Work in progress

This site is in the process of being reviewed and updated.

User Accounts

A user account is an Apache Directory object that contains information that defines a user with access to a network (name, password). A user account is required for anyone using resources on the network.

User Authentication

User authentication is the process by which a user's identity is validated. The validated identity is then used to grant or deny access to network resources. From a client operating system the user typically enters a username, a password, and the resource required. Typically, local files (passwd, etc.) are used to authenticate users. With Apache Directory, the realm controller uses the Kerberos protocol to authenticate the user.

Service Accounts

A service account is an Apache Directory object that contains information that defines a network service that users may access. Kerberos is naturally "service oriented." A service account is required so that users may request tickets to access the service. Even the Kerberos Ticket-Granting Service is itself a service that requires a service account (krbtgt).

"Kerberized" Applications

"Kerberized" applications are any application or service that uses the Kerberos protocol to authenticate. When we say "application" we mean the client side of a service. Examples of Kerberized services include HTTP, SSHD, and, of course, LDAP. To work with Kerberos credentials, most open-source Kerberos distributions ship command-line tools such as kinit, kdestroy, klist, and kpasswd. Similarly, Java ships kinit, klist, and ktab.

Kerberos Key Distribution Center (KDC)

A Kerberos Key Distribution Center (KDC) is a server that accepts ticket requests from users, validates the users' requests, and grants tickets to the users for access to a service. Kerberos is specified in IETF RFC 4120. Kerberos is said to have "three heads": the KDC, the user, and the service to which access is being requested.

Password policy

Kerberos authentication is based on passwords. Therefore, it is important to have a defined password policy that can be enforced by the KDC.

Realm Control

Kerberos uses the term "realm" to denote an administrative boundary for managing users and services. An Apache Directory-backed realm consists of Apache Directory acting as the realm controller, together with hosts and services configured to use Apache Directory's Kerberos and LDAP support. Because Kerberos is an IETF standard protocol, there are many ways to configure interoperability.

Single Realm

The most common scenario will be the use of Apache Directory to control a realm of Linux workstations. In this scenario we strive to interoperate with the multitude of excellent open-source software that supports Kerberos.

Cross-Realm Operation

A more advanced scenario is the use of Kerberos to provide authentication "cross realm." In cross-realm operation, also known as a "trust relationship," users in one realm are able to gain access to services in another realm. Cross-realm operation is a standard feature of Kerberos. It can also be used to aid interoperability with Microsoft Windows.

Client Configuration

Linux desktops typically require some minor configuration in order for Kerberos authentication to work. Once configured, sign-in to the host can use Kerberos authentication, for example on the console, with Gnome, or even over SSH. Clients can locate realm controllers either through local file configuration or through DNS SRV (service location) records. Using DNS SRV records reduces (and centralizes) the amount of configuration that must be done on clients and increases the flexibility of the network.
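The following is an added example, not part of the Apache Directory documentation: for a constructed realm EXAMPLE.COM with made-up SRV records and host names, it selects realm controllers the way a Kerberos client does from DNS and renders the equivalent static krb5.conf [realms] stanza, showing how the DNS-based and file-based client configuration described above carry the same information. The SRV owner-name conventions and the krb5.conf keys (kdc, master_kdc, kpasswd_server) are those of MIT Kerberos.

```python
# Locate Kerberos realm controllers from DNS SRV records and render the equivalent krb5.conf stanza.
# Realm, zone data (two KDCs plus a lower-priority backup) and host names are constructed; no live DNS is queried.
from collections import namedtuple
SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

def srv_names(realm):
    """SRV owner names a client queries for a realm (RFC 4120 7.2.3.2; MIT krb5 dns_lookup_kdc)."""
    realm = realm.rstrip(".")
    return [f"_kerberos._udp.{realm}",         # KDC over UDP
            f"_kerberos._tcp.{realm}",         # KDC over TCP
            f"_kerberos-master._tcp.{realm}",  # master KDC, retried after a password failure
            f"_kpasswd._udp.{realm}"]          # password-change service

CONSTRUCTED_ZONE = """
_kerberos._udp.example.com.        IN SRV  0 100  88 kdc1.example.com.
_kerberos._udp.example.com.        IN SRV  0  50  88 kdc2.example.com.
_kerberos._tcp.example.com.        IN SRV  0 100  88 kdc1.example.com.
_kerberos._tcp.example.com.        IN SRV 10 100  88 kdc-backup.example.com.
_kerberos-master._tcp.example.com. IN SRV  0 100  88 kdc1.example.com.
_kpasswd._udp.example.com.         IN SRV  0 100 464 kdc1.example.com.
"""

def parse_zone(zone):
    """Parse 'owner IN SRV priority weight port target' lines into SrvRecord tuples."""
    records = []
    for line in zone.splitlines():
        f = line.split()
        if len(f) != 7 or f[1:3] != ["IN", "SRV"]:
            continue  # skip blank lines and non-SRV records
        records.append(SrvRecord(f[0].rstrip(".").lower(), int(f[3]), int(f[4]), int(f[5]), f[6].rstrip(".")))
    return records

def select_targets(records, name):
    """host:port targets for one SRV name, lowest priority first, then highest weight (RFC 2782 order, made deterministic)."""
    matching = [r for r in records if r.name == name.lower()]
    return [f"{r.target}:{r.port}" for r in sorted(matching, key=lambda r: (r.priority, -r.weight))]

def realm_stanza(realm, records):
    """Render the krb5.conf [realms] entry carrying the same information as the SRV records."""
    udp, tcp, master, kpasswd = (select_targets(records, n) for n in srv_names(realm))
    kdcs = list(dict.fromkeys(udp + tcp))  # 'kdc =' lines carry no transport, so dedupe
    lines = [f"  {realm} = {{"]
    lines += [f"    kdc = {t}" for t in kdcs]
    lines += [f"    master_kdc = {t}" for t in master]
    lines += [f"    kpasswd_server = {t}" for t in kpasswd]
    lines.append("  }")
    return "\n".join(lines)

if __name__ == "__main__":
    print("[realms]\n" + realm_stanza("EXAMPLE.COM", parse_zone(CONSTRUCTED_ZONE)))
```

A real client such as MIT krb5 performs these lookups itself when dns_lookup_kdc is enabled; the rendered stanza is what you would place in krb5.conf instead if DNS SRV records are not available.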
