Kerberos White Paper
Kerberos Server is based on a distributed client-server architecture. It ensures secure communication in a networked environment by leveraging individual trust relationships and then distributing that trust across enterprise-wide, distributed client-server networks. It includes a GUI for configuration purposes. Users can choose to configure Kerberos Server v3.1 with a native (C-Tree) back-end database or with an LDAP back-end database.
Introduction to LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email programs use to look up contact information on a server. LDAP was designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern Internet. X.500 is too complex to support on desktops and over the Internet, so LDAP was created to provide the same service. LDAP has broader applications, such as looking up services and devices on the Internet (and intranets). LDAP-enabled directories are becoming the de facto corporate standard for reducing user management cost. LDAP gained a lot of popularity with the explosive growth of the Internet and World Wide Web. LDAP-based directory servers are used to store enterprise user and service information as well as the customer relationship information for e-commerce applications.
Kerberos Server on HP-UX with Native Back End
If you choose to use Kerberos Server with a native C-Tree back end, Kerberos Server maintains complete information for all principals, together with their keys, in a database on the machine on which the Kerberos server is configured. The native C-Tree database is the default back-end database for Kerberos Server v3.1.
Kerberos Server on HP-UX with LDAP Back End
Kerberos Server can also be configured with LDAP as the back end. If you choose to use LDAP, user information is stored in the LDAP directory in a centralized location. HP-UX users can log in to the system by accessing the user information from the LDAP directory with the help of the LDAP-UX Integration product.
Benefits of an LDAP Back End
As the number of different networks and applications has grown, the number of specialized
directories of information has also grown, resulting in islands of information that are difficult to
maintain. LDAP, an open industry standard, has evolved to meet these needs by providing access to a
common directory infrastructure. LDAP defines a standard method for accessing and updating
information in a single directory.
By integrating the Kerberos principals with the corresponding users in an LDAP directory, you can
create a single point of user and group management. This simplifies account administration by
allowing user administration to be performed from a single location.
Implementing this solution involves the following steps:
• Modify the configuration files on the Kerberos Server
• Extend the LDAP directory schema
Integrating the Kerberos Principal into the LDAP Directory
A directory contains entries that are organized in a tree structure called the Directory Information Tree (DIT). Entries are arranged within the DIT based on their Distinguished Names (DNs). A DN is a unique name that unambiguously identifies a single entry. It is made up of a sequence of relative distinguished names (RDNs) separated by commas, such as cn=alex, ou=Sales, o=bambi.com. Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry.
Figure 3 shows how a Kerberos principal is integrated into the LDAP directory.
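The DN structure described above, worked through in code as an added example (not part of the original white paper or of the HP product): it splits a DN into its RDNs while honouring the backslash escape that LDAP uses for commas inside a value, and returns the RDNs root-first so the result reads as the branch walked down the DIT. The DN cn=alex, ou=Sales, o=bambi.com is the page's own; the escaped-comma DN is a constructed sample.

```python
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas only.

    A naive dn.split(",") would break a value such as 'Smith\\, John'
    into two bogus RDNs, so the entry looked up for a principal would
    not be the one the DN names. The backslash escape pair is kept
    intact so the RDN value round-trips unchanged.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # escape pair, e.g. '\,'
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split one RDN into (attribute type, value).

    Attribute types are case-insensitive in LDAP, so the type is
    normalised to lower case; a missing '=' or empty type is rejected.
    """
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def dit_path(dn: str) -> List[Tuple[str, str]]:
    """Return the RDNs ordered root-first: the branch from the DIT root
    down to the entry named by the DN (a DN is written leaf-first)."""
    return [parse_rdn(r) for r in reversed(split_dn(dn))]


if __name__ == "__main__":
    # The page's example DN and a constructed DN with an escaped comma.
    print(dit_path("cn=alex, ou=Sales, o=bambi.com"))
    print(dit_path("cn=Smith\\, John, ou=Sales, o=bambi.com"))
```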