Posted to commits@directory.apache.org by fe...@apache.org on 2010/08/16 11:35:48 UTC
svn commit: r985841 [2/3] - in /directory/sandbox/felixk/apacheds-docs/src:
advanced-user-guide/ advanced-user-guide/data/ advanced-user-guide/images/
main/resources/css/
Added: directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml
URL: http://svn.apache.org/viewvc/directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml?rev=985841&view=auto
==============================================================================
--- directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml (added)
+++ directory/sandbox/felixk/apacheds-docs/src/advanced-user-guide/chapter-protocol-providers.xml Mon Aug 16 09:35:47 2010
@@ -0,0 +1,2988 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under
+ the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may
+ obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to
+ in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+ ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under
+ the License. -->
+<chapter
+ version="5.0"
+ xmlns="http://docbook.org/ns/docbook"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ xmlns:ns5="http://www.w3.org/2000/svg"
+ xmlns:ns4="http://www.w3.org/1998/Math/MathML"
+ xmlns:ns3="http://www.w3.org/1999/xhtml"
+ xml:lang="en">
+ <title>Protocol Providers</title>
+ <section
+ id="Protocol Providers">
+ <title>Protocol Providers</title>
+ <important>
+ <title>Work in progress</title>
+ <para>This site is in the process of being reviewed and updated.</para>
+ </important>
+ <important>
+ <para>You are viewing pre-release documentation that contains changes to configuration that are scheduled for the
+ Apache Directory 1.5.1 release.</para>
+ </important>
+ <section
+ id="Apache Directory Protocol Providers">
+ <title>Apache Directory Protocol Providers</title>
+ <para>The Apache Directory Project's Protocol Providers are Java implementations of standard Internet services.
+ These Protocol Providers, in conjunction with the MINA network layer and the Apache Directory read-optimized
+ backing store, provide easy-to-use yet fully-featured Internet services. As implemented within the Apache
+ Directory, these services benefit from:</para>
+ <itemizedlist>
+ <listitem>
+ <para>Standard directory model and schema support</para>
+ </listitem>
+ <listitem>
+ <para>Standard LDAP data interchange format (LDIF) (RFC 2849)</para>
+ </listitem>
+ <listitem>
+ <para>Optional LDAP management</para>
+ </listitem>
+ <listitem>
+ <para>UDP and TCP Support (MINA)</para>
+ </listitem>
+ <listitem>
+ <para>Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi</para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
+ id="Service Configuration">
+ <title>Service Configuration</title>
+ <para>
+ All protocol providers are configured in a similar manner. Behind the scenes, all protocol provider
+ Configuration beans inherit from the same ServiceConfiguration and, therefore, they share many of the same
+ configuration parameters. For more information on the service configuration common to all protocol providers,
+ please see
+ <xref
+ linkend="Common Parameters for Configuration" />
+ .
+ </para>
+ </section>
+ <section
+ id="Changes from 1.5 to 1.5.1">
+ <title>Changes from 1.5 to 1.5.1</title>
+ <para>
+ Configuration has been revamped for the 1.5.1 release, along with the addition of SASL support in the LDAP
+ protocol. For more information on changes to configuration, please see
+ <xref
+ linkend="Changes to Configuration" />
+ </para>
+ </section>
+ <section
+ id="Protocol Providers table">
+ <title>Protocol Providers</title>
+ <table
+ id="Protocol Providers table 1">
+ <title>Protocol Providers</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Configuration</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>
+ <xref
+ linkend="LDAP Protocol Provider" />
+ </entry>
+ <entry>
+ <xref
+ linkend="LDAP Protocol Configuration" />
+ </entry>
+ <entry>
+ A Lightweight Directory Access Protocol (LDAP) implementation based on
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc2251.html">RFC 2251</link>
+ . Apache LDAP provides lightweight access to the Apache Directory backing store.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <xref
+ linkend="Kerberos Protocol Provider" />
+ </entry>
+ <entry>
+ <xref
+ linkend="Kerberos Protocol Configuration" />
+ </entry>
+ <entry>
+ A Kerberos implementation based on
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc1510.html">RFC 1510</link>
+ . Apache Kerberos verifies the identities of principals (users or services) on an unprotected network
+ using principal information stored in the Apache Directory backing store.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <xref
+ linkend="Change Password Protocol Provider" />
+ </entry>
+ <entry>
+ <xref
+ linkend="Change Password Configuration" />
+ </entry>
+ <entry>
+ A Change Password implementation based on
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc3244.html">RFC 3244</link>
+ . Apache Change Password uses Kerberos infrastructure to allow users to securely set initial passwords
+ or to change existing passwords stored in the Apache Directory backing store.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <xref
+ linkend="DNS Protocol Provider" />
+ </entry>
+ <entry>
+ <xref
+ linkend="DNS Protocol Configuration" />
+ </entry>
+ <entry>
+ A Domain Name System (DNS) implementation based on
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc1034.html">RFC 1034</link>
+ . Apache DNS serves host name to address mappings and other resource record types using resource records
+ stored in the Apache Directory backing store.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <xref
+ linkend="NTP Protocol Provider" />
+ </entry>
+ <entry>
+ <xref
+ linkend="NTP Protocol Configuration" />
+ </entry>
+ <entry>
+ A Network Time Protocol (NTP) implementation based on
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc2030.html">RFC 2030</link>
+ . Apache NTP supports time synchronization for LDAP replication and the Kerberos protocol, eliminating
+ the need for external infrastructure.
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <xref
+ linkend="DHCP Protocol Provider" />
+ </entry>
+ <entry>n/a</entry>
+ <entry>
+ A Dynamic Host Configuration Protocol (DHCP) implementation based on
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc2131.html">RFC 2131</link>
+ . Apache DHCP helps configure hosts using configuration information stored in the Apache Directory
+ backing store.
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ </section>
+ <section
+ id="Common Parameters for Configuration">
+ <title>Common Parameters for Configuration</title>
+ <important>
+ <title>Work in progress</title>
+ <para>This site is in the process of being reviewed and updated.</para>
+ </important>
+ <section
+ id="Changes to Configuration">
+ <title>Changes to Configuration</title>
+ <important>
+ <title>Work in progress</title>
+ <para>This site is in the process of being reviewed and updated.</para>
+ </important>
+ <section
+ id="Changes to LDAP configuration in 1.5.1">
+ <title>Changes to LDAP configuration in 1.5.1</title>
+ <para>LDAP and LDAPS now use separate beans for configuration. The only difference is that the use of SSL is
+ determined by parameter 'enabledLdaps'. Both LDAP and LDAPS must support certificate configuration because
+ LDAP may use Start TLS, while LDAPS has SSL enabled "full time." Both LDAP and LDAPS follow parameter naming
+ conventions with all the other protocol providers. So, the former ldapPort is now ipPort and the former
+ ldapsPort is also now ipPort.</para>
+ <para>Also due to the common configuration used by all protocol providers, individual protocols are no longer
+ enabled in MutableServerStartupConfiguration. Instead, individual services are enabled using the parameter
+ 'enabled' on their individual beans.</para>
+ </section>
+ <section
+ id="Changes to the other protocols in 1.5.1">
+ <title>Changes to the other protocols in 1.5.1</title>
+ <para>All protocols except LDAP are disabled by default.</para>
+ <para>The Kerberos protocol provider is no longer configured with a Map of properties. All configuration
+ properties are now available on a bean and configurable using Spring XML.</para>
+ <para>The Change Password protocol provider is no longer configured with a Map of properties. All configuration
+ properties are now available on a bean and configurable using Spring XML.</para>
+ <para>The NTP protocol provider is no longer configured with a Map of properties. All configuration properties
+ are now available on a bean and configurable using Spring XML.</para>
+ <para>DNS has now been enabled in ServerContextFactory. The DNS protocol provider is no longer configured with a
+ Map of properties. All configuration properties are now available on a bean and configurable using Spring XML.
+ </para>
+ </section>
+ </section>
+ <section
+ id="Configuration Parameters Reference">
+ <title>Configuration Parameters Reference</title>
+ <important>
+ <title>Work in progress</title>
+ </important>
+ <para>This page lists all configuration parameters which can be used in conf/server.xml in Version 1.5.1. For a
+ more detailed description look at the corresponding section in the Advanced User's Guide.</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <xref
+ linkend="Environment parameters" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="Protocol providers configuration parameters" />
+ </para>
+ <itemizedlist
+ mark="opencircle">
+ <listitem>
+ <para>
+ <xref
+ linkend="Parameters common to all protocol providers" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="LDAP-Specific Configuration Parameters" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="Kerberos-Specific Configuration Parameters" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="Change Password-Specific Configuration Parameters" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="NTP-Specific configuration parameters" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="DHCP-Specific configuration parameters" />
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="Server Startup Configuration" />
+ </para>
+ <itemizedlist
+ mark="opencircle">
+ <listitem>
+ <para>
+ <xref
+ linkend="Replication Startup Configuration" />
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
+ linkend="Partition Configuration" />
+ </para>
+ </listitem>
+ </itemizedlist>
+ <section
+ id="Environment parameters">
+ <title>Environment parameters</title>
+ <para>
+ Those parameters are loaded in the
+ <emphasis
+ role="bold">org.apache.directory.server.Service.java</emphasis>
+ class, when the server is started, in the init method :
+ </para>
+ <programlisting><![CDATA[
+public void init( InstallationLayout install, String[] args ) throws Exception
+ {
+ ...
+
+ if ( install != null )
+ {
+ log.info( "server: loading settings from ", install.getConfigurationFile() );
+ ...
+ env = ( Properties ) factory.getBean( "environment" );
+ ...
+ ]]></programlisting>
+ <para>They are used everywhere in the server.</para>
+ <para>
+ The "environment" bean is read from the Spring configuration file,
+ <emphasis
+ role="bold">server.xml</emphasis>
+ , shown below :
+ </para>
+ <programlisting><![CDATA[
+<bean id="environment" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+ <property name="properties">
+ <props>
+ <!-- JNDI security properties used to get initial contexts. -->
+ <prop key="java.naming.security.authentication">simple</prop>
+ <prop key="java.naming.security.principal">uid=admin,ou=system</prop>
+ <prop key="java.naming.security.credentials">secret</prop>
+ <!--
+ <prop key="java.naming.ldap.attributes.binary"></prop>
+ -->
+ </props>
+ </property>
+ </bean>
+ ]]></programlisting>
+ <important>
+ <para>The bean name ("environment") may be renamed to something more explicit, like "serverEnvironment", IMHO
+ </para>
+ </important>
+ <table
+ id="Environment parameters table">
+ <title>Environment parameters</title>
+ <tgroup
+ cols="4">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ <entry>Comment</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>java.naming.security.authentication</entry>
+ <entry>simple</entry>
+ <entry>The kind of authentication used for the admin.</entry>
+ <entry>Shouldn't it be SASL now ?</entry>
+ </row>
+ <row>
+ <entry>java.naming.security.principal</entry>
+ <entry>uid=admin,ou=system</entry>
+ <entry>The admin DN</entry>
+ <entry>Can be changed to another DN</entry>
+ </row>
+ <row>
+ <entry>java.naming.security.credentials</entry>
+ <entry>secret</entry>
+ <entry>The principal password</entry>
+ <entry>must be changed at startup!!!</entry>
+ </row>
+ <row>
+ <entry>java.naming.ldap.attributes.binary</entry>
+ <entry>empty</entry>
+ <entry>The list of binary attributes</entry>
+ <entry>
+ In LDAP, only a few AT are declared as binary.<?linebreak?>
+ This is were we should describe the other ones
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <important>
+ <para>The admin password should be changed when the server is started. A good thing would be that the server
+ cannot start if this password is kept as is.</para>
+ </important>
+ </section>
+ <section
+ id="Protocol providers configuration parameters">
+ <title>Protocol providers</title>
+ <section
+ id="Parameters common to all protocol providers">
+ <title>Parameters common to all protocol providers</title>
+ <para>Since all protocol provider Configuration beans inherit from the same ServiceConfiguration, they share
+ many of the same configuration parameters.</para>
+ <table
+ id="Parameters common to all protocol providers table">
+ <title>Parameters common to all protocol providers</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>enabled</entry>
+ <entry>false</entry>
+ <entry>Whether this service is enabled.</entry>
+ </row>
+ <row>
+ <entry>ipPort</entry>
+ <entry>No default.</entry>
+ <entry>The IP port for this service.</entry>
+ </row>
+ <row>
+ <entry>ipAddress</entry>
+ <entry>No default.</entry>
+ <entry>The IP address for this service.</entry>
+ </row>
+ <row>
+ <entry>searchBaseDn</entry>
+ <entry>"ou=users,ou=system"</entry>
+ <entry>
+ The single location where users that can be SASL authenticated are stored.
+ <to
+ be
+ clarified>
+ The
+ definition of "entries" depends on the protocol. For example, for LDAP, Kerberos, and Change
+ Password, entries are users for purposes of authentication. For DNS, entries are resource records.
+ If this property is not set the store will search the system partition configuration for catalog
+ entries.
+ <emphasis
+ role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS
+ using
+ the Config Admin service</emphasis>.<to
+ be clarified/>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <warning>
+ <title>recent inclusion</title>
+ <para>This last parameter has been included with the last SASL addition. The description is not giving a lot
+ of information about what is this parameter about, except for SASL authentication. The parameter name is
+ not significant, and another one should be selected, IMHO.</para>
+ <para>Can soemone elaborate what this parameter is about ?</para>
+ </warning>
+ <table
+ id="Parameters common to all protocol providers table 1">
+ <title>Parameters common to all protocol providers 1</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>initialContextFactory</entry>
+ <entry>"org.apache.directory.server.core.jndi.CoreContextFactory"</entry>
+ <entry>The JNDI initial context factory to use.</entry>
+ </row>
+ <row>
+ <entry>securityAuthentication</entry>
+ <entry>"simple"</entry>
+ <entry>The authentication mechanism to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>securityPrincipal</entry>
+ <entry>"uid=admin,ou=system"</entry>
+ <entry>The principal to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>securityCredentials</entry>
+ <entry>"secret"</entry>
+ <entry>The credentials to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>serviceName</entry>
+ <entry>No default.</entry>
+ <entry>The friendly name of this service.</entry>
+ </row>
+ <row>
+ <entry>servicePid</entry>
+ <entry>No default.</entry>
+ <entry>The PID for this service. A PID is a unique identifier for an instance of a service. PID's are
+ used by OSGi's Config Admin service to dynamically inject configuration into a service when the
+ service is started.</entry>
+ </row>
+ <row>
+ <entry>bufferSize</entry>
+ <entry>No default.</entry>
+ <entry>The MINA buffer size for this service.</entry>
+ </row>
+ <row>
+ <entry>catalogBaseDn</entry>
+ <entry>No default.</entry>
+ <entry>
+ The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or
+ zone for DNS) to a search base DN. If this property is not set the store will expect a single search
+ base DN to be set.
+ <emphasis
+ role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using
+ the Config Admin service.</emphasis>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <warning>
+ <para>It would be good to have more insight about catalogs.</para>
+ </warning>
+ </section>
+ <section
+ id="LDAP-Specific Configuration Parameters Protocol providers configuration parameters">
+ <title>LDAP-Specific Configuration Parameters</title>
+ <warning>
+ <para>We have had a lot of modification in this part. Some of them are really going in the right direction,
+ some other needs to be tuned.
+ First, all the previous configuration has been moved from the common part to
+ a specific LdapConfiguration part : that
+ is a good move
+ Second, we now have a new configuration called
+ "ldapsConfiguration", but I'm afraid that some informations are missing.
+ Third, I don't know if we should
+ have only one configuration called "ldapConfiguration", or three
+ ("ldapConfiguration", "ldapsConfiguration"
+ and" ldapSASLConfiguration". Atm, we have two.</para>
+ </warning>
+ <para>Here is the latest version of the ldap configuration :</para>
+ <programlisting><![CDATA[
+ <bean id="ldapConfiguration" class="org.apache.directory.server.ldap.LdapConfiguration">
+ <!-- The port to run the LDAP protocol on. -->
+ <property name="ipPort" value="10389" />
+
+ <!-- Whether to allow anonymous access. -->
+ <property name="allowAnonymousAccess" value="false" />
+
+ <!-- The list of supported authentication mechanisms. -->
+ <property name="supportedMechanisms">
+ <list>
+ <value>SIMPLE</value>
+ <value>CRAM-MD5</value>
+ <value>DIGEST-MD5</value>
+ <!--<value>GSSAPI</value>-->
+ </list>
+ </property>
+
+ <!-- The FQDN of this SASL host, validated during SASL negotiation. -->
+ <property name="saslHost" value="ldap.example.com" />
+
+ <!-- The Kerberos principal name for this LDAP service, used by GSSAPI. -->
+ <property name="saslPrincipal" value="ldap/ldap.example.com@EXAMPLE.COM" />
+
+ <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI. -->
+ <property name="saslQop">
+ <list>
+ <value>auth</value>
+ <value>auth-int</value>
+ <value>auth-conf</value>
+ </list>
+ </property>
+
+ <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
+ <property name="saslRealms">
+ <list>
+ <value>example.com</value>
+ <value>apache.org</value>
+ </list>
+ </property>
+
+ <!-- The base DN containing users that can be SASL authenticated. -->
+ <property name="searchBaseDn" value="ou=users,ou=system" />
+
+ <!-- SSL CONFIG CAN GO HERE-->
+
+ <!-- limits searches by non-admin users to a max time of 15000 -->
+ <!-- milliseconds and has a default value of 10000 -->
+ <property name="maxTimeLimit" value="15000" />
+
+ <!-- limits searches to max size of 1000 entries: default value is 100 -->
+ <property name="maxSizeLimit" value="1000" />
+
+ <!-- the collection of extended operation handlers to install -->
+ <property name="extendedOperationHandlers">
+ <list>
+ <!--<bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>-->
+ <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
+
+ <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
+ </list>
+ </property>
+ </bean>
+ ]]></programlisting>
+ <table
+ id="LDAP-Specific Configuration Parameters 1 table">
+ <title>LDAP-Specific Configuration Parameters 1</title>
+ <tgroup
+ cols="4">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ <entry>Comments</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>ipPort</entry>
+ <entry>10389</entry>
+ <entry>The IP port used by the ldap server</entry>
+ <entry>We are using a port above 1024 to allow non root users to launch the server</entry>
+ </row>
+ <row>
+ <entry>allowAnonymousAccess</entry>
+ <entry>false</entry>
+ <entry>Whether to allow anonymous access</entry>
+ <entry>
+ Was
+ <emphasis
+ role="bold">true</emphasis>
+ in the previous version
+ </entry>
+ </row>
+ <row>
+ <entry>supportedMechanisms</entry>
+ <entry>SIMPLE, CRAM-MD5, DIGEST-MD5</entry>
+ <entry>The supported authentication mechanisms</entry>
+ <entry>The GSSAPI mechanism has been temporarilly disabled</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <important>
+ <para>We have to figure out if we should reactivate this GSSAPI configuration, or not. Not a simple matter,
+ right now. If SASL is to be moved to another configuration, then maybe it should be activated as a default
+ value. TO BE DISCUSSED...</para>
+ </important>
+ <table
+ id="LDAP-Specific Configuration Parameters 2 table">
+ <title>LDAP-Specific Configuration Parameters 2</title>
+ <tgroup
+ cols="4">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ <entry>Comments</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>saslHost</entry>
+ <entry>ldap.example.com</entry>
+ <entry>The name of this host, validated during SASL negotiation.</entry>
+ <entry>The host name must be selected with great caution</entry>
+ </row>
+ <row>
+ <entry>saslPrincipal</entry>
+ <entry>ldap/ldap.example.com@EXAMPLE.COM</entry>
+ <entry>The service principal, used by GSSAPI.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>saslQop</entry>
+ <entry>auth, auth-int, auth-conf</entry>
+ <entry>The quality of protection (QoP), used by DIGEST-MD5 and GSSAPI.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>saslRealms</entry>
+ <entry>example.com</entry>
+ <entry>The list of realms serviced by this host.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>maxSizeLimit</entry>
+ <entry>100</entry>
+ <entry>The maximum size limit.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>maxTimeLimit</entry>
+ <entry>10000</entry>
+ <entry>The maximum time limit.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>enableLdaps</entry>
+ <entry>false</entry>
+ <entry>Whether LDAPS is enabled.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>ldapsCertificateFile</entry>
+ <entry>server-work/certificates/server.cert</entry>
+ <entry>The path to the certificate file.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>ldapsCertificatePassword</entry>
+ <entry>changeit</entry>
+ <entry>The certificate password.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>extendedOperationHandlers</entry>
+ <entry>No default.</entry>
+ <entry>The extended operation handlers.</entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ <section
+ id="Kerberos-Specific Configuration Parameters">
+ <title>Kerberos-Specific Configuration Parameters</title>
+ <programlisting><![CDATA[
+<bean id="kdcConfiguration" class="org.apache.directory.server.kerberos.kdc.KdcConfiguration">
+ <!-- Whether to enable the Kerberos protocol. -->
+ <property name="enabled" value="false" />
+ <!-- The port to run the Kerberos protocol on. -->
+ <property name="ipPort" value="88" />
+</bean>
+ ]]></programlisting>
+ <table
+ id="Kerberos-Specific Configuration Parameters table">
+ <title>Kerberos-Specific Configuration Parameters</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>encryptionTypes</entry>
+ <entry>des-cbc-md5</entry>
+ <entry>The encryption types.</entry>
+ </row>
+ <row>
+ <entry>primaryRealm</entry>
+ <entry>EXAMPLE.COM</entry>
+ <entry>The primary realm.</entry>
+ </row>
+ <row>
+ <entry>servicePrincipal</entry>
+ <entry>krbtgt/EXAMPLE.COM@EXAMPLE.COM</entry>
+ <entry>The service principal name.</entry>
+ </row>
+ <row>
+ <entry>allowableClockSkew</entry>
+ <entry>5 minutes</entry>
+ <entry>The allowable clock skew.</entry>
+ </row>
+ <row>
+ <entry>paEncTimestampRequired</entry>
+ <entry>true</entry>
+ <entry>Whether pre-authentication by encrypted timestamp is required.</entry>
+ </row>
+ <row>
+ <entry>maximumTicketLifetime</entry>
+ <entry>1440 (24 hours)</entry>
+ <entry>The maximum ticket lifetime.</entry>
+ </row>
+ <row>
+ <entry>maximumRenewableLifetime</entry>
+ <entry>10080 (1 week)</entry>
+ <entry>The maximum renewable lifetime.</entry>
+ </row>
+ <row>
+ <entry>emptyAddressesAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether ticket issuance for empty Host Addresses is allowed.</entry>
+ </row>
+ <row>
+ <entry>forwardableAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether forwardable tickets are allowed.</entry>
+ </row>
+ <row>
+ <entry>proxiableAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether proxiable tickets are allowed.</entry>
+ </row>
+ <row>
+ <entry>postdateAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether postdated tickets are allowed.</entry>
+ </row>
+ <row>
+ <entry>renewableAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether renewable tickets are allowed.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ <section
+ id="Change Password-Specific Configuration Parameters">
+ <title>Change Password-Specific Configuration Parameters</title>
+ <programlisting><![CDATA[
+<bean id="changePasswordConfiguration" class="org.apache.directory.server.changepw.ChangePasswordConfiguration">
+ <!-- Whether to enable the Change Password protocol. -->
+ <property name="enabled" value="false" />
+ <!-- The port to run the Change Password protocol on. -->
+ <property name="ipPort" value="464" />
+</bean>
+ ]]></programlisting>
+ <table
+ id="Change Password-Specific Configuration Parameters table">
+ <title>Change Password-Specific Configuration Parameters</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>encryptionTypes</entry>
+ <entry>des-cbc-md5</entry>
+ <entry>The encryption types.</entry>
+ </row>
+ <row>
+ <entry>primaryRealm</entry>
+ <entry>EXAMPLE.COM</entry>
+ <entry>The primary realm.</entry>
+ </row>
+ <row>
+ <entry>servicePrincipal</entry>
+ <entry>kadmin/changepw@EXAMPLE.COM</entry>
+ <entry>The service principal name.</entry>
+ </row>
+ <row>
+ <entry>allowableClockSkew</entry>
+ <entry>5 minutes</entry>
+ <entry>The allowable clock skew.</entry>
+ </row>
+ <row>
+ <entry>emptyAddressesAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether tickets issued with empty Host Addresses are allowed.</entry>
+ </row>
+ <row>
+ <entry>policyPasswordLength</entry>
+ <entry>6 characters</entry>
+ <entry>The policy for minimum password length.</entry>
+ </row>
+ <row>
+ <entry>policyCategoryCount</entry>
+ <entry>3 (out of 4)</entry>
+ <entry>The policy for number of character categories required (A - Z), (a - z), (0 - 9),
+ non-alphanumeric (!, $, #, %, ... ).</entry>
+ </row>
+ <row>
+ <entry>policyTokenSize</entry>
+ <entry>3 characters</entry>
+ <entry>The policy for minimum token size. Passwords must not contain tokens larger than
+ 'policyTokenSize' that occur in the user's principal name.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ <section
+ id="NTP-Specific configuration parameters">
+ <title>NTP-Specific configuration parameters</title>
+ <para>The NTP parameters are very limited :</para>
+ <programlisting><![CDATA[
+<bean id="ntpConfiguration" class="org.apache.directory.server.ntp.NtpConfiguration">
+ <!-- Whether to enable the NTP protocol. -->
+ <property name="enabled" value="true" />
+
+ <!-- The port to run the NTP protocol on. -->
+ <property name="ipPort" value="123" />
+</bean>
+ ]]></programlisting>
+ <para>Here is the table containing the default configuration :</para>
+ <table
+ id="NTP-Specific configuration parameters table">
+ <title>NTP-Specific configuration parameters</title>
+ <tgroup
+ cols="4">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ <entry>Comments</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>enabled</entry>
+ <entry>true</entry>
+ <entry>Tells if the service is on or off</entry>
+ <entry>Should be OFF by default</entry>
+ </row>
+ <row>
+ <entry>ipPort</entry>
+ <entry>123</entry>
+ <entry>The default port</entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <important>
+ <para>Just wanted to know if the UDP and TCP should be enabled or if the server just accept TCP ?</para>
+ </important>
+ </section>
+ <section
+ id="DHCP-Specific configuration parameters">
+ <title>DHCP-Specific configuration parameters</title>
+ <para>There is no description about DHCP parameters atm.</para>
+ </section>
+ </section>
+ <section
+ id="Server Startup Configuration">
+ <title>Server Startup Configuration</title>
+ <section
+ id="Replication Startup Configuration">
+ <title>Replication</title>
+ <programlisting><![CDATA[
+<bean class="org.apache.directory.server.core.configuration.MutableInterceptorConfiguration">
+ <property name="name" value="replicationService" />
+ <property name="interceptor">
+ <bean class="org.apache.directory.mitosis.service.ReplicationService">
+ <property name="configuration">
+ <bean class="org.apache.directory.mitosis.configuration.ReplicationConfiguration">
+ <property name="replicaId">
+ <bean class="org.apache.directory.mitosis.common.ReplicaId">
+ <constructor-arg>
+ <value>instance_a</value>
+ </constructor-arg>
+ </bean>
+ </property>
+ <property name="serverPort" value="10390" />
+ <property name="peerReplicas" value="instance_b@localhost:10392" />
+ </bean>
+ </property>
+ </bean>
+ </property>
+</bean>
+ ]]></programlisting>
+ <table
+ id="Replication Startup Configuration table">
+ <title>Replication Startup Configuration</title>
+ <tgroup
+ cols="4">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ <entry>Comments</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry></entry>
+ <entry></entry>
+ <entry></entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ </section>
+ <section
+ id="Partition Configuration">
+ <title>Partition Configuration</title>
+ <para>TODO ???</para>
+ </section>
+ </section>
+ </section>
+ <section
+ id="LDAP Protocol Provider">
+ <title>LDAP Protocol Provider</title>
+ <important>
+ <title>Work in progress</title>
+ <para>This site is in the process of being reviewed and updated.</para>
+ </important>
+ <important>
+ <para>LDAP Protocol configuration is currently being revamped in the SASL branch, as part of making SASL
+ configurable.</para>
+ </important>
+ <section
+ id="Before LDAP Protocol Provider">
+ <title>Before</title>
+ <para>Previously, LDAP protocol configuration existed in the MutableServerStartupConfiguration, along with Core
+ and Partition configuration.</para>
+ <programlisting><![CDATA[
+ <bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
+ <property name="ldapPort" value="389" />
+ <property name="allowAnonymousAccess" value="false" />
+
+ <!-- limits searches by non-admin users to a max time of 15000 -->
+ <!-- milliseconds and has a default value of 10000 -->
+ <property name="maxTimeLimit" value="15000" />
+
+ <!-- limits searches to max size of 1000 entries: default value is 100 -->
+ <property name="maxSizeLimit" value="1000" />
+
+ <property name="extendedOperationHandlers">
+ <list>
+ <bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>
+ <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
+ <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
+ </list>
+ </property>
+ </bean>
+ ]]></programlisting>
+ </section>
+ <section
+ id="After LDAP Protocol Provider">
+ <title>After</title>
+ <para>At the same time as the addition of numerous configuration parameters for SASL, LDAP protocol configuration
+ has all moved to an LdapConfiguration bean.</para>
+ <programlisting><![CDATA[
+ <bean id="ldapConfiguration" class="org.apache.directory.server.ldap.LdapConfiguration">
+ <!-- The port to run the LDAP protocol on. -->
+ <property name="ipPort" value="389" />
+ <!-- Whether to allow anonymous access. -->
+ <property name="allowAnonymousAccess" value="true" />
+
+ <!-- BEGIN NEW SASL CONFIG -->
+
+ <!-- The list of supported authentication mechanisms. -->
+ <property name="supportedMechanisms">
+ <list>
+ <value>SIMPLE</value>
+ <value>CRAM-MD5</value>
+ <value>DIGEST-MD5</value>
+ <value>GSSAPI</value>
+ </list>
+ </property>
+
+ <!-- The FQDN of this SASL host, validated during SASL negotiation. -->
+ <property name="saslHost" value="ldap.example.com" />
+
+ <!-- The Kerberos principal name for this LDAP service, used by GSSAPI. -->
+ <property name="saslPrincipal" value="ldap/ldap.example.com@EXAMPLE.COM" />
+
+ <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI. -->
+ <property name="saslQop">
+ <list>
+ <value>auth</value>
+ <value>auth-int</value>
+ <value>auth-conf</value>
+ </list>
+ </property>
+
+ <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
+ <property name="saslRealms">
+ <list>
+ <value>example.com</value>
+ <value>apache.org</value>
+ </list>
+ </property>
+
+ <!-- The base DN containing users that can be SASL authenticated. -->
+ <property name="searchBaseDn" value="ou=users,dc=example,dc=com" />
+
+ <!-- END NEW SASL CONFIG -->
+
+ <!-- SSL CONFIG CAN GO HERE-->
+
+ <!-- limits searches by non-admin users to a max time of 15000 -->
+ <!-- milliseconds and has a default value of 10000 -->
+ <property name="maxTimeLimit" value="15000" />
+ <!-- limits searches to max size of 1000 entries: default value is 100 -->
+ <property name="maxSizeLimit" value="1000" />
+ <!-- the collection of extended operation handlers to install -->
+ <property name="extendedOperationHandlers">
+ <list>
+ <bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>
+ <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
+ <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
+ </list>
+ </property>
+ </bean>
+ ]]></programlisting>
+ <para>The LdapConfiguration bean is subordinate to the MutableServerStartupConfiguration.</para>
+ <programlisting><![CDATA[
+<bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
+ ...
+ <property name="ldapConfiguration" ref="ldapConfiguration" />
+ ...
+</bean>
+ ]]></programlisting>
+ </section>
+ <section
+ id="Common Service Configuration Parameters">
+ <title>Common Service Configuration Parameters</title>
+ <table
+ id="Common Service Configuration Parameters table">
+ <title>Common Service Configuration Parameters</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>enabled</entry>
+ <entry>true</entry>
+ <entry>Whether this service is enabled.</entry>
+ </row>
+ <row>
+ <entry>ipPort</entry>
+ <entry>389</entry>
+ <entry>The IP port for this service.</entry>
+ </row>
+ <row>
+ <entry>ipAddress</entry>
+ <entry>No default.</entry>
+ <entry>The IP address for this service.</entry>
+ </row>
+ <row>
+ <entry>searchBaseDn</entry>
+ <entry>"ou=users,dc=example,dc=com"</entry>
+ <entry>
+ The single location where users are stored. If this property is not set the store will search the system
+ partition configuration for catalog entries.
+ <emphasis
+ role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the
+ Config Admin service.</emphasis>
+ </entry>
+ </row>
+ <row>
+ <entry>initialContextFactory</entry>
+ <entry>"org.apache.directory.server.core.jndi.CoreContextFactory"</entry>
+ <entry>The JNDI initial context factory to use.</entry>
+ </row>
+ <row>
+ <entry>securityAuthentication</entry>
+ <entry>"simple"</entry>
+ <entry>The authentication mechanism to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>securityPrincipal</entry>
+ <entry>"uid=admin,ou=system"</entry>
+ <entry>The principal to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>securityCredentials</entry>
+ <entry>secret</entry>
+ <entry>The credentials to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>serviceName</entry>
+ <entry>Apache LDAP Service</entry>
+ <entry>The friendly name of this service.</entry>
+ </row>
+ <row>
+ <entry>servicePid</entry>
+ <entry>org.apache.directory.server.ldap</entry>
+ <entry>The PID for this service. A PID is a unique identifier for an instance of a service. PID's are used
+ by OSGi's Config Admin service to dynamically inject configuration into a service when the service is
+ started.</entry>
+ </row>
+ <row>
+ <entry>catalogBaseDn</entry>
+ <entry>No default.</entry>
+ <entry>
+ The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone
+ for DNS) to a search base DN. If this property is not set the store will expect a single search base DN
+ to be set.
+ <emphasis
+ role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the
+ Config Admin service.</emphasis>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ <section
+ id="LDAP-Specific Configuration Parameters">
+ <title>LDAP-Specific Configuration Parameters</title>
+ <table
+ id="LDAP-Specific Configuration Parameters table">
+ <title>LDAP-Specific Configuration Parameters</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>allowAnonymousAccess</entry>
+ <entry>true</entry>
+ <entry>Whether to allow anonymous access.</entry>
+ </row>
+ <row>
+ <entry>maxSizeLimit</entry>
+ <entry>100</entry>
+ <entry>The maximum size limit.</entry>
+ </row>
+ <row>
+ <entry>maxTimeLimit</entry>
+ <entry>10000</entry>
+ <entry>The maximum time limit.</entry>
+ </row>
+ <row>
+ <entry>enableLdaps</entry>
+ <entry>false</entry>
+ <entry>Whether LDAPS is enabled.</entry>
+ </row>
+ <row>
+ <entry>ldapsCertificateFile</entry>
+ <entry>server-work/certificates/server.cert</entry>
+ <entry>The path to the certificate file.</entry>
+ </row>
+ <row>
+ <entry>ldapsCertificatePassword</entry>
+ <entry>changeit</entry>
+ <entry>The certificate password.</entry>
+ </row>
+ <row>
+ <entry>extendedOperationHandlers</entry>
+ <entry>No default.</entry>
+ <entry>The extended operation handlers.</entry>
+ </row>
+ <row>
+ <entry>supportedMechanisms</entry>
+ <entry>SIMPLE, CRAM-MD5, DIGEST-MD5, GSSAPI</entry>
+ <entry>The supported authentication mechanisms.</entry>
+ </row>
+ <row>
+ <entry>saslHost</entry>
+ <entry>ldap.example.com</entry>
+ <entry>The name of this host, validated during SASL negotiation.</entry>
+ </row>
+ <row>
+ <entry>saslPrincipal</entry>
+ <entry>ldap/ldap.example.com@EXAMPLE.COM</entry>
+ <entry>The service principal, used by GSSAPI.</entry>
+ </row>
+ <row>
+ <entry>saslQop</entry>
+ <entry>auth, auth-int, auth-conf</entry>
+ <entry>The quality of protection (QoP), used by DIGEST-MD5 and GSSAPI.</entry>
+ </row>
+ <row>
+ <entry>saslRealms</entry>
+ <entry>example.com</entry>
+ <entry>The list of realms serviced by this host.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ <section
+ id="More Information">
+ <title>More Information</title>
+ <para>
+ For help with more advanced configurations, check out our
+ <link
+ xlink:href="http://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=DIRxSRVx10&title=Interoperability">Interoperability Guide</link>
+ .
+ </para>
+ </section>
+ </section>
+ <section
+ id="Kerberos Protocol Provider">
+ <title>Kerberos Protocol Provider</title>
+ <important>
+ <title>Work in progress</title>
+ <para>This site is in the process of being reviewed and updated.</para>
+ </important>
+ <itemizedlist>
+ <listitem>
+ <xref
+ linkend="Kerberos Protocol Configuration " />
+ </listitem>
+ <listitem>
+ <xref
+ linkend="Kerberos and Unlimited Strength Policy" />
+ </listitem>
+ <listitem>
+ <xref
+ linkend="Kerberos in ApacheDS 1.5.5" />
+ </listitem>
+ </itemizedlist>
+ <section
+ id="Introduction Kerberos Protocol Provider">
+ <title>Introduction</title>
+ <para>
+ The Kerberos provider for Apache Directory implements
+ <link
+ xlink:href="http://www.ietf.org/rfc/rfc1510.txt">RFC 1510</link>
+ , the Kerberos V5 Network Authentication
+ Service. The purpose of Kerberos is to verify the identities of
+ principals (users or services) on an unprotected
+ network. While generally thought of as a single-sign-on
+ technology, Kerberos' true strength is in authenticating
+ users without ever sending their password over the
+ network. Kerberos is designed for use on open (untrusted)
+ networks and, therefore, operates under the assumption
+ that packets traveling along the network can be read,
+ modified, and inserted at will.
+ <link
+ xlink:href="http://www.computerworld.com/computerworld/records/images/pdf/kerberos_chart.pdf">This chart</link>
+ provides a good
+ description of the protocol workflow.
+ </para>
+ <para>Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client,
+ the Kerberos server, and the network service being accessed.</para>
+ <para>The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the
+ Kerberos provider leverages Apache Directory's MINA for front-end services and the Apache Directory
+ read-optimized backing store via JNDI for persistent directory services.</para>
+ <para>The Kerberos provider for Apache Directory, in conjunction with MINA and the Apache Directory store,
+ provides an easy-to-use yet fully-featured network authentication service. As implemented within the Apache
+ Directory, the Kerberos provder will provide:</para>
+ <itemizedlist>
+ <listitem>
+ <para>Authentication service (RFC 1510)</para>
+ </listitem>
+ <listitem>
+ <para>Ticket-granting service (RFC 1510)</para>
+ </listitem>
+ <listitem>
+ <para>Pre-authentication support (RFC 1510)</para>
+ </listitem>
+ <listitem>
+ <para>DES encryption systems (RFC 1510)</para>
+ </listitem>
+ <listitem>
+ <para>Triple-DES (DES3) encryption systems</para>
+ </listitem>
+ <listitem>
+ <para>UDP and TCP Support (MINA)</para>
+ </listitem>
+ <listitem>
+ <para>Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi</para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
+ id="More Information Kerberos Protocol Provider">
+ <title>More Information</title>
+ <para>
+ For help with Kerberos client configurations, check out our
+ <link
+ xlink:href="http://cwiki.apache.org/DIRxINTEROP">Interoperability Guide</link>
+ .
+ </para>
+ </section>
+ <section
+ id="Resources Kerberos Protocol Provider">
+ <title>Resources</title>
+ <section
+ id="Kerberos Articles">
+ <title>Kerberos Articles</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www.linuxjournal.com/article/7336">Centralized Authentication with Kerberos 5, Part I</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www.linuxjournal.com/article/7334">Centralized Authorization Using a Directory Service, Part II</link>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
+ id="Microsoft Interoperability">
+ <title>Microsoft Interoperability</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://msdn.microsoft.com/library/default.asp?url=%2Flibrary%2Fen-us%2Fdnsecure%2Fhtml%2Fhttp-sso-2.asp">HTTP-Based Cross-Platform Authentication via the Negotiate Protocol</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism">RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism</link>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
+ id="Standards">
+ <title>Standards</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-crypto-07.txt">Encryption and Checksum Specifications for Kerberos 5</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-ietf-cat-kerb-key-derivation-00.txt">Key Derivation for Kerberos V5</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-horowitz-key-derivation-00.txt">Key Derivation for Authentication, Integrity, and Privacy</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc1510.html">RFC 1510 - The Kerberos Network Authentication Service (V5)</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc1964.html">RFC 1964 - The Kerberos Version 5 GSS-API Mechanism</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www-106.ibm.com/developerworks/java/library/j-gss-sso/">Simplify enterprise Java authentication with single sign-on</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos/">Lock down J2ME applications with Kerberos, Part 1: Introducing Kerberos data formats</link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos2.html">Lock down J2ME applications with Kerberos, Part 2: Authoring a request for a Kerberos ticket
+ </link>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link
+ xlink:href="http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos3/">Lock down J2ME applications with Kerberos, Part 3: Establish secure communication with an
+ e-bank</link>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ </section>
+ <section
+ id="Kerberos Protocol Configuration">
+ <title>Kerberos Protocol Configuration</title>
+ <important>
+ <title>Work in progress</title>
+ <para>This site is in the process of being reviewed and updated.</para>
+ </important>
+ <section
+ id="Before Kerberos Protocol Configuration">
+ <title>Before</title>
+ <para>Previously, Kerberos protocol configuration existed in a PropertiesFactoryBean, along with JNDI
+ environment properties.</para>
+ <programlisting><![CDATA[
+<bean id="environment" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+ <property name="properties">
+ <props>
+ <prop key="java.naming.security.authentication">simple</prop>
+ <prop key="java.naming.security.principal">uid=admin,ou=system</prop>
+ <prop key="java.naming.security.credentials">secret</prop>
+ <prop key="kdc.entryBaseDn">ou=users,dc=example,dc=com</prop>
+ <prop key="kdc.java.naming.security.credentials">secret</prop>
+ </props>
+ </property>
+</bean>
+ ]]></programlisting>
+ </section>
+ <section
+ id="After Kerberos Protocol Configuration">
+ <title>After</title>
+ <para>At the same time as the addition of numerous configuration parameters for SASL to the LDAP protocol,
+ Kerberos configuration has all moved to a KdcConfiguration bean.</para>
+ <programlisting><![CDATA[
+<bean id="kdcConfiguration" class="org.apache.directory.server.kerberos.kdc.KdcConfiguration">
+ <!-- The port to run the Kerberos protocol on. -->
+ <property name="ipPort" value="88" />
+</bean>
+ ]]></programlisting>
+ <para>The KdcConfiguration bean is subordinate to the MutableServerStartupConfiguration.</para>
+ <programlisting><![CDATA[
+<bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
+ ...
+ <property name="kdcConfiguration" ref="kdcConfiguration" />
+ ...
+</bean>
+ ]]></programlisting>
+ </section>
+ <section
+ id="Common Service Configuration Parameters Kerberos Protocol Configuration">
+ <title>Common Service Configuration Parameters</title>
+ <table
+ id="table Common Service Configuration Parameters Kerberos Protocol Configuration">
+ <title>Common Service Configuration Parameters</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>enabled</entry>
+ <entry>false</entry>
+ <entry>Whether this service is enabled.</entry>
+ </row>
+ <row>
+ <entry>ipPort</entry>
+ <entry>88</entry>
+ <entry>The IP port for this service.</entry>
+ </row>
+ <row>
+ <entry>ipAddress</entry>
+ <entry>No default.</entry>
+ <entry>The IP address for this service.</entry>
+ </row>
+ <row>
+ <entry>searchBaseDn</entry>
+ <entry>"ou=users,dc=example,dc=com"</entry>
+ <entry>
+ The single location where principals are stored. If this property is not set the store will search the
+ system partition configuration for catalog entries.
+ <emphasis
+ role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using
+ the Config Admin service.</emphasis>
+ </entry>
+ </row>
+ <row>
+ <entry>initialContextFactory</entry>
+ <entry>"org.apache.directory.server.core.jndi.CoreContextFactory"</entry>
+ <entry>The JNDI initial context factory to use.</entry>
+ </row>
+ <row>
+ <entry>securityAuthentication</entry>
+ <entry>"simple"</entry>
+ <entry>The authentication mechanism to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>securityPrincipal</entry>
+ <entry>"uid=admin,ou=system"</entry>
+ <entry>The principal to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>securityCredentials</entry>
+ <entry>"secret"</entry>
+ <entry>The credentials to use for establishing a JNDI context.</entry>
+ </row>
+ <row>
+ <entry>serviceName</entry>
+ <entry>Apache Kerberos Service</entry>
+ <entry>The friendly name of this service.</entry>
+ </row>
+ <row>
+ <entry>servicePid</entry>
+ <entry>org.apache.kerberos</entry>
+ <entry>The PID for this service. A PID is a unique identifier for an instance of a service. PID's are
+ used by OSGi's Config Admin service to dynamically inject configuration into a service when the
+ service is started.</entry>
+ </row>
+ <row>
+ <entry>catalogBaseDn</entry>
+ <entry>No default.</entry>
+ <entry>
+ The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone
+ for DNS) to a search base DN. If this property is not set the store will expect a single search base
+ DN to be set.
+ <emphasis
+ role="bold">Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using
+ the Config Admin service.</emphasis>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ <section
+ id="Kerberos-Specific Configuration Parameters Kerberos Protocol Configuration">
+ <title>Kerberos-Specific Configuration Parameters</title>
+ <table
+ id="table Kerberos Protocol Configuration Kerberos-Specific Configuration Parameters">
+ <title>Kerberos-Specific Configuration Parameters</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Default value</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>encryptionTypes</entry>
+ <entry>des-cbc-md5</entry>
+ <entry>The encryption types.</entry>
+ </row>
+ <row>
+ <entry>primaryRealm</entry>
+ <entry>EXAMPLE.COM</entry>
+ <entry>The primary realm.</entry>
+ </row>
+ <row>
+ <entry>servicePrincipal</entry>
+ <entry>krbtgt/EXAMPLE.COM@EXAMPLE.COM</entry>
+ <entry>The service principal name.</entry>
+ </row>
+ <row>
+ <entry>allowableClockSkew</entry>
+ <entry>5 minutes</entry>
+ <entry>The allowable clock skew.</entry>
+ </row>
+ <row>
+ <entry>paEncTimestampRequired</entry>
+ <entry>true</entry>
+ <entry>Whether pre-authentication by encrypted timestamp is required.</entry>
+ </row>
+ <row>
+ <entry>maximumTicketLifetime</entry>
+ <entry>1440 (24 hours)</entry>
+ <entry>The maximum ticket lifetime.</entry>
+ </row>
+ <row>
+ <entry>maximumRenewableLifetime</entry>
+ <entry>10080 (1 week)</entry>
+ <entry>The maximum renewable lifetime.</entry>
+ </row>
+ <row>
+ <entry>emptyAddressesAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether ticket issuance for empty Host Addresses is allowed.</entry>
+ </row>
+ <row>
+ <entry>forwardableAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether forwardable tickets are allowed.</entry>
+ </row>
+ <row>
+ <entry>proxiableAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether proxiable tickets are allowed.</entry>
+ </row>
+ <row>
+ <entry>postdateAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether postdated tickets are allowed.</entry>
+ </row>
+ <row>
+ <entry>renewableAllowed</entry>
+ <entry>true</entry>
+ <entry>Whether renewable tickets are allowed.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ <section
+ id="More Information Kerberos Protocol Configuration">
+ <title>More Information</title>
+ <para>
+ For help with more advanced configurations, check out our
+ <link
+ xlink:href="http://cwiki.apache.org/DIRxINTEROP">Interoperability Guide</link>
+ .
+ </para>
+ </section>
+ </section>
+ <section
+ id="Kerberos and Unlimited Strength Policy">
+ <title>Kerberos and Unlimited Strength Policy</title>
+ <important>
+ <title>Work in progress</title>
+ <para>This site is in the process of being reviewed and updated.</para>
+ </important>
+ <section
+ id="Introduction Kerberos and Unlimited Strength Policy">
+ <title>Introduction</title>
+ <para>Due to export control restrictions, JDK 5.0 environments do not ship with support for AES-256 enabled.
+ Kerberos uses AES-256 in the 'aes256-cts-hmac-sha1-96' encryption type. To enable AES-256, you must download
+ "unlimited strength" policy JAR files for your JRE. Policy JAR files are signed by the JRE vendor so you
+ must
+ download policy JAR files for Sun, IBM, etc. separately. Also, policy files may be different for each
+ platform, such as i386, Solaris, or HP.</para>
+ </section>
+ <section
+ id="Installation Kerberos and Unlimited Strength Policy">
+ <title>Installation</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ Download the unlimited strength policy JAR files.
+ <table
+ id="table Download the unlimited strength policy JAR files">
+ <title>Download the unlimited strength policy JAR files</title>
+ <tgroup
+ cols="3">
+ <thead>
+ <row>
+ <entry>Vendor</entry>
+ <entry>Link</entry>
+ <entry>Details</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>IBM</entry>
+ <entry>
+ <link
+ xlink:href="http://www.ibm.com/developerworks/java/jdk/security/50/">IBM Security information</link>
+ </entry>
+ <entry>Scroll down to "IBM SDK Policy files." The same files are used for the Version 1.4 and
+ Version 5 SDKs.</entry>
+ </row>
+ <row>
+ <entry>Sun</entry>
+ <entry>
+ <link
+ xlink:href="http://java.sun.com/javase/downloads/index_jdk5.jsp">Java SE Downloads - Previous Release - JDK 5</link>
+ </entry>
+ <entry>Scroll down to "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy
+ Files 5.0" under "Other Downloads"</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Extract the unlimited strength policy JAR files.
+ <table
+ id="table Extract the unlimited strength policy JAR files">
+ <title>Extract the unlimited strength policy JAR files</title>
+ <tgroup
+ cols="2">
+ <thead>
+ <row>
+ <entry>File</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>local_policy.jar</entry>
+ <entry>Unlimited strength local policy file</entry>
+ </row>
+ <row>
+ <entry>US_export_policy.jar</entry>
+ <entry>Unlimited strength US export policy file</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ </listitem>
+ <listitem>
+ <para>Install
+ the unlimited strength policy JAR files by copying them to the standard location.
+ <jre-home> refers
+ to the directory where the J2SE Runtime Environment (JRE) was installed. Adjust
+ pathname separators for
+ your environment.
+ <table
+ id="table Install the unlimited strength policy JAR files">
+ <title>Install the unlimited strength policy JAR files</title>
+ <tgroup
+ cols="2">
+ <thead>
+ <row>
+ <entry>Standard Location</entry>
+ <entry>Platform</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><jre-home>/lib/security</entry>
+ <entry>Solaris</entry>
+ </row>
+ <row>
+ <entry><jre-home>\lib\security</entry>
+ <entry>Win32</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ </listitem>
+ <listitem>
+ <para>Optionally, create subfolders in <jre-home>/lib/security, named, for example, "limited" and
+ "unlimited" so you can switch between policy files easily, by copying the policy JAR files from one of
+ the
+ subfolders to the <jre-home>/lib/security directory.</para>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
+ <section
+ id="Kerberos in ApacheDS 1.5.5">
+ <title>Kerberos in ApacheDS 1.5.5</title>
+ <tip>
+ <title>ApacheDS 1.5.5</title>
+ <para>This site was updated for ApacheDS 1.5.5.</para>
+ </tip>
+ <section
+ id="Overview Kerberos in ApacheDS 1.5.5">
+ <title>Overview</title>
+ <para>This page shows how to activate and setup the KDC server of ApacheDS 1.5.5 (build from trunk
+ 2009-08-04).
+ This is a very simple setup (host: localhost, realm: EXAMPLE.COM). Need to check the setup for
+ other hosts and
+ realms...</para>
+ </section>
+ <section
+ id="Activate Kerberos Kerberos in ApacheDS 1.5.5">
+ <title>Activate Kerberos</title>
+ <para>Acivate the keyDerivationInterceptor and the kdcServer. Also set saslHost and saslPrincipal to
+ localhost.
+ Add entries for users not before you have activated those elements, otherwise the krb5Key won't
+ be created!
+ </para>
+ <para>
+ server.xml
+ <programlisting><![CDATA[
+<spring:beans ...>
+ <defaultDirectoryService ...>
+ ...
+ <interceptors>
+ ...
+ <keyDerivationInterceptor/>
+ ...
+ </interceptors>
+ </defaultDirectoryService>
+ ...
+
+ <!--
+ +============================================================+
+ | Kerberos server configuration |
+ +============================================================+
+ -->
+ <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
+ <transports>
+ <tcpTransport port="60088" nbThreads="4" backLog="50"/>
+ <udpTransport port="60088" nbThreads="4" backLog="50"/>
+ </transports>
+ <directoryService>#directoryService</directoryService>
+ </kdcServer>
+
+ ...
+
+ <ldapServer ...
+ saslHost="localhost"
+ saslPrincipal="ldap/localhost@EXAMPLE.COM"
+ searchBaseDn="ou=users,dc=example,dc=com"
+ ...>
+ ...
+
+</spring:beans>
+ ]]></programlisting>
+ </para>
+ <para>
+ Here is a complete server.xml:
+ <link
+ xlink:href="data/server.xml">server.xml</link>
+ </para>
+ </section>
+ <section
+ id="Optional: Logging">
+ <title>Optional: Logging</title>
+ <para>
+ Configure debug level logging in log4j.properties:
+ <programlisting><![CDATA[
+log4j.logger.org.apache.directory.server.kerberos=DEBUG
+ ]]></programlisting>
+ </para>
+ </section>
+ <section
+ id="Restart the Server Kerberos in ApacheDS 1.5.5">
+ <title>Restart the Server</title>
+ <para>
+ Restart the server, you should see the following output:
+ <programlisting><![CDATA[
+Starting the Kerberos server
+ _ _ _ __ ____ ___
+ / \ _ __ ___ ___| |__ ___| |/ /| _ \ / __|
+ / _ \ | '_ \ / _` |/ __| '_ \ / _ \ ' / | | | / /
+ / ___ \| |_) | (_| | (__| | | | __/ . \ | |_| \ \__
+ /_/ \_\ .__/ \__,_|\___|_| |_|\___|_|\_\|____/ \___|
+ |_|
+
+[19:28:03] INFO [org.apache.directory.server.kerberos.kdc.KdcServer] - Kerberos service started.
+Kerberos service started.
+Kerberos server started
+ ]]></programlisting>
+ </para>
+ </section>
+ <section
+ id="Load User Data Kerberos in ApacheDS 1.5.5">
+ <title>Load User Data</title>
+ <para>
+ Load the following data into the server, e.g. using Apache Directory Studio:
+ <link
+ xlink:href="data/kdc-data.ldif">kdc-data.ldif</link>
+ </para>
+ <para>Note: The activated keyDerivationInterceptor automatically creates the krb5Key attributes:</para>
+ <figure
+ id="The activated keyDerivationInterceptor automatically creates the krb5Key attributes figure">
+ <title>The activated keyDerivationInterceptor automatically creates the krb5Key attributes</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata
+ fileref="images/kdc1.png" />
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </section>
+ <section
+ id="Authenticate using kinit (Unix/Linux)">
+ <title>Authenticate using kinit (Unix/Linux)</title>
+ <para>Make sure kinit is installed.</para>
+ <para>A minimal /etc/krb5.conf file looks as follows (make sure the port matches!):</para>
+ <programlisting><![CDATA[
+[libdefaults]
+ default_realm = EXAMPLE.COM
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = localhost:60088
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+
+[login]
+ krb4_convert = true
+ krb4_get_tickets = false
+ ]]></programlisting>
+ <para>Then try to authenticate, password is 'secret':</para>
+ <screen><![CDATA[
+stefan@r61:~$ kinit hnelson@EXAMPLE.COM
+Password for hnelson@EXAMPLE.COM:
+
+stefan@r61:~$ klist
+Ticket cache: FILE:/tmp/krb5cc_1000
+Default principal: hnelson@EXAMPLE.COM
+
+Valid starting Expires Service principal
+08/04/09 19:54:22 08/05/09 19:54:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
+
+
+Kerberos 4 ticket cache: /tmp/tkt1000
+klist: You have no tickets cached
+ ]]></screen>
+ </section>
+ <section
+ id="Authenticate using Apache Directory Studio">
+ <title>Authenticate using Apache Directory Studio</title>
+ <para>You can also configure Apache Directory Studio to use Kerberos (GSSAPI) for authentication. If you use
+ the
+ following authentication parameters you don't need to configure any Kerberos settings in your native
+ operating
+ system.</para>
+ <figure
+ id="Authenticate using Apache Directory Studio figure">
+ <title>Authenticate using Apache Directory Studio</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata
+ fileref="images/kdc2.png" />
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </section>
+ </section>
+ </section>
+ <section
+ id="Change Password Protocol Provider">
+ <title>Change Password Protocol Provider</title>
+ <section
+ id="Introduction Change Password Protocol Provider">
+ <title>Introduction</title>
+ <para>
+ The Change Password service is a protocol provider that implements
+ <link
+ xlink:href="http://www.faqs.org/rfcs/rfc3244.html">RFC 3244</link>
+ to service Kerberos Change Password and Set Password Protocol requests. Change Password is a request-reply
+ protocol that uses Kerberos infrastructure to allow users to securely set initial passwords or to change
+ existing passwords. The Change Password protocol interoperates with the original Kerberos Change Password
+ protocol, while adding the ability for an administrator to set a password for a new user.
+ </para>
+ <para>The Change Password service is implemented as a protocol-provider plugin for the Apache Directory server. As
+ a plugin, Change Password leverages Apache MINA for front-end services and the Apache Directory read-optimized
+ backing store via JNDI for persistent directory services.</para>
+ <para>Change Password, in conjunction with MINA and the Apache Directory, provides an easy-to-use yet
+ fully-featured password service. As implemented within the Apache Directory, Change Password will provide:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>Original Kerberos password changing service</para>
+ </listitem>
+ <listitem>
+ <para>Initial password setting service (RFC 3244)</para>
+ </listitem>
+ <listitem>
+ <para>Optional LDAP management</para>
+ </listitem>
+ <listitem>
+ <para>UDP and TCP Support (MINA)</para>
+ </listitem>
+ <listitem>
+ <para>Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi</para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
+ id="Changing Passwords with Windows 2003">
+ <title>Changing Passwords with Windows 2003</title>
+ <section
+ id="Configure the Windows 2003 workstation to use an Apache Change Password server">
+ <title>Configure the Windows 2003 workstation to use an Apache Change Password server</title>
+ <screen><![CDATA[
+C:> Ksetup /addkpasswd REALM.EXAMPLE.COM kdc.realm.example.com
+ ]]></screen>
+ </section>
+ <section
+ id="Change a password using Windows Security">
+ <title>Change a password using Windows Security</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ After logging on, press CTRL+ALT+DEL.
+ <figure
+ id="Windows Security figure">
+ <title>Windows Security</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata
+ fileref="images/security.jpg" />
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </para>
+ </listitem>
+ <listitem>
+ <para>Click on the button labeled "Change Password ..."</para>
+ </listitem>
+ <listitem>
+ <para>
+ Enter the Old Password and New Password (twice) and click OK.
+ <figure
+ id="Windows Change Password figure">
+ <title>Windows Change Password</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata
+ fileref="images/changepw.jpg" />
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ <section
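Review bot: the section and figure ids in this hunk (e.g. `id="Load User Data Kerberos in ApacheDS 1.5.5"`, `id="Authenticate using kinit (Unix/Linux)"`, `id="Windows Security figure"`) contain spaces, parentheses and a slash, which are not valid XML ID (NCName) values, and since the chapter declares DocBook `version="5.0"` the attribute should be `xml:id` rather than `id`; renaming them to NCName-style values such as `kerberos-load-user-data` is needed for the file to validate and for cross-references to resolve. Two smaller points: the sample `/etc/krb5.conf` that is described as "minimal" carries a `[login]` block with `krb4_convert` and `krb4_get_tickets`, Kerberos 4 settings that nothing else in the procedure uses, so it could be dropped (the "Kerberos 4 ticket cache" lines in the quoted klist output are the only trace of it); and the Windows 2003 subsection is a bare `Ksetup /addkpasswd REALM.EXAMPLE.COM kdc.realm.example.com` with no sentence saying that the first argument is the realm and the second the Change Password server host, and it uses the realm REALM.EXAMPLE.COM while the kinit example uses EXAMPLE.COM, so a one-line explanation and a consistent realm name would help readers who follow both sections.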
[... 856 lines stripped ...]