Subject: svn commit: r850090 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/1.1-introduction.html apacheds/kerberos-ug/1.1.5-database.html Date: Sun, 10 Feb 2013 03:11:40 -0000 To: commits@directory.apache.org
From: buildbot@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130210031140.39E802388AB9@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: buildbot Date: Sun Feb 10 03:11:39 2013 New Revision: 850090 Log: Staging update by buildbot for directory Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html Modified: websites/staging/directory/trunk/content/ (props changed) websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Sun Feb 10 03:11:39 2013 @@ -1 +1 @@ -1444345 +1444475 Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html (original) +++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html Sun Feb 10 03:11:39 2013 @@ -153,6 +153,14 @@

We also have a complete configuration GUI in Studio, which allows administrators to tweak their server in a convenient way.

The Kerberos provider for Apache Directory implements RFC 1510 and RFC 4120 , the Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos' true strength is in authenticating users without ever sending their password over the network. Kerberos is designed for use on open (untrusted) networks and, therefore, operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. This chart provides a good description of the protocol workflow.

Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server, and the network service being accessed.

+

What is it all about ?

+

The isea is to have a server being able to deliver a user some tickets that can be used by services. Those tickets are trusted for a certain period of time. The most important point is that the service does not have to ask any server to validate those tickets : they are trusted because they have been generated by a trusted server.

+

This is a two rounds process : +1 - The client request a Ticket to the Kerberos server +2 - The client submit the ticket to the requested service

+

The the client is authenticated.

+

In any case, there is no way to fake an identity or to forge a ticket that can be used, nor one can reuse a Ticket that has already been used.

+

Apache Kerberos Server

The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the Kerberos provider leverages Apache MINA for front-end services and the Apache Directory read-optimized backing store for persistent directory services.

The Kerberos server for Apache Directory, in conjunction with MINA and the Apache Directory store, provides an easy-to-use yet fully-featured network authentication service. As implemented within the Apache Directory, the Kerberos provder will provide:
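Review bot: the added paragraph "In any case, there is no way to fake an identity or to forge a ticket that can be used, nor one can reuse a Ticket that has already been used" overstates the guarantee: tickets stay unforgeable only while the KDC's and the services' long-term keys remain secret, and reuse of a ticket is caught by the authenticator timestamp and the service's replay detection within the permitted clock skew (RFC 4120, which this page cites), so the sentence should state those conditions instead of "In any case", and "nor one can reuse" should read "nor can one reuse". The two-step overview ("1 - The client request a Ticket to the Kerberos server / 2 - The client submit the ticket to the requested service") also leaves out the Ticket Granting Server round, which the new 1.1.5 page in this same commit lists as a separate component next to the Authentication Server; consider saying the client first obtains a ticket-granting ticket from the Authentication Server, then a service ticket from the Ticket Granting Server. Spelling and grammar in the same hunk: "isea" -> "idea", "two rounds process" -> "two-round process", "The client request" -> "The client requests", "The client submit" -> "The client submits", "The the client is authenticated" -> "Then the client is authenticated", and the two numbered steps are run together on one line rather than rendered as a list.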

    Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html (added) +++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html Sun Feb 10 03:11:39 2013 @@ -0,0 +1,263 @@ + + + + + 1.1.5 - Database — Apache Directory + + + + + + + + + + + + +
    + +
    +
    + + + +
    +
    + + + + + +

    1.1.5 - Database

    +

    This is the place where all the private keys are stored. This is pretty natural to store all those keys in a LDAP server, even more natural when the Kerberos server is built as a part of an existing LDAP server, as for *Apache Directory Server !

    +

    When Apache Directory Server was started, it was also thought as a repository for Kerberos keys, so we just had to develop the logic to manage those keys, and the Kerberos protocol.

    +

    In other words, you have everything embedded in a single server : + The LDAP server to store the keys and other related informations + The Kerberos protocol + The Authentication Server + The Ticket Granting Server

    +

    Structure

    +

    There is an existing LDAP schema to manage the keys and other informations, named krb5kdc. It contains 3 ObjectClasses and 15 AttributeTypes.

    +

    All the ObjectClasses are auxilliary.

    +

    krb5Principal

    +

    This ObjectClass is used to store a Principal. It contains one mandatory AttributeType, krb5PrincipalName, and two optionnal (cn and krb5PrincipalRealm)

    +

    krb5Realm

    +

    This ObjectClass describes a Kerberos Realm. It just contains the Realm's name (krb5RealName AttributeType).

    +

    krb5kdcEntry

    +

    This ObjectClass is used to store all the information needed to manage a Kerberos user or service. It has one mandatory AttributeType, krb5KeyVersioNumber, which is set to 0 for newly crated users or services, and incremented after each modification done on the password (which leads to the generation of new keys).

    +

    Here is a list of optional AttributeTypes the entry can have :

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    AttributeTypeDescription
    krb5ValidStartThe date at which the keys are valid
    krb5ValidEndThe date at which the keys aren't valid any more
    krb5PasswordEndThe end of password validity
    krb5MaxLifeThe maximum duration
    krb5MaxRenewTh maximum number of renew
    krb5KDCFlagsThe KDC flags
    krb5EncryptionTypeThe EncryptionTypes
    krb5KeyThe generated keys
    krb5AccountDisabledThe account has been disabled
    krb5AccountLockedOutThe account has been locked out
    krb5AccountExpirationTimeThe account expiration time
    +

    Sample

    +

    Here is a sample entry, which has the Krb5KdcEntry and Krb5Principal ObjectClasses set :

    +
    dn: uid=hnelson,ou=users,dc=example,dc=com
    +objectClass: inetOrgPerson
    +objectClass: organizationalPerson
    +objectClass: person
    +objectClass: krb5principal
    +objectClass: krb5kdcentry
    +objectClass: top
    +uid: hnelson
    +userPassword: secret
    +krb5PrincipalName: hnelson@EXAMPLE.COM
    +krb5KeyVersionNumber: 0
    +cn: Horatio Nelson
    +sn: Nelson
    +krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x3D 0x33 0x31 0x8F 0xBE ...'
    +krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29 0x52 ...'
    +krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
    +krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64 0x8A ...'
    +krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...'
    +
    + + + + + +
    +
    +
    + +
    + + \ No newline at end of file
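Review bot: the mandatory attribute of krb5kdcEntry is spelled "krb5KeyVersioNumber" in the paragraph but "krb5KeyVersionNumber" in the sample entry; the sample's spelling is the one to keep, and "krb5RealName" in the krb5Realm paragraph looks like the same kind of typo for krb5RealmName. The opening sentence calls the stored material "private keys", but Kerberos keys are symmetric secret keys shared between the principal and the KDC, which matters here because anyone who can read krb5Key can impersonate that principal; the page should say "secret keys" and add a sentence that read access to krb5Key (and to userPassword, which the sample shows in clear as "userPassword: secret") has to be restricted by the LDAP server's access controls. In the attribute table, "krb5MaxLife: The maximum duration" and "krb5MaxRenew: Th maximum number of renew" should say what they bound (the ticket lifetime and its renewable lifetime). Spelling: "auxilliary" -> "auxiliary", "optionnal" -> "optional", "crated" -> "created", "informations" -> "information", "Th" -> "The", "as for *Apache Directory Server !" has a stray asterisk, and the four-item "everything embedded in a single server" list is run together on one line instead of rendered as a list.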