Kerberos White Paper

Figure 3: Integrating a Kerberos Principal in to the LDAP Directory
Figure 3 illustrates data related to the user Alex Mathew, who is located in the LDAP directory at
cn=Alex, ou=Sales, o=BAMBI.COM. With both the POSIX account and LDAP information
integrated, you can associate data like Alex's UNIX identity, his Kerberos identity, and any other
attributes related to Alex within a single LDAP directory entry. As a result, different authentication
mechanisms can share common data like the account expiration date, password expiry times, and failed
authentication counts.
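The following is an added example, not code from the white paper: it parses a constructed LDIF entry of the kind Figure 3 describes (POSIX account data and a Kerberos principal in one directory entry) and shows the practical benefit the paragraph names, a single account expiry that both the UNIX login path and the Kerberos path can honour. The attribute and object class names are assumptions taken from RFC 2307 (posixAccount, shadowAccount, shadowExpire) and the MIT Kerberos LDAP schema (krbPrincipalAux, krbPrincipalName, krbPrincipalExpiration); the realm BAMBI.COM and the attribute values are constructed sample data.

```python
from datetime import date, datetime, timedelta

# Constructed sample entry (not from the paper). Object class and attribute
# names are assumed from RFC 2307 and the MIT Kerberos LDAP schema.
SAMPLE_LDIF = """\
dn: cn=Alex,ou=Sales,o=bambi.com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
cn: Alex
sn: Mathew
uid: mathew
uidNumber: 1907
gidNumber: 100
homeDirectory: /home/mathew
loginShell: /usr/bin/ksh
mail: mathew@bambi.com
shadowExpire: 12764
krbPrincipalName: mathew@BAMBI.COM
krbPrincipalExpiration: 20041212000000Z
"""

EPOCH = date(1970, 1, 1)


def parse_ldif(text):
    """Minimal single-entry LDIF parser: attribute name -> list of values.

    Handles folded continuation lines (leading space); base64 ('::') values
    are not needed for this sample and are not handled.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        elif raw.strip():
            logical_lines.append(raw)
    entry = {}
    for line in logical_lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def is_integrated(entry):
    """True when one entry carries both the UNIX identity and the Kerberos principal."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return "posixaccount" in classes and "krbprincipalaux" in classes


def posix_expiry(entry):
    """shadowExpire is the number of days since the epoch after which the login is disabled."""
    return EPOCH + timedelta(days=int(entry["shadowExpire"][0]))


def kerberos_expiry(entry):
    """krbPrincipalExpiration is an LDAP generalized time (YYYYMMDDhhmmssZ)."""
    return datetime.strptime(entry["krbPrincipalExpiration"][0], "%Y%m%d%H%M%SZ").date()


def account_status(entry, today):
    """Evaluate the shared expiry from each mechanism's point of view.

    A mismatch between the two dates means an operator changed one copy of the
    expiry and not the other, which is exactly what a single integrated entry
    is meant to prevent.
    """
    px, kx = posix_expiry(entry), kerberos_expiry(entry)
    return {
        "integrated": is_integrated(entry),
        "posix_active": today < px,
        "kerberos_active": today < kx,
        "expiry_consistent": px == kx,
    }


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    print(e["dn"][0], e["krbPrincipalName"][0])
    print(account_status(e, date(2004, 12, 11)))
    print(account_status(e, date(2004, 12, 13)))
```

Run against a real directory, the same parser can be replaced by an LDAP search, and the consistency flag is the value worth alerting on: if the POSIX and Kerberos expiries ever disagree, one authentication path will keep admitting an account the other has already closed.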
Generic Security Service Application Programming Interface (GSS-API)
GSS-API is an interface that provides security services to applications using peer-to-peer
communication.
Using GSS-API routines, applications can perform the following operations:
• Enable an application to authenticate another application's user.
• Enable an application to delegate access rights to another application.
• Apply security services, such as confidentiality and integrity, on a per-message basis.
GSS-API supports a secure connection between two communicating applications. The application that
establishes the secure connection is called the context initiator. The application that accepts the secure
connection is called the context acceptor.
GSS-API provides a standard programming interface that is independent of the authentication mechanism.
GSS-API enables programmers to design applications and their associated protocols that can use
[Figure 3 diagram content: directory tree Directory Root > o=bambi.com > ou=Sales, ou=Accounts. Entry DN: cn=Alex, ou=Sales, o=bambi.com with attributes sn (surname): Mathew; FirstName: Alex; TelephoneNumber: 1907; uid (userID): mathew; userPassword: ******; email: mathew@bambi.com; Shell: /usr/bin/ksh; Home Directory: /home/mathew; Account Expires: 12th Dec 2004; krbPrincipalName: mathew@bambi.com]