| Title: 1.1.2 - Principals |
| NavPrev: 1.1.1-realms.html |
| NavPrevText: 1.1.1 - Realms |
| NavUp: 1.1-introduction.html |
| NavUpText: 1.1 - Introduction |
| NavNext: 1.1.3-keys.html |
| NavNextText: 1.1.3 - Keys |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 1.1.2 - Principals |
| |
| The Kerberos **Principal** is any entity to which the server can assign a **Ticket**. Typically, we can think of three kinds of **Principals** : |
| |
| * Users |
| * Services |
| * Hosts |
| |
| Each **Principal** is unique in the Kerberos database. This is the way we identify the entity. |
| |
| A Kerberos **Principal** is a combination of three parts : |
| |
| * the name (the primary) |
| * an optional instance |
| * the realm they are associated with |
| |
| The optional instance is used to provide more than one role to an entity, without having to create N Principals for a single user (an administrator is also a normal user, and it's good to qualify the user by adding his admin qualificiation in one **Principal** to create a new and easy to remember **Principal**) |
| |
| The **Principal** syntax is the following : |
| |
| :::text |
| <primary> ['/' <instance>]* '@' <realm> |
| |
| <DIV class="info" markdown="1"> |
| For hosts, we use "host" as a primary, and the instances are the hostnames. |
| </DIV> |
| |
| Those are examples of valid **Principals** |
| |
| ::test |
| john@APACHE.ORG A user |
| john/admin@APACHE.ORG A user who is an admin |
| host/www.apache.org/apache.org@APACHE.ORG A host with two hostnames |
| ldap/www.apache.org@APACHE.ORG A service (Ldap server) |