| Wiki Markup |
|---|
{scrollbar}
{note:title=Work in progress}
This site is in the process of being reviewed and updated.
{note}
h3. Introduction
The Kerberos provider for Apache Directory implements [RFC 1510|http://www.ietf.org/rfc/rfc1510.txt], the Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos' true strength is in authenticating users without ever sending their password over the network. Kerberos is designed for use on open (untrusted) networks and, therefore, operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. [This chart|http://www.computerworld.com/computerworld/records/images/pdf/kerberos_chart.pdf] provides a good description of the protocol workflow.
Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server, and the network service being accessed.
The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the Kerberos provider leverages Apache Directory's MINA for front-end services and the Apache Directory read-optimized backing store via JNDI for persistent directory services.
The Kerberos provider for Apache Directory, in conjunction with MINA and the Apache Directory store, provides an easy-to-use yet fully-featured network authentication service. As implemented within the Apache Directory, the Kerberos provder will provide:
* Authentication service (RFC 1510)
* Ticket-granting service (RFC 1510)
* Pre-authentication support (RFC 1510)
* DES encryption systems (RFC 1510)
* Triple-DES (DES3) encryption systems
* UDP and TCP Support (MINA)
* Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi
h3. More Information
For help with Kerberos client configurations, check out our [Interoperability Guide|http://cwiki.apache.org/DIRxINTEROP].
h3. Resources
h4. Kerberos Articles
- {link:Centralized Authentication with Kerberos 5, Part I|http://www.linuxjournal.com/article/7336}
- {link:Centralized Authorization Using a Directory Service, Part II|http://www.linuxjournal.com/article/7334}
h4. Microsoft Interoperability
- {link:HTTP-Based Cross-Platform Authentication via the Negotiate Protocol|http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-2.asp}
- {link:RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism|http://www.faqs.org/rfcs/rfc2478.html}
h4. Standards
- {link:Encryption and Checksum Specifications for Kerberos 5|http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-crypto-07.txt}
- {link:Key Derivation for Kerberos V5|http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-ietf-cat-kerb-key-derivation-00.txt}
- {link:Key Derivation for Authentication, Integrity, and Privacy|http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-horowitz-key-derivation-00.txt}
- {link:RFC 1510 - The Kerberos Network Authentication Service (V5)|http://www.faqs.org/rfcs/rfc1510.html}
- {link:RFC 1964 - The Kerberos Version 5 GSS-API Mechanism|http://www.faqs.org/rfcs/rfc1964.html}
- {link:Simplify enterprise Java authentication with single sign-on|http://www-106.ibm.com/developerworks/java/library/j-gss-sso/}
- {link:Lock down J2ME applications with Kerberos, Part 1: Introducing Kerberos data formats|http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos/}
- {link:Lock down J2ME applications with Kerberos, Part 2: Authoring a request for a Kerberos ticket|http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos2.html}
- {link:Lock down J2ME applications with Kerberos, Part 3: Establish secure communication with an e-bank|http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos3/} |
Page History
Overview
Content Tools
Apps