Author: elecharny
Date: Thu Nov 28 17:54:23 2013
New Revision: 1546411
URL: http://svn.apache.org/r1546411
Log:
Deleted the LDAP Con banner, fixed some formatting
Added:
directory/site/trunk/content/images/browse.graphml
Removed:
directory/site/trunk/content/images/banner-ldapcon-2013.png
Modified:
directory/site/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.mdtext
Modified: directory/site/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.mdtext?rev=1546411&r1=1546410&r2=1546411&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.mdtext (original)
+++ directory/site/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.mdtext Thu Nov 28 17:54:23 2013
@@ -27,7 +27,7 @@ Notice: Licensed to the Apache Software
We will explain how to use the kerberos server to authentify users on a LDAP server. Let's
first define the way we will store data in the LDAP server
<DIV class="info" markdown="1">
-We will suppose that the **Kerberos** server is installed on a server which _hostName_ is
**example.net** and the _realm_ is **EXAMPLE.COM** in the following paragraphes.
+We will suppose that the <strong>Kerberos</strong> server is installed on a server
which <em>hostName</em> is <strong>example.net</strong> and the <em>realm/em>
is <strong>EXAMPLE.COM</strong> in the following paragraphes.
</DIV>
## Servers configuration
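Review bot: the added line `<em>realm/em>` (second line of the replacement text) is missing the `<` of its closing tag, so the `<em>` element is never closed and the rest of the info block renders in italics; it should read `<em>realm</em>`. The same block keeps a couple of spelling slips that could go in the same pass: "paragraphes" should be "paragraphs", and "which _hostName_ is" reads better as "whose hostname is"; the unchanged context line above also has "authentify" for "authenticate".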
@@ -36,27 +36,19 @@ We first have to configure the **LDAP**
If you have installed the **ApacheDS** package, the simplest way is to start the server,
and to connect on it using Studio, using the _uid=admin,ou=system_ user with _secret_ as a
password (this password will have to be changed later !).
-<DIV align="center">

-</DIV>
and :
-<DIV align="center">

-</DIV>
Once connected, right click on the connection :
-<DIV align="center">

-</DIV>
On the **Overview** tab, check the **Enable Kerberos Server** box :
-<DIV align="center">

-</DIV>
### LDAP Server configuration
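Review bot: removing the `<DIV align="center">` wrappers leaves only a blank context line between each caption ("and :", "Once connected, right click on the connection :") and the next sentence, so please confirm that the image references those wrappers enclosed are still present in the file and render acceptably without centering; in this view the hunk drops the wrapper and nothing visible replaces it. Small nits in the context lines while you are here: "connect on it" should be "connect to it", and the space before "!" and ":" is inconsistent with the rest of the site.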
@@ -67,14 +59,12 @@ There are a few parameters that are to b
* The _Search Base DN_ should point to the place under which we store users and services
(_dc=security,dc=example,dc=com_)
<DIV class="warning" markdown="1">
-The _SASL principal_ instance part (ie, **example.net**) is in lower case, as the hostname
is not case sensitive. Sadly, the _KrbPrincipalName_ attributeType is case sensitive, so if
the left part is not lowercased, the server won't be able to retrieve the information from
the LDAP server.
+The _SASL principal_ instance part (ie, <strong>example.net</strong>) is in lower
case, as the hostname is not case sensitive. Sadly, the <em>KrbPrincipalName</em>
attributeType is case sensitive, so if the left part is not lowercased, the server won't be
able to retrieve the information from the LDAP server.
</DIV>
Here is a snapshot of this configuration :
-<DIV align="center">

-</DIV>
### Kerberos Server configuration
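Review bot: the replacement keeps Markdown emphasis (`_SASL principal_`) next to the new HTML tags (`<strong>example.net</strong>`, `<em>KrbPrincipalName</em>`) inside the same `markdown="1"` block; since the point of this change is to stop relying on Markdown emphasis inside the DIV, `_SASL principal_` should become `<em>SASL principal</em>` as well. Also, "the left part" is ambiguous for a principal written as service/instance@REALM; saying "the instance part" explicitly would make the case-sensitivity warning clearer, and "ie," should be "i.e.,".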
@@ -86,9 +76,7 @@ Now, you can switch to the Kerberos tab,
Here is a Ssnapshot of this configuration :
-<DIV align="center">

-</DIV>
Once those modifications have been done, you must restart the server.
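Review bot: the context line "Here is a Ssnapshot of this configuration :" carries a typo ("Ssnapshot"); since this hunk already touches the lines right below it, fixing it here would avoid a follow-up commit.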
@@ -120,9 +108,7 @@ Each user and each service will be decla
We will store those entries in a part of the **DIT** where the kerberos server and the ldap
server will be able to find them. Assuming we have created our own partition named **dc=example,dc=com**,
we will define this hierarchy starting from there :
-<DIV align="center">

-</DIV>
This can be injected in the LDAP server using this LDIF :
@@ -172,7 +158,7 @@ For our sample test, here is a person we
This user does not have a password yet.
<DIV class="info" markdown="1">
-The import thing is the _krb5PrincipalName_, which is the one that will be used to bind the
user. It has a user login (**hnelson**) and a realm (**EXAMPLE.COM**).
+The import thing is the <em>krb5PrincipalName</em>, which is the one that will
be used to bind the user. It has a user login (<strong>hnelson</strong>) and a
realm (<strong>EXAMPLE.COM</strong>).
</DIV>
Once the user has been injected, we can see that the server has created some krb5Key attributes
:
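Review bot: "The import thing is" is carried over verbatim into the rewritten line and should read "The important thing is". Since `krb5PrincipalName` names an attribute type, `<code>` would also fit it better than `<em>`, though `<em>` is at least consistent with the rest of this patch.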
@@ -242,8 +228,8 @@ Here is the associated LDIF file :
Three important things :
- the userPassword is 'randomkey'. The key will not be generated based on a know password,
they will use a random key.
-- the _krb5PrincipalName_ has one more information, after the / character : _EXAMPLE.COM_
for
- the **krbtgt** service, and _example.net_ for the **ldap** service. For the **krbtgt**
principal, the instance is always the realm name. For the **ldap** principal, the instance
is the hostname, in lowercase.
+- the <em>krb5PrincipalName</em> has one more information, after the / character
: _EXAMPLE.COM_ for
+ the <strong>krbtgt</strong> service, and _example.net_ for the <strong>ldap</strong>
service. For the <strong>krbtgt</strong> principal, the instance is always the
realm name. For the <strong>ldap</strong> principal, the instance is the hostname,
in lowercase.
- the krb5KeyVersionNumber is 0
</DIV>
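Review bot: the rewritten bullet mixes `_EXAMPLE.COM_` / `_example.net_` Markdown italics with the new `<strong>` tags on the same lines; for consistency with the rest of this patch those should become `<em>EXAMPLE.COM</em>` and `<em>example.net</em>`. The wording "has one more information" is also not idiomatic ("carries one more piece of information"), and the unchanged line above has "know password" for "known password".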
@@ -257,9 +243,7 @@ Now that the server is set, and the serv
On the "Connections" tab, right click and select 'New Connection...'
-<DIV align="center">

-</DIV>
You will now have to set the network parameters, as in the following popup. Typically, set
:
@@ -273,9 +257,7 @@ You can check the connection on cliking
Here is the screenshot :
-<DIV align="center">

-</DIV>
Then click on Next to setup the authentication part.
Select the following parameters and values :
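Review bot: the context line "Then click on Next to setup the authentication part." should use the verb form "set up", and the hunk header's "cliking" is "clicking"; both are one-word fixes that fit a formatting-only commit.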
@@ -293,9 +275,7 @@ Select the following parameters and valu
Here is the resulting screen :
-<DIV align="center">

-</DIV>
Clinking in the 'Check Authentication' buton should be succesfull.
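Review bot: the trailing context line "Clinking in the 'Check Authentication' buton should be succesfull." has three typos ("Clicking", "button", "successful") and would have fit in this formatting-only commit.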