><span
class="o">**</span><span class="p">)</span>
+<span class="o">*</span> <span class="n">The</span> <span class="n">LDAP</span>
<span class="n">server</span> <span class="n">host</span> <span
class="p">(</span><span class="o">**</span><span class="n">example</span><span
class="o">.</span><span class="n">net</span><span class="o">**</span><span
class="p">)</span>
 <span class="o">*</span> <span class="n">The</span> <span class="n">LDAP</span>
<span class="n">server</span> <span class="n">port</span> <span
class="p">(</span><span class="o">**</span><span class="mi">10389</span><span
class="o">**</span><span class="p">)</span>
 <span class="o">*</span> <span class="n">The</span> <span class="n">Provider</span>
<span class="p">(</span><span class="n">pick</span> <span class="o">**</span><span
class="n">Apache</span> <span class="n">Directory</span> <span class="n">LDAP</span>
<span class="n">Client</span> <span class="n">API</span><span class="o">**</span><span
class="p">)</span>
 </pre></div>
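Review bot: changing the LDAP server host from localhost to example.net is required rather than cosmetic: with Kerberos authentication the client asks the KDC for a ticket for ldap/<host it connects to>, so the host entered here has to match the instance of the service principal created above (`ldap/example.net@EXAMPLE.COM`). The prose should say this, otherwise readers who keep localhost get an unexplained failure. As in the server configuration section, this bullet list is rendered as a `<pre>` code block with `**Kerberos User**`, `**example.net**` and `**10389**` shown as literal asterisks; de-indent the list in the markdown source.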
@@ -344,7 +349,7 @@ Select the following parameters and valu
     <span class="o">*</span> <span class="n">Obtain</span> <span
class="n">TGT</span> <span class="n">from</span> <span class="n">KDC</span>
     <span class="o">*</span> <span class="n">Use</span> <span
class="n">following</span> <span class="n">configuration</span> <span
class="p">:</span>
         <span class="o">*</span> <span class="n">Kerberos</span>
<span class="n">Realm</span> <span class="p">:</span> <span class="o">**</span><span
class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span
class="o">**</span>
-        <span class="o">*</span> <span class="n">KDC</span> <span
class="n">Host</span> <span class="p">:</span> <span class="o">**</span><span
class="n">localhost</span><span class="o">**</span>
+        <span class="o">*</span> <span class="n">KDC</span> <span
class="n">Host</span> <span class="p">:</span> <span class="o">**</span><span
class="n">example</span><span class="o">.</span><span class="n">net</span><span
class="o">**</span>
         <span class="o">*</span> <span class="n">KDC</span> <span
class="n">port</span> <span class="p">:</span> <span class="o">**</span>
<span class="mi">60088</span><span class="o">**</span>
 </pre></div>
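Review bot: KDC Host example.net now agrees with the info box and the /etc/hosts entry, good. The KDC port bullet shows `** 60088**` with a space after the opening asterisks, so even once the list renders as markdown the bold will not apply; remove the space. 60088 is not the standard Kerberos port (88), so say explicitly that this value must match the port the Kerberos server is configured to listen on (images/kerberos-config.png is where readers will look for it), and that any other Kerberos client pointed at this realm needs the same non-default port in its own configuration.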
 
@@ -353,7 +358,7 @@ Select the following parameters and valu
 <p><DIV align="center">
 <img alt="Kerberos authentification" src="images/kerberos-authent.png" />
 </DIV></p>
-<p>Clinking in the 'Check Authentication' buton should be succesful.</p>
+<p>Clinking in the 'Check Authentication' buton should be succesfull.</p>
 
 
     <div class="nav">
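Review bot: this hunk replaces one misspelling with another: 'succesful' became 'succesfull', and the correct form is 'successful'. The rest of the sentence also needs fixing: 'Clinking in the 'Check Authentication' buton' should be 'Clicking the 'Check Authentication' button'. Suggested line: Clicking the 'Check Authentication' button should succeed.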

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/admin-authentication.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/admin-authentication.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/admin-connection.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/admin-connection.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-authent.png
==============================================================================
Binary files - no diff available.

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-config.png
==============================================================================
Binary files - no diff available.

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-connection.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-connection.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/network-parameters.png
==============================================================================
Binary files - no diff available.


