Title: 1.1.2 - Principals
NavPrev: 1.1.1-realms.html
NavPrevText: 1.1.1 - Realms
NavUp: 1.1-introduction.html
NavUpText: 1.1 - Introduction
NavNext: 1.1.3-keys.html
NavNextText: 1.1.3 - Keys
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
# 1.1.2 - Principals
A Kerberos **Principal** is any named entity the KDC knows about and can issue a **Ticket** to or for. Typically, we can think of three kinds of **Principals**:
* Users
* Services
* Hosts
Each **Principal** name is unique within the Kerberos database; the name is how the KDC identifies the entity, so two entries can never share one.
A Kerberos **Principal** name is a combination of three parts:
* the name (the primary)
* an optional instance
* the realm they are associated with
The optional instance lets one entity hold more than one role without creating N unrelated **Principals** for a single user. An administrator is also a normal user, so instead of inventing a second name, the admin role is expressed by adding an instance to the existing name (for example `john/admin`), which yields a distinct but easy-to-remember **Principal** with its own key and its own privileges.
The **Principal** syntax is the following:
:::text
<primary> ['/' <instance>]* '@' <realm>
<DIV class="info" markdown="1">
For hosts, the primary is `host` and the instance is the host's (fully qualified) hostname.
</DIV>
These are examples of valid **Principals**:
    :::text
    john@APACHE.ORG                              A user
    john/admin@APACHE.ORG                        The same user acting as an admin
    host/www.apache.org/apache.org@APACHE.ORG    A host with two hostnames
    ldap/www.apache.org@APACHE.ORG               A service (LDAP server on www.apache.org)
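The following parser for the principal syntax above is an added example written for this page; it is not code from the page or from the Apache project. It implements the grammar `<primary> ['/' <instance>]* '@' <realm>`, splits the page's four example names into their parts, and rejects the malformed shapes a practitioner most often meets: a name with no realm (which would otherwise silently pick up whatever default realm the local configuration supplies), an empty component, and an empty realm. The backslash escape for a literal `/` or `@` inside a component is an assumption borrowed from the MIT krb5 string form and is not something the page describes.

```python
"""Parser for the Kerberos principal name syntax described on this page.

Grammar (from the page):  <primary> ['/' <instance>]* '@' <realm>

Assumption (not on the page): a backslash escapes the next character, so a
literal '/' or '@' inside a component is written '\\/' or '\\@'. This
mirrors the MIT krb5 string form; everything else follows the page's grammar.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Principal:
    primary: str
    instances: Tuple[str, ...] = ()
    realm: str = ""

    @property
    def components(self) -> Tuple[str, ...]:
        """primary followed by the instances, in order."""
        return (self.primary, *self.instances)

    @property
    def is_host(self) -> bool:
        """Host principals use 'host' as the primary (see the note above)."""
        return self.primary == "host"

    def __str__(self) -> str:
        # Re-escape so that str(parse_principal(s)) == s for valid inputs.
        return "/".join(_escape(c) for c in self.components) + "@" + _escape(self.realm)


def _escape(part: str) -> str:
    return part.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def parse_principal(text: str) -> Principal:
    """Split a principal string into primary, instances and realm.

    Raises ValueError for names that do not match the grammar. A missing
    realm is treated as an error on purpose: an unqualified name is only
    meaningful relative to some default realm, so two parties comparing
    names must both be looking at the fully qualified form.
    """
    components = []
    buf = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":  # escape: take the next character literally (assumed convention)
            if i + 1 >= len(text):
                raise ValueError("dangling escape at end of principal")
            buf.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        elif in_realm and ch in "/@":
            raise ValueError(f"unescaped {ch!r} inside realm")
        else:
            buf.append(ch)
        i += 1

    if not in_realm:
        raise ValueError("missing '@<realm>' (unqualified principal)")
    realm = "".join(buf)
    if not realm:
        raise ValueError("empty realm")
    if any(c == "" for c in components):
        raise ValueError("empty primary or instance component")
    return Principal(components[0], tuple(components[1:]), realm)


# The four examples from the page, plus constructed malformed inputs.
PAGE_EXAMPLES = (
    "john@APACHE.ORG",
    "john/admin@APACHE.ORG",
    "host/www.apache.org/apache.org@APACHE.ORG",
    "ldap/www.apache.org@APACHE.ORG",
)
BAD_EXAMPLES = ("john", "john/@APACHE.ORG", "@APACHE.ORG", "john@", "a@b@c")


if __name__ == "__main__":
    for name in PAGE_EXAMPLES:
        p = parse_principal(name)
        print(f"{name:44} primary={p.primary!r} instances={p.instances} realm={p.realm!r}")
    for name in BAD_EXAMPLES:
        try:
            parse_principal(name)
        except ValueError as err:
            print(f"{name:44} rejected: {err}")
```

Note that `john@APACHE.ORG` and `john/admin@APACHE.ORG` parse to different `Principal` values: the KDC stores them as two entries with two keys, which is exactly the point of the instance.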