| Title: 1.1.1 - Realms |
| NavPrev: 1.1-introduction.html |
| NavPrevText: 1.1 - Introduction |
| NavUp: 1.1-introduction.html |
| NavUpText: 1.1 - Introduction |
| NavNext: 1.1.2-principals.html |
| NavNextText: 1.1.2 - Principals |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 1.1.1 - Realms |
| |
| A **Realm** is associated with a Kerberos administrative domain. In other words, it covers everything the Kerberos server manages: |
| * Users |
| * Services |
| |
| Note that a Kerberos server manages **one** Realm only, but a Realm can be managed by more than one Kerberos server: this is mandatory to avoid a single point of failure if a Kerberos server halts for any reason. |
| |
| ## Realm name |
| |
| In order to distinguish the **Realms**, we give them a unique name. This name can be anything, but a convention is to use the DNS name of the Kerberos server, and to use uppercase. |
| |
| For instance, say that the Kerberos server is installed on a machine whose domain name is **apache.org**, then we will use **APACHE.ORG** as the **Realm** name (but you could use **Apache.org** or even **MyApacheDomain**). |
| |
| <DIV class="info" markdown="1"> |
| Note that the name is case sensitive. **apache.org** is a different realm than **APACHE.ORG**. |
| </DIV> |
| |
| The **Realm** name will be used all over Kerberos to name **Principals** and **Services**. |
| |
| ## Default Realm for ApacheDS Kerberos Server |
| |
| When **ApacheDS Kerberos Server** is installed, the default **Realm** name is set to **EXAMPLE.COM**. This can be changed either using **Studio**, by accessing the server configuration and changing the 'Primary KDC Realm', as shown in this picture: |
| |
| <DIV align="center"> |
| <img alt="Kerberos Realm Configuration" src="images/kerberos-realm-config.png"> |
| </DIV> |
| |
| or by editing the LDIF configuration directly and modifying the following entry: |
| |
| :::text |
| dn: ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config |
| ... |
| ads-krbprimaryrealm: EXAMPLE.COM |
| ... |
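
A check for the case-sensitivity pitfall described above, as an added example that is not part of the ApacheDS documentation or code: it reads `ads-krbprimaryrealm` from an LDIF export and flags the unchanged default, a realm that ignores the uppercase convention, and principals whose realm differs from the configured one only by case. The sample LDIF and principal names are constructed, the function names are hypothetical, and principals are assumed to be written as `name@REALM`.

```python
import base64

DEFAULT_REALM = "EXAMPLE.COM"  # ApacheDS default primary realm, per the page

# Constructed sample data (not taken from a real server).
SAMPLE_LDIF = """\
dn: ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-serverId: kerberosServer
ads-krbprimaryrealm: Apache.org
"""
SAMPLE_PRINCIPALS = ["hnelson@APACHE.ORG", "ldap/ds.apache.org@apache.org",
                     "krbtgt/Apache.org@Apache.org"]


def primary_realm(ldif_text):
    """Return ads-krbprimaryrealm from the kerberosServer entry, or None."""
    in_entry = False
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # blank line, "..." or folded continuation (not handled)
        name = name.strip().lower()  # LDIF attribute names are case-insensitive
        if name == "dn":
            in_entry = value.strip().lower().startswith("ads-serverid=kerberosserver,")
        elif in_entry and name == "ads-krbprimaryrealm":
            if value.startswith(":"):  # "attr:: ..." means a base64-encoded value
                return base64.b64decode(value[1:].strip()).decode("utf-8")
            return value.strip()  # keep the case as written: realm names are case sensitive
    return None


def audit(ldif_text, principals):
    """Return findings about the configured realm and the principals' realm parts."""
    realm = primary_realm(ldif_text)
    if realm is None:
        return ["no ads-krbprimaryrealm in the kerberosServer entry"]
    findings = []
    if realm == DEFAULT_REALM:
        findings.append("primary realm is still the default EXAMPLE.COM")
    if realm != realm.upper():
        findings.append(f"realm {realm!r} does not follow the uppercase convention")
    for principal in principals:
        p_realm = principal.rpartition("@")[2] if "@" in principal else realm
        if p_realm != realm and p_realm.lower() == realm.lower():
            findings.append(f"{principal}: {p_realm!r} differs from {realm!r} only by case")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, SAMPLE_PRINCIPALS):
        print(finding)
```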