Posted to commits@directory.apache.org by bu...@apache.org on 2013/02/15 19:05:57 UTC

svn commit: r850729 - in /websites/staging/directory/trunk/content: ./ apacheds/ apacheds/kerberos-ug/ apacheds/kerberos-ug/images/

Author: buildbot
Date: Fri Feb 15 18:05:56 2013
New Revision: 850729

Log:
Staging update by buildbot for directory

Added:
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.graphml   (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.png   (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authentication.png   (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/connection.png   (with props)
Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
    websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Feb 15 18:05:56 2013
@@ -1 +1 @@
-1446490
+1446711

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html Fri Feb 15 18:05:56 2013
@@ -137,7 +137,143 @@
     </div>
 
 
-<h1 id="41-authenticate-with-kinit-on-linux">4.1 - Authenticate with kinit on Linux</h1>
+<h1 id="41-authenticate-with-studio">4.1 - Authenticate with Studio</h1>
+<p>We will explain how to use the kerberos server to authentify users on a LDAP server. Let's first define the way we will store data in the LDAP server</p>
+<h2 id="servers-configuration">Servers configuration</h2>
+<p>We first have to configure the <strong>LDAP</strong> and <strong>Kerberos</strong> server, in order to be able to use the kerberos server to authenticate on the ldap server.</p>
+<p>If you have installed the <strong>ApacheDS</strong> package, the simplest way is to start the server, and to connect on it using Studio, using the <em>uid=admin,ou=system</em> user with <em>secret</em> as a password (this password will have to be changed later !).</p>
+<p><DIV align="center">
+<img alt="connection" src="images/connection.png" />
+</DIV></p>
+<p>and :</p>
+<p><DIV align="center">
+<img alt="authentication" src="images/authentication.png" />
+</DIV></p>
+<h2 id="ldap-hierarchy">LDAP Hierarchy</h2>
+<p>We will distinguish between <strong>users</strong> and <strong>services</strong> :
+<em> Users are human beings, or applications that can log on a service
+</em> Services are applications on which a user can log in</p>
+<p>In our case, the ldap server and the <strong>TGS</strong> are services.</p>
+<p>Each user and each service will be declared using an <em>entry</em> in the ldap server.</p>
+<p>We will store those entries in a part of the <strong>DIT</strong> where the kerberos server and the ldap server will be able to find them. Assuming we have created our own partition named <strong>dc=example,dc=com</strong>, we will define this hierarchy starting from there :</p>
+<p><DIV align="center">
+<img alt="Authentification hierarchy" src="images/authent-hierarchy.png" />
+</DIV></p>
+<p>This can be injected in the LDAP server using this LDIF :</p>
+<div class="codehilite"><pre>dn: dc=security,dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: security
+
+dn: ou=services,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: services
+
+dn: ou=users,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+</pre></div>
+
+
+<h2 id="users-and-service-declaration">Users and Service declaration</h2>
+<p>Now that we have built our container for users and services, we have to declare the users and services so that they can be used through <strong>kerberos</strong>.</p>
+<h3 id="users">Users</h3>
+<p>Each user must have the <strong>krb5KDCEntry</strong> objectclass, and the <strong>userPassword</strong> attributeType (which is present in one of the following objectclasses : <em>dmd</em>, <em>domain</em>, <em>organization</em>, <em>organizationalUnit</em>, <em>person</em>, <em>posixAccount</em>, <em>posixGroup</em> and <em>shadowAccount</em>, or one of their inheriting objectclass. You can also add it to your own objectclass).</p>
+<p>Our users will be <em>organizationalPerson</em>, which inherits from <em>person</em>.</p>
+<p>For our sample test, here is a person we will inject in th eLDAP server :</p>
+<div class="codehilite"><pre>dn: uid=hnelson,ou=users,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: krb5KDCEntry
+objectClass: inetOrgPerson
+objectClass: krb5Principal
+objectClass: person
+objectClass: organizationalPerson
+cn: Horatio Nelson
+krb5KeyVersionNumber: 1
+krb5PrincipalName: hnelson@EXAMPLE.COM
+sn: Nelson
+uid: hnelson
+userPassword: secret
+</pre></div>
+
+
+<p>This user does not have a password yet.</p>
+<p><DIV class="info" markdown="1">
+The import thing is the <em>krb5PrincipalName</em>, which is the one that will be used to bind the user. It has a user login (<strong>hnelson</strong>) and a realm (<strong>EXAMPLE.COM</strong>).
+</DIV></p>
+<p>Once the user has been injected, we can see that the server has created some krb5Key attributes :</p>
+<div class="codehilite"><pre>
+</pre></div>
+
+
+<p>dn: uid=hnelson,ou=users,dc=security,dc=example,dc=com
+    objectClass: top
+    objectClass: krb5KDCEntry
+    objectClass: inetOrgPerson
+    objectClass: krb5Principal
+    objectClass: person
+    objectClass: organizationalPerson
+    cn: Horatio Nelson
+    krb5KeyVersionNumber: 0
+    krb5PrincipalName: hnelson@EXAMPLE.COM
+    sn: Nelson
+    krb5Key:: MBGgAwIBA6EKBAj0pxNkimHOWw==
+    krb5Key:: MBmgAwIBEaESBBCtIUs4tp38yqzxXzRtQXuQ
+    krb5Key:: MCGgAwIBEKEaBBhXB84pUpIsHIy/Q8I9j4xenoz3XT5KXiU=
+    krb5Key:: MBmgAwIBF6ESBBCHjYAUYGzaKWd6RO+hNT/H
+    uid: hnelson
+    userPassword:: e1NTSEF9VnhjYUl4U3JxUnAraWh1dXo2NEhzN1EwbXE0ZHBBQTNsUHJXMGc9P
+     Q== </p>
+<p>Those keys have been computed automatically by the Kerberos server. Every time you will change the password, the keys will be updated.</p>
+<p>We can add as many users as we want, but keep in mind that the login name should be the first part of the <strong>krb5PrincipalName</strong> attributeType.</p>
+<h3 id="services">Services</h3>
+<p>We now have to declare some services : the <strong>krbtgt</strong> service, which delivers tickets, and the <strong>ldap</strong> service.</p>
+<p>A user (or a service) which will try to authenticate on the LDAP server will first get a ticket from the <strong>krbtgt</strong> service, then will access the <strong>ldap</strong> service with the provided ticket.</p>
+<h4 id="krbtgt-service">krbtgt service</h4>
+<p>It's pretty much the same operation than for the user : create the entry, define a <em>krb5PrincipalName</em>, create a <em>userPassword</em> and inject the entry into the LDAP server. </p>
+<p>Here is the associated LDIF file :</p>
+<div class="codehilite"><pre>dn: uid=ldap,ou=services,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: krb5KDCEntry
+objectClass: person
+objectClass: krb5Principal
+objectClass: organizationalPerson
+cn: LDAP
+krb5KeyVersionNumber: 0
+krb5PrincipalName: ldap/localhost@EXAMPLE.COM
+sn: Service
+uid: ldap
+userPassword: randomKey
+
+dn: uid=krbtgt,ou=services,dc=security,dc=example,dc=com
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: krb5KDCEntry
+objectClass: person
+objectClass: krb5Principal
+objectClass: organizationalPerson
+cn: KDC Service
+krb5KeyVersionNumber: 0
+krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
+sn: Service
+uid: krbtgt
+userPassword:: randomkey
+</pre></div>
+
+
+<p><DIV class="info" markdown="1">
+Three important things :</p>
+<div class="codehilite"><pre><span class="o">*</span> <span class="n">the</span> <span class="n">userPassword</span> <span class="n">is</span> <span class="s">&#39;randomkey&#39;</span><span class="o">.</span> <span class="n">The</span> <span class="n">key</span> <span class="n">won</span><span class="s">&#39;t be generated based on a know password, they will use a random key.</span>
+<span class="s">* the _krb5PrincipalName_ has one more information, after the &#39;</span><span class="o">/</span><span class="err">&#39;</span> <span class="n">character</span> <span class="p">:</span> <span class="n">_EXAMPLE</span><span class="o">.</span><span class="n">COM_</span> <span class="k">for</span> <span class="n">the</span> <span class="o">**</span><span class="n">krbtgt</span><span class="o">**</span> <span class="n">service</span><span class="p">,</span> <span class="ow">and</span> <span class="o">**</span><span class="n">localhost</span><span class="o">**</span> <span class="k">for</span> <span class="n">the</span> <span class="o">**</span><span class="n">ldap</span><span class="o">**</span> <span class="n">service</span><span class="o">.</span>
+</pre></div>
+
+
+<p></DIV></p>
+<p>Again, once those entries have been injected in the LDAP server, the krb5Key attributeTypes will be created</p>
+<h2></h2>
 
 
     <div class="nav">
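Review bot: the new heading `<h1 id="41-authenticate-with-studio">4.1 - Authenticate with Studio</h1>` still numbers this page 4.1, while the file is 4.2-authenticate-studio.html and the user-guide index in this same commit links it as "4.2 - Authenticate with Studio"; change both the heading text and its id to 4.2. The markdown source also needs fixing before this goes live: the read-back entry after "we can see that the server has created some krb5Key attributes" lost its code indentation, so it renders as an empty `<pre></pre>` followed by the LDIF as a plain paragraph; the "Three important things" note renders its bullets as a syntax-highlighted code block and lists only two things; the `<DIV align="center">` and `<DIV class="info">` wrappers are emitted inside `<p>` tags, which is invalid HTML; and there is a stray empty `<h2></h2>` at the end. The content contradicts itself in places a reader will trip over: "This user does not have a password yet." directly follows an LDIF that sets `userPassword: secret`; the injected entry has `krb5KeyVersionNumber: 1` but the read-back entry shows 0; the h4 "krbtgt service" actually contains both the ldap and the krbtgt entries; and `userPassword:: randomkey` uses the double-colon base64 form on a value that is not valid base64, while the ldap entry uses a single colon and the spelling `randomKey`. From a security standpoint, the note's claim that the service keys "will use a random key" does not match the LDIF, which assigns the literal string randomkey as the service password and, by the text's own statement that keys are recomputed from the password, derives the krb5Key values from it; the guide should either instruct the reader to set a genuinely random per-service secret or explain how the server generates random keys, so that the ldap and krbtgt principals do not end up with keys derived from a guessable documentation value. Typos to fix: "authentify", "th eLDAP", "The import thing", "a know password", "the same operation than".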

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.graphml
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.graphml
------------------------------------------------------------------------------
    svn:mime-type = application/xml

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authent-hierarchy.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authentication.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/authentication.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/connection.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/connection.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-user-guide.html Fri Feb 15 18:05:56 2013
@@ -162,8 +162,13 @@
 <li><a href="kerberos-ug/3.6-backup-restore.html">3.6 - Backup/Restore</a></li>
 </ul>
 </li>
-<li><a href="kerberos-ug/4-interoperability.html">4 - Interoperability</a></li>
-<li><a href="kerberos-ug/5-glossary.html">5 - Glossary</a></li>
+<li><a href="kerberos-ug/4-using-kerberos.html">4 - Using Kerberos</a><ul>
+<li><a href="kerberos-ug/4.1-authenticate-kinit.html">4.1 - Authenticate with kinit</a></li>
+<li><a href="kerberos-ug/4.2-authenticate-studio.html">4.2 - Authenticate with Studio</a></li>
+</ul>
+</li>
+<li><a href="kerberos-ug/5-interoperability.html">5 - Interoperability</a></li>
+<li><a href="kerberos-ug/6-glossary.html">6 - Glossary</a></li>
 </ul>
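Review bot: the four new link targets (4-using-kerberos.html, 4.1-authenticate-kinit.html, 5-interoperability.html and 6-glossary.html) are neither added nor modified by this commit, whose file list touches only 4.2-authenticate-studio.html, this index and the images, so the renumbered Interoperability and Glossary links will be dead on staging until those pages exist under their new names; confirm they were published in an earlier revision or add them here. The index also calls the Studio page "4.2 - Authenticate with Studio" while the other file in this commit gives it the heading "4.1 - Authenticate with Studio", so the two should be reconciled in the same change.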