Posted to commits@directory.apache.org by bu...@apache.org on 2013/02/08 18:56:35 UTC

svn commit: r849927 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/1.1.2-principals.html apacheds/kerberos-ug/1.1.3-keys.html

Author: buildbot
Date: Fri Feb  8 17:56:35 2013
New Revision: 849927

Log:
Staging update by buildbot for directory

Added:
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.3-keys.html
Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.2-principals.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Feb  8 17:56:35 2013
@@ -1 +1 @@
-1443639
+1444169

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.2-principals.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.2-principals.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.2-principals.html Fri Feb  8 17:56:35 2013
@@ -163,10 +163,10 @@
 For hosts, we use "host" as a primary, and the instances are the hostnames.
 </DIV></p>
 <p>Those are examples of valid <strong>Principals</strong></p>
-<div class="codehilite"><pre><span class="n">john</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>
-<span class="n">john</span><span class="o">/</span><span class="n">admin</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>
-<span class="n">host</span><span class="sr">/www.apache.org/</span><span class="n">apache</span><span class="o">.</span><span class="n">org</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>
-<span class="n">ldap</span><span class="o">/</span><span class="n">www</span><span class="o">.</span><span class="n">apache</span><span class="o">.</span><span class="n">org</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>
+<div class="codehilite"><pre><span class="n">john</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>                             <span class="n">A</span> <span class="n">user</span>
+<span class="n">john</span><span class="o">/</span><span class="n">admin</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>                       <span class="n">A</span> <span class="n">user</span> <span class="n">who</span> <span class="n">is</span> <span class="n">an</span> <span class="n">admin</span>
+<span class="n">host</span><span class="sr">/www.apache.org/</span><span class="n">apache</span><span class="o">.</span><span class="n">org</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>   <span class="n">A</span> <span class="n">host</span> <span class="n">with</span> <span class="n">two</span> <span class="n">hostnames</span>
+<span class="n">ldap</span><span class="o">/</span><span class="n">www</span><span class="o">.</span><span class="n">apache</span><span class="o">.</span><span class="n">org</span><span class="nv">@APACHE</span><span class="o">.</span><span class="n">ORG</span>              <span class="n">A</span> <span class="n">service</span> <span class="p">(</span><span class="n">Ldap</span> <span class="n">server</span><span class="p">)</span>
 </pre></div>
 
 
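Review bot: the right-hand comments added in this hunk are plain text, but the codehilite lexer has tokenized them as code, so `/www.apache.org/` on the third principal line is emitted as a regex literal (`<span class="sr">`) and every word of "A user who is an admin" becomes its own `n` span; mark the source block as plain text (no lexer) so the principals and their comments render verbatim. On the same third line, `host/www.apache.org/apache.org@APACHE.ORG` is labelled "A host with two hostnames" while the context line above only says "the instances are the hostnames" and the other three examples each show a single instance; if an instance with two components is intended, say so explicitly in the prose rather than leaving the reader to infer it from one example. Minor: "Ldap server" should read "LDAP server", matching the `ldap/` primary it describes.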

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.3-keys.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.3-keys.html (added)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.3-keys.html Fri Feb  8 17:56:35 2013
@@ -0,0 +1,246 @@
+<!DOCTYPE html>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+	<head>
+		<title>1.1.3 - Keys &mdash; Apache Directory</title>
+		
+        <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+    	<link href="./../../css/green.css" rel="stylesheet" type="text/css">
+    
+        
+        <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+    
+        <!-- Google Analytics -->
+        <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+        <script type="text/javascript">
+            _uacct = "UA-1358462-1";
+            urchinTracker();
+        </script>
+	</head>
+	<body>
+	    <div id="container">
+            <div id="header">
+                <div id="subProjectsNavBar">
+                    <a href="./../../">
+                        
+                        Apache Directory Project
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../apacheds">
+                        
+                        <STRONG>ApacheDS</STRONG>
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../studio">
+                        
+                        Apache Directory Studio
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../api">
+                        
+                        Apache LDAP API
+                        
+                    </a>
+                </div><!-- subProjectsNavBar -->
+            </div><!-- header -->
+            <div id="content">
+                <div id="leftColumn">
+                    
+<div id="navigation">
+    
+    <h5>ApacheDS 2.0</h5>
+    <ul>
+        <li><a href="./../../apacheds/">Home</a></li>
+        <li><a href="./../../apacheds/features.html">Features</a></li>
+    </ul>
+    <h5>Downloads</h5>
+    <ul>
+        <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M10</a>&nbsp;&nbsp;<img src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+        <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+    </ul>
+    <h5>Documentation</h5>
+    <ul>
+        <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide </a></li>
+        <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User Guide</a></li>
+        <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+        <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User Guide</a></li>
+        <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+            <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports (e.g. JavaDocs)</a></li-->
+    </ul>
+    
+    
+    <h5>Support</h5>
+    <ul>
+        <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists &amp; IRC</a></li>
+        <li><a href="./../../sources.html">Sources</a></li>
+        <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+        <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+    </ul>
+    <h5>Community</h5>
+    <ul>
+        <li><a href="./../../contribute.html">How to Contribute</a></li>
+        <li><a href="./../../team.html">Team</a></li>
+        <li><a href="./../../original-project-proposal.html">Original Project Proposal</a></li>
+        <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
+    </ul>
+    <h5>About Apache</h5>
+    <ul>
+        <li><a href="http://www.apache.org/">Apache</a></li>
+        <li><a href="http://www.apache.org/licenses/">License</a></li>
+        <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+        <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+        <li><a href="http://www.apache.org/security/">Security</a></li>
+    </ul>
+    <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png" width="168" height="140"></a>
+    
+</div><!-- navigation -->
+
+                </div><!-- leftColumn -->
+                <div id="rightColumn">
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.2-principals.html">1.1.2 - Principals</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.4-kdc.html">1.1.4 - KDC (Key Distribution Center)</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+<h1 id="keys">Keys</h1>
+<p>The <strong>Kerberos</strong> server generates keys based on the password we provide. Those keys are stored in the <strong>KDC</strong> and used to encrypt and decrypt the data being exchanged with the client.</p>
+<p>The Key is computed using either the user's password or a random value, and is salted with the realm. </p>
+<p><DIV class="INFO" markdown="1">
+Using the realm as the salt is a protection : if one's key is broken on a realm, that does not mean the password is compromised. The key on another realm would still be safe.
+</DIV></p>
+<h2 id="how-it-works-in-apacheds">How it works in ApacheDS ?</h2>
+<p>When you add a new entry in the server, it generates a secret key using the password and the <strong>Principal</strong> of the added entry. For instance, say we add this entry :</p>
+<div class="codehilite"><pre>dn: uid=hnelson,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: krb5principal
+objectClass: krb5kdcentry
+objectClass: top
+uid: hnelson
+userPassword: secret
+krb5PrincipalName: hnelson@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+cn: Horatio Nelson
+sn: Nelson
+</pre></div>
+
+
+<p>the server will compute the krb5key values automatically, and add it the the entry. </p>
+<p><DIV class="INFO" mardown="1">
+There is a special case : if the password is "randomkey", the key will be generated using a random number created on the fly.
+</DIV></p>
+<p><DIV class="INFO" mardown="1">
+Note that we will generate more than one key : we generate one key per configured cipher. </p>
+<p>ApacheDS Kerberos server default set of ciphers is :</p>
+<div class="codehilite"><pre><span class="o">*</span> <span class="n">DES_CBC_MD5</span>
+<span class="o">*</span> <span class="n">DES3_CBC_SHA1_KD</span>
+<span class="o">*</span> <span class="n">RC4_HMAC</span>
+<span class="o">*</span> <span class="n">AES128_CTS_HMAC_SHA1_96</span>
+<span class="o">*</span> <span class="n">AES256_CTS_HMAC_SHA1_96</span>
+</pre></div>
+
+
+<p></DIV></p>
+<p><DIV class="WARN" mardown="1">
+Note that the key generation is an extremely costly operation. If you have many supported ciphers, you will multiply the time it takes to generate the keys by the number of ciphers. It's smart to limit the configured ciphers to the minimal, accordingly to your needs.</p>
+<p>Provisionning thousands of users will inheritently be a slow operation.
+</DIV></p>
+<p>Once the keys have been computed, we modify the entry to inject an ASN.1 BER encoded EncryptionKey instance into it.</p>
+<p>The EncryptionKey structure is the following ASN.1 desciption :</p>
+<div class="codehilite"><pre>EncryptionKey   ::= SEQUENCE {
+    keytype         [0] Int32 -- actually encryption type --,
+    keyvalue        [1] OCTET STRING
+}
+</pre></div>
+
+
+<p>The modified entry will now looks like :</p>
+<div class="codehilite"><pre>dn: uid=hnelson,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: krb5principal
+objectClass: krb5kdcentry
+objectClass: top
+uid: hnelson
+userPassword: secret
+krb5PrincipalName: hnelson@EXAMPLE.COM
+krb5KeyVersionNumber: 0
+cn: Horatio Nelson
+sn: Nelson
+krb5Key: &#39;0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x3D 0x33 0x31 0x8F 0xBE ...&#39;
+krb5Key: &#39;0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29 0x52 ...&#39;
+krb5Key: &#39;0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...&#39;
+krb5Key: &#39;0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64 0x8A ...&#39;
+krb5Key: &#39;0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...&#39;
+</pre></div>
+
+
+<p>Each of these keys match one of the EncryptionType.</p>
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.2-principals.html">1.1.2 - Principals</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.4-kdc.html">1.1.4 - KDC (Key Distribution Center)</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+                </div><!-- rightColumn -->
+                <div id="endContent"></div>
+            </div><!-- content -->
+            <div id="footer">&copy; 2003-2012, <a href="http://www.apache.org">The Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy Policy</a><br />
+                Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio, Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache Directory project logos are trademarks of The Apache Software Foundation.
+            </div>
+        </div><!-- container -->
+    </body>
+</html>
\ No newline at end of file
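Review bot: three callout blocks carry the attribute `mardown="1"` instead of `markdown="1"` (the INFO block following the `krb5key` sentence, the INFO block wrapping the cipher list, and the WARN block), and the generated HTML shows the effect: the opening `<DIV>` is wrapped in `<p>` and the closing tag ends up in a separate `<p></DIV></p>` after the cipher list, so the markup is mis-nested and these boxes will not render like the first INFO block, which spells `markdown="1"` correctly; fix the attribute in the source page. Two content points. First, the intro says the key "is salted with the realm", while the "How it works" paragraph says the key is generated "using the password and the Principal"; the two sentences disagree, and the INFO box that justifies the realm salt should state the property precisely: a key derived for one realm cannot be reused as-is in another realm for the same password, but a password recovered by guessing against a leaked key is compromised in every realm. Second, the default cipher list includes `DES_CBC_MD5` (single DES, deprecated for Kerberos by RFC 6649) and `RC4_HMAC`; since the WARN box already advises limiting the configured ciphers to the minimum needed, it would be worth saying that single DES should be the first to go, which also reduces the key-generation cost the box warns about. The sample `krb5Key` values are consistent with the list and could be used to make the closing sentence concrete: in each value the byte after `0xA0 0x03 0x02 0x01` is the keytype and the byte after `0x04` is the key length, giving etype 18 with a 32-byte key (AES256), 16 with 24 bytes (DES3), 23 with 16 bytes (RC4), 3 with 8 bytes (DES) and 17 with 16 bytes (AES128); spelling out that mapping replaces the vague "Each of these keys match one of the EncryptionType". Typos: "desciption", "Provisionning", "inheritently", "add it the the entry", "will now looks like", and the stray space in "How it works in ApacheDS ?".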