Red Hat Directory Server 8.0 Administrator's Guide
5.1. Realms
A realm is a set of users together with the authentication methods those users use to access the
realm. A realm name resembles a fully-qualified domain name, and a realm can be hosted on a single
server or spread across several machines within one domain. A single server instance can also
support multiple realms.
The server uses the realm when it forms the client's authentication identity, which has the
following form and looks like an LDAP DN:
uid=user_name/[server_instance],cn=realm,cn=mechanism,cn=auth
NOTE
Kerberos systems treat the Kerberos realm as the default realm; other systems
default to the server.
Mike Connors in the engineering realm of the European division of example.com would have
the following association if he tried to access a different server, such as cyclops:
uid=mconnors/cn=Europe.example.com,cn=engineering,cn=gssapi,cn=auth
Barbara Jensen in the accounting realm of US.example.com, accessing her own server, would have
the following association, with no server instance:
uid=bjensen,cn=accounting,cn=gssapi,cn=auth
If the mechanism supports realms and the realm in use is not the default realm, the realm must be
specified; otherwise, it is omitted. Currently, only GSS-API supports the concept of realms.
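The following is an added example, not code from Directory Server, showing how the identity form above can be composed and parsed under the rules in this section: the cn=realm component is omitted when the realm equals the default realm, and only GSS-API may carry a realm at all. The default realm value `example.com` and the treatment of the server-instance slot as opaque text (so that the `cn=Europe.example.com` example above parses as written) are assumptions made for the example.

```python
"""Build and parse the SASL authentication-identity form
   uid=user_name/[server_instance],cn=realm,cn=mechanism,cn=auth
Added example; not Directory Server product code."""
import re
from dataclasses import dataclass
from typing import Optional

# Per the text, GSS-API is currently the only mechanism that supports realms.
REALM_MECHANISMS = {"gssapi"}

# Assumed default realm for this example (on a Kerberos system it would be
# the Kerberos realm; elsewhere it is the server's own realm).
DEFAULT_REALM = "example.com"


@dataclass(frozen=True)
class SaslIdentity:
    user: str
    mechanism: str
    realm: Optional[str] = None            # None: realm not applicable
    server_instance: Optional[str] = None  # None: the server being contacted


def build_auth_dn(ident: SaslIdentity, default_realm: str = DEFAULT_REALM) -> str:
    """Compose uid=user[/server_instance][,cn=realm],cn=mechanism,cn=auth.

    cn=realm appears only when the mechanism supports realms and the realm
    differs from default_realm; a realm on any other mechanism is an error.
    """
    mech = ident.mechanism.lower()
    if ident.realm is not None and mech not in REALM_MECHANISMS:
        raise ValueError(f"mechanism {mech!r} does not support realms")
    rdn = "uid=" + ident.user
    if ident.server_instance:
        rdn += "/" + ident.server_instance   # server-instance slot, kept opaque
    parts = [rdn]
    if ident.realm is not None and ident.realm != default_realm:
        parts.append("cn=" + ident.realm)
    parts += ["cn=" + mech, "cn=auth"]
    return ",".join(parts)


_AUTH_DN = re.compile(
    r"^uid=(?P<user>[^/,]+)(?:/(?P<inst>[^,]+))?"   # uid=user[/server_instance]
    r"(?:,cn=(?P<realm>[^,]+))?"                    # optional cn=realm
    r",cn=(?P<mech>[^,]+),cn=auth$"                 # cn=mechanism,cn=auth
)


def parse_auth_dn(dn: str, default_realm: str = DEFAULT_REALM) -> SaslIdentity:
    """Inverse of build_auth_dn. A missing cn=realm resolves to default_realm
    for realm-aware mechanisms and to None for all others."""
    m = _AUTH_DN.match(dn)
    if not m:
        raise ValueError(f"not a SASL auth identity: {dn!r}")
    mech = m.group("mech").lower()
    realm = m.group("realm")
    if mech in REALM_MECHANISMS:
        if realm is None:
            realm = default_realm
    elif realm is not None:
        raise ValueError(f"mechanism {mech!r} does not support realms")
    return SaslIdentity(
        user=m.group("user"),
        mechanism=mech,
        realm=realm,
        server_instance=m.group("inst"),
    )


if __name__ == "__main__":
    # The two identities from the text, rebuilt and parsed back (constructed input).
    for ident in (
        SaslIdentity("mconnors", "GSSAPI", "engineering", "cn=Europe.example.com"),
        SaslIdentity("bjensen", "GSSAPI", "accounting"),
        SaslIdentity("bjensen", "GSSAPI", DEFAULT_REALM),   # default realm: omitted
    ):
        dn = build_auth_dn(ident)
        print(dn, "->", parse_auth_dn(dn))
```

The round trip is only exact for the default realm when the parser is given the same default the builder used; if a client and server disagree on the default realm, a DN without cn=realm will be resolved to different realms on each side, which is why the NOTE above matters on mixed Kerberos and non-Kerberos deployments.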
5.2. Configuring the KDC Server
To use GSS-API, the user first obtains a ticket-granting ticket (TGT). On many systems, this TGT
is issued when the user first logs into the operating system. The operating system usually provides
command-line utilities — kinit, klist, and kdestroy — to acquire, list, and destroy the TGT. The
TGT is held in the user's credential cache, and its lifetime is set in the Kerberos client and
server configuration; a GSS-API bind fails if the cache is missing or the ticket has expired.
Refer to the operating system documentation for information on installing and configuring a
Kerberos server (also called a key distribution center or KDC). Configuring a KDC for Directory
Server is described in Section 5.3, “Example: Configuring an Example KDC Server”.