Author: buildbot Date: Sun Feb 10 03:11:39 2013 New Revision: 850090 Log: Staging update by buildbot for directory Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html Modified: websites/staging/directory/trunk/content/ (props changed) websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Sun Feb 10 03:11:39 2013 @@ -1 +1 @@ -1444345 +1444475 Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html (original) +++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1-introduction.html Sun Feb 10 03:11:39 2013 @@ -153,6 +153,14 @@

We also have a complete configuration GUI in Studio, which allows administrators to tweak their server in a convenient way.

The Kerberos provider for Apache Directory implements RFC 1510 and RFC 4120 , the Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos' true strength is in authenticating users without ever sending their password over the network. Kerberos is designed for use on open (untrusted) networks and, therefore, operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. This chart provides a good description of the protocol workflow.

Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server, and the network service being accessed.

+

What is it all about ?

+

The isea is to have a server being able to deliver a user some tickets that can be used by services. Those tickets are trusted for a certain period of time. The most important point is that the service does not have to ask any server to validate those tickets : they are trusted because they have been generated by a trusted server.

+

This is a two rounds process : +1 - The client request a Ticket to the Kerberos server +2 - The client submit the ticket to the requested service

+

The the client is authenticated.

+

In any case, there is no way to fake an identity or to forge a ticket that can be used, nor one can reuse a Ticket that has already been used.

+

Apache Kerberos Server

The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the Kerberos provider leverages Apache MINA for front-end services and the Apache Directory read-optimized backing store for persistent directory services.

The Kerberos server for Apache Directory, in conjunction with MINA and the Apache Directory store, provides an easy-to-use yet fully-featured network authentication service. As implemented within the Apache Directory, the Kerberos provder will provide:
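Review bot: the added paragraph beginning "In any case, there is no way to fake an identity" overstates what the protocol guarantees. A Kerberos ticket is not single-use; a service ticket is reusable for its whole lifetime, and what the protocol prevents is replay of the authenticator that accompanies the ticket, and only within the clock-skew window and only where the service keeps a replay cache. The paragraph beginning "The isea is to have a server" should also say why the service needs no round trip to the KDC: the ticket is encrypted under the service's own long-term key, so the service verifies it locally rather than simply "trusting" it because a trusted server issued it. Typos to fix in the same hunk: "isea" should read "idea", "two rounds process" should read "two-step process", "The client request a Ticket" and "The client submit the ticket" need "requests" and "submits", "The the client is authenticated" should read "Then the client is authenticated", and the heading "What is it all about ?" has a stray space before the question mark.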