directory-commits mailing list archives

Subject svn commit: r917277 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/1.1.4-kdc.html apacheds/kerberos-ug/1.1.6-as.html apacheds/kerberos-ug/1.1.8-tickets.html apacheds/kerberos-ug/4.2-authenticate-studio.html
Date Thu, 24 Jul 2014 07:20:19 GMT
Author: buildbot
Date: Thu Jul 24 07:20:19 2014
New Revision: 917277

Staging update by buildbot for directory

    websites/staging/directory/trunk/content/   (props changed)

Propchange: websites/staging/directory/trunk/content/
--- cms:source-revision (original)
+++ cms:source-revision Thu Jul 24 07:20:19 2014
@@ -1 +1 @@

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.4-kdc.html
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.4-kdc.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.4-kdc.html Thu Jul 24
07:20:19 2014
@@ -163,7 +163,7 @@ We could allow the **Kerberos Server** t
 <p>The <strong>KDC</strong> is associated with a <strong>Realm</strong>.</p>
 <p>The following schema expose the way the <strong>KDC</strong> works :</p>
 <DIV align="center">
-![KDC usage](images/kerberos-auth.png)
+  <img alt="KDC usage" src="images/kerberos-auth.png">
 <p>In order to use a service, the client needs to get a ticket for this service from
the <strong>KDC</strong>. This requires a two step process, where the client first
authenticates himself, and then get back a ticket to use with the targeted server.</p>
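Review bot: the `<DIV align="center">` on the context line just above the new `<img>` has no matching `</DIV>` anywhere in this hunk, so the "In order to use a service" paragraph and everything after it will render inside the centered block; add `</DIV>` directly after the `<img alt="KDC usage" ...>` line. Replacing the leaked markdown `![KDC usage](...)` with a real `<img>` is the right fix, but the uppercase `<DIV>` with the deprecated `align` attribute is inconsistent with the lowercase `<p>`/`<strong>` markup around it; a lowercase `<div>` with a class and centering in CSS would match the rest of the page.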

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html Thu Jul 24
07:20:19 2014
@@ -159,7 +159,10 @@ The <B>TGT</B>, or <EM>Ticket Granting T
 <h2 id="exhanges-between-the-client-and-the-as">Exhanges between the client and the
 <p>As we can see, for the client to get a <strong>TGT</strong>, it's just
a matter of sending a simple request, which is sent without any encryption whatsoever (some
might consider that a BER encoded message is already cryptic enough, though ;-).</p>
 <p>Here is the standard exchange :</p>
-<p><img alt="Kerberos Authentication with no pre-auth" src="images/kerberos-as-no-padata.png"
+<DIV align="center">
+  <img alt="Kerberos Authentication with no pre-auth" src="images/kerberos-as-no-padata.png">
 <p>There is still a potential security breach in this scenario : as the server issues
a <strong>TGT</strong> to the client, containing the secret key built using the
user's password, it is possible to decrypt the ticket using a brute force attack (and this
is more likely to happen if the password is weak...)</p>
 <p>Of course, as each ticket has a limited life time, the ticket won't be valid when
the attaker successfully cracked the ticket, but that doesn't matter : the user's password
is now known, and a new ticket can be requested safely, giving access to the services.</p>
 <p><strong>Kerberos 5</strong> introduced a mechanism to workaround this
issue : the user has to provide a proof that he is who he pretends to be. As we can see, it
defeats the premise we made : the <strong>Kerberos</strong> still wants to check
the users...</p>
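Review bot: the added `<DIV align="center">` is never closed, so the three security paragraphs that follow it in this hunk end up nested inside it; add `</DIV>` after the `<img>` line. The removed `<p><img ...` line was itself truncated (no closing `>` and no `</p>`), so as written the change swaps one unbalanced wrapper for another rather than fixing it. Minor, in the context line: the heading reads "Exhanges between the client and the" with the visible text cut short and "Exhanges" misspelled; correcting the visible text to "Exchanges between the client and the AS" is safe, while the `id` should stay as is so existing anchors keep working.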
@@ -167,7 +170,9 @@ The <B>TGT</B>, or <EM>Ticket Granting T
 <h3 id="pre-authentication">Pre-Authentication</h3>
 <p>Now, let's see how does a client 'proves' that he is who he pretends to be. The
protocol allows the server to ask for some proof, by the means of asking the client to send
the server a timestamp encrypted with the user's secret key : if the server can decrypt the
timestamp using the client's secret key, then that proves the client's identity, and now 
the server can send the <strong>TGT</strong>. This exchange is called PreAuthentication.</p>
 <p>Here is the exchange, when  :</p>
-<p><img alt="Kerberos Authentication with pre-auth" src="images/kerberos-as-padata.png"
+<DIV align="center">
+  <img alt="Kerberos Authentication with pre-auth" src="images/kerberos-as-padata.png">
     <div class="nav">
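Review bot: same problem here, the `<DIV align="center">` is opened but not closed, and the `<div class="nav">` that follows as context will be nested inside it, so the page navigation inherits the centering; add `</DIV>` after the `<img alt="Kerberos Authentication with pre-auth" ...>` line. Also the context sentence "Here is the exchange, when  :" is missing its condition; since the paragraph above describes pre-authentication, the sentence needs to say which case the figure shows.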

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.8-tickets.html
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.8-tickets.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.8-tickets.html Thu Jul
24 07:20:19 2014
@@ -156,7 +156,7 @@
 <h2 id="whats-inside-a-ticket">What's inside a Ticket ?</h2>
 <p>Here are the information that can be found in a ticket. Most of them are encrypted
using the service's secret key.</p>
 <DIV align="center">
+  <img alt="Ticket" src="images/ticket.png">
 <p>The blue boxes are optionnal informations.</p>
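Review bot: the `<DIV align="center">` context line above the new `<img>` is not closed in this hunk either; add `</DIV>` after the image so the "blue boxes" paragraph sits outside the centered block. The alt text "Ticket" is terse for a diagram of ticket contents; "Ticket structure" or "Fields of a Kerberos ticket" would describe the figure. Typos in the context line: "optionnal informations" should read "optional information".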

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
Thu Jul 24 07:20:19 2014
@@ -158,13 +158,25 @@ We will suppose that the <strong>Kerbero
 <h2 id="servers-configuration">Servers configuration</h2>
 <p>We first have to configure the <strong>LDAP</strong> and <strong>Kerberos</strong>
server, in order to be able to use the kerberos server to authenticate on the ldap server.</p>
 <p>If you have installed the <strong>ApacheDS</strong> package, the simplest
way is to start the server, and to connect on it using Studio, using the <em>uid=admin,ou=system</em>
user with <em>secret</em> as a password (this password will have to be changed
later !).</p>
-<p><img alt="Admin Connection" src="images/admin-connection.png" /></p>
+<DIV align="center">
+  <img alt="Admin Connection" src="images/admin-connection.png">
 <p>and :</p>
-<p><img alt="Admin Authentication" src="images/admin-authentication.png" /></p>
+<DIV align="center">
+  <img alt="Admin Authentication" src="images/admin-authentication.png">
 <p>Once connected, right click on the connection :</p>
-<p><img alt="Open Configuration" src="images/open-config.png" /></p>
+<DIV align="center">
+  <img alt="Open Configuration" src="images/open-config.png">
 <p>On the <strong>Overview</strong> tab, check the <strong>Enable
Kerberos Server</strong> box :</p>
-<p><img alt="Enable Kerberos Server" src="images/enable-kerberos.png" /></p>
+<DIV align="center">
+  <img alt="Enable Kerberos Server" src="images/enable-kerberos.png">
 <h3 id="ldap-server-configuration">LDAP Server configuration</h3>
 <p>There are a few parameters that are to be set in the <strong>LDAP</strong>
configuration :</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">SASL</span> <span class="n">host</span> <span class="n">must</span>
<span class="n">be</span> <span class="n">the</span> <span class="n">local</span>
<span class="n">server</span> <span class="n">name</span> <span
class="p">(</span><span class="n">here</span><span class="p">,</span>
<span class="n">example</span><span class="p">.</span><span class="n">net</span><span
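Review bot: the four removed lines were well-formed (`<p><img ... /></p>`), while each replacement opens a `<DIV align="center">` that is never closed and drops the self-closing slash on `<img>`; with four unclosed divs in a row, the rest of the page nests four levels deep. Close each one after its `<img>`, and keep `<img ... />` since the rest of this file uses self-closing tags. Unrelated to this change but visible in the context: the bullet list of LDAP settings is emitted through codehilite with every word wrapped in a `<span class="n">`, so it renders as a colored code block rather than a list; the source should use a plain list instead of an indented block.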
@@ -178,7 +190,10 @@ The <em>SASL principal</em> instance par
 <p>Here is a snapshot of this configuration :</p>
-<p><img alt="LDAP configuration" src="images/ldap-config.png" /></p>
+<DIV align="center">
+  <img alt="LDAP configuration" src="images/ldap-config.png">
 <h3 id="kerberos-server-configuration">Kerberos Server configuration</h3>
 <p>Now, you can switch to the Kerberos tab, where some more configuration must be set
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">Primary</span> <span class="n">KDC</span> <span
class="n">Realm</span> <span class="n">is</span> <span class="n">EXAMPLE</span><span
class="p">.</span><span class="n">COM</span>
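Review bot: unclosed `<DIV align="center">` again; add `</DIV>` after the `<img alt="LDAP configuration" ...>` line so the "Kerberos Server configuration" heading is not nested in the centered block. In the context lines, the paragraph "Now, you can switch to the Kerberos tab, where some more configuration must be set" appears to have no closing `</p>` before the `<div class="codehilite">` that follows.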
@@ -187,7 +202,10 @@ The <em>SASL principal</em> instance par
 <p>Here is a Ssnapshot of this configuration :</p>
-<p><img alt="Kerberos configuration" src="images/kerberos-config.png" /></p>
+<DIV align="center">
+  <img alt="Kerberos configuration" src="images/kerberos-config.png">
 <p>Once those modifications have been done, you must restart the server.</p>
 <h3 id="other-configuration">Other configuration</h3>
 <p>There is one more thing that you need to configure : your domain name (here, example.net_)
has to be reachable on your machine. Either you define in on a <strong>DNS</strong>
server, or you can also add it in your <em>/etc/hosts</em> file.</p>
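Review bot: unclosed `<DIV align="center">` before the "Once those modifications have been done" paragraph; add `</DIV>` after the `<img>`. In the context lines: "Ssnapshot" should be "snapshot", and "example.net_)" has a stray underscore, most likely an escaped markdown emphasis marker leaking through. Worth a second look while editing this file: the host is given as example.net but the realm as EXAMPLE.COM, and if that mismatch is intentional a sentence saying so would spare readers some confusion.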
@@ -209,7 +227,10 @@ It's largely preferable to declare the s
 <p>In our case, the ldap server and the <strong>TGS</strong> are services.</p>
 <p>Each user and each service will be declared using an <em>entry</em>
in the ldap server.</p>
 <p>We will store those entries in a part of the <strong>DIT</strong> where
the kerberos server and the ldap server will be able to find them. Assuming we have created
our own partition named <strong>dc=example,dc=com</strong>, we will define this
hierarchy starting from there :</p>
-<p><img alt="Authentification hierarchy" src="images/authent-hierarchy.png" /></p>
+<DIV align="center">
+  <img alt="Authentification hierarchy" src="images/authent-hierarchy.png">
 <p>This can be injected in the LDAP server using this LDIF :</p>
 <div class="codehilite"><pre>dn: dc=security,dc=example,dc=com
 objectClass: top
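Review bot: unclosed `<DIV align="center">` before the LDIF block, so the `<div class="codehilite">` that follows is nested inside it; add `</DIV>` after the `<img>`. The alt text "Authentification hierarchy" uses the French spelling; "Authentication hierarchy" matches the rest of the English text.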
@@ -326,7 +347,10 @@ Three important things :
 <p>Now that the server is set, and the services and users are stored into it, we can
create a new connection using the Kerberos authentication for the created users.</p>
 <h3 id="create-a-new-connection">Create a new connection</h3>
 <p>On the "Connections" tab, right click and select 'New Connection...'</p>
-<p><img alt="New Connection" src="images/new-connection.png" /></p>
+<DIV align="center">
+  <img alt="New Connection" src="images/new-connection.png">
 <p>You will now have to set the network parameters, as in the following popup. Typically,
set :</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">connection</span> <span class="n">name</span> <span
class="p">(</span><span class="n">here</span><span class="p">,</span>
<span class="n">Kerberos</span> <span class="n">User</span><span
 <span class="o">*</span> <span class="n">The</span> <span class="n">LDAP</span>
<span class="n">server</span> <span class="n">host</span> <span
class="p">(</span><span class="n">example</span><span class="p">.</span><span
class="n">net</span><span class="p">)</span>
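Review bot: the `<DIV align="center">` added before the network-parameters list is not closed; add `</DIV>` after the `<img alt="New Connection" ...>` line so the list that follows is not wrapped in the centered block.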
@@ -337,7 +361,10 @@ Three important things :
 <p>You can check the connection on cliking the 'check network connection' button, you
should get back a popup stating that the connection was established successfully.</p>
 <p>Here is the screenshot :</p>
-<p><img alt="Network Parameters" src="images/network-parameters.png" /></p>
+<DIV align="center">
+  <img alt="Network Parameters" src="images/network-parameters.png">
 <p>Then click on Next to setup the authentication part.
 Select the following parameters and values :</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">Authentication</span>
<span class="n">method</span> <span class="p">:</span> <span class="n">GSSAPI</span>
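Review bot: unclosed `<DIV align="center">` once more; add `</DIV>` after the `<img alt="Network Parameters" ...>` line. Context typo: "on cliking the 'check network connection' button" should read "by clicking the 'check network connection' button".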
@@ -354,7 +381,10 @@ Select the following parameters and valu
 <p>Here is the resulting screen :</p>
-<p><img alt="Kerberos authentification" src="images/kerberos-authent.png" /></p>
+<DIV align="center">
+  <img alt="Kerberos authentification" src="images/kerberos-authent.png">
 <p>Clinking in the 'Check Authentication' button should be succesfull.</p>
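Review bot: the last hunk has the same unclosed `<DIV align="center">`; add `</DIV>` after the `<img>`. The alt text "Kerberos authentification" should be "Kerberos authentication", and the context line "Clinking in the 'Check Authentication' button should be succesfull" should read "Clicking the 'Check Authentication' button should succeed".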
