Title: 1.1 - Introduction
NavPrev: 1-kerberos.html
NavPrevText: 1 - What is Kerberos ?
NavUp: 1-kerberos.html
NavUpText: 1 - What is Kerberos ?
NavNext: 1.1.1-realms.html
NavNextText: 1.1.1 - Realms
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
## Table of contents
* [1.1.1 - Realms](1.1.1-realms.html)
* [1.1.2 - Principal](1.1.2-Principal.html)
* [1.1.3 - Keys](1.1.3-keys.html)
* [1.1.4 - KDC (Key Distribution Center)](1.1.4-kdc.html)
* [1.1.5 - Database](1.1.5-database.html)
* [1.1.6 - AS (Authentication Server)](1.1.6-as.html)
* [1.1.7 - TGS (Ticket Granting Server)](1.1.7-tgs.html)
* [1.1.8 - Tickets](1.1.8-tickets.html)
# 1.1 - Introduction
The **Kerberos** server is a part of the **Apache Directory Server**: it uses the **LDAP** server as a backend, but has its own network layer. This makes it easy to install, compared to other solutions where you have two components: a backend (typically an LDAP server) on one side, and the Kerberos server on the other.
We also have decent GUI support for editing the configuration in Studio, which allows administrators to tweak their server's functionality in a convenient way.
The Kerberos server of Apache Directory implements RFC 1510 and RFC 4120, the Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos's true strength is in authenticating users without ever sending their passwords over the network. Kerberos is designed for use in open (untrusted) networks and, therefore, operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. This chart provides a good description of the protocol workflow.
Kerberos is named after the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server, and the network service being accessed.
## What is it all about?
The idea is to have a server that can deliver tickets to a user, which the user then presents to services. Those tickets are trusted for a certain period of time. The most important point is that the service does not have to ask any server to validate those tickets: they are trusted because they have been generated by a trusted server.
This is a two-round process:
1 - The client requests a ticket from the Kerberos server
2 - The client submits the ticket to the requested service
The client is then authenticated.
In any case, there is no way to fake an identity or to forge a ticket for accessing a service, nor can one reuse a ticket that has already been used.
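To make the two-round flow concrete, here is an added example (not code from Apache Directory) that models the three parties in Python: the KDC issues a ticket sealed with the service's key, the client presents it with a fresh authenticator, and the service validates it locally, including the expiry and replay checks. It assumes HMAC-SHA256 as a stand-in for the Kerberos encryption types (integrity only, so the ticket is readable here; a real ticket is encrypted under the service key) and hands the session key straight to the client, where the real protocol returns it encrypted under the client's key.

```python
import hashlib
import hmac
import json
import os

# Stand-in for the Kerberos enctypes: HMAC-SHA256 gives integrity only, so the
# "sealed" ticket is readable here; a real KDC encrypts it under the service
# key. (Assumption made so the example runs on the standard library.)
def seal(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def open_sealed(key, blob):
    body = bytes.fromhex(blob["body"])
    expect = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(blob["tag"], expect) else None

# Round 1: the KDC issues a ticket for service `svc` to principal `client`.
# `service_keys` plays the KDC database; only the KDC and the service know a key.
def kdc_issue_ticket(service_keys, client, svc, now, lifetime=300):
    session_key = os.urandom(32)
    ticket = seal(service_keys[svc], {"client": client, "service": svc,
                                      "skey": session_key.hex(), "expires": now + lifetime})
    return ticket, session_key  # a real KDC returns it encrypted under the client's key

# Round 2: the client sends the ticket plus an authenticator (its name and a
# fresh timestamp) protected with the session key it shares with the service.
def client_request(ticket, session_key, client, now):
    return {"ticket": ticket, "auth": seal(session_key, {"client": client, "ts": now})}

# The service validates everything locally: no call back to the KDC is needed.
def service_accept(service_key, svc, replay_cache, req, now, max_skew=60):
    t = open_sealed(service_key, req["ticket"])
    if t is None or t["service"] != svc or now > t["expires"]:
        return False  # forged or modified ticket, wrong service, or expired
    a = open_sealed(bytes.fromhex(t["skey"]), req["auth"])
    if a is None or a["client"] != t["client"] or abs(now - a["ts"]) > max_skew:
        return False  # authenticator not built with the session key, or stale
    if (a["client"], a["ts"]) in replay_cache:
        return False  # same authenticator seen before: reject the replay
    replay_cache.add((a["client"], a["ts"]))
    return True
```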
## Apache Kerberos Server
The Apache Directory Kerberos server uses **Apache MINA** as its networking layer and the **Apache Directory** server as the backend
for storing principals and their associated keys.
The Kerberos server provides:
* Authentication service
* Ticket-granting service
* Pre-authentication support (PA-ENC-TIMESTAMP)
* Support for the des-cbc-md5, des3-cbc-sha1-kd, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 and rc4-hmac encryption types
* UDP and TCP transports