Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 1 Overview

Introduction to LDAP

The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol for accessing directory services. LDAP defines a message protocol used by directory clients and directory servers. It is a fast-growing technology for accessing common directory information. LDAP has been embraced and implemented in most network-oriented middleware. LDAP has gained wide acceptance as the directory access method of the Internet and is therefore becoming strategic within corporate intranets.

As the number of different networks and applications has grown, the number of specialized directories of information has also grown, resulting in islands of information that are difficult to maintain. LDAP, an open industry standard, evolved to meet the need for a common directory infrastructure that all of these applications can share. LDAP defines a standard method for accessing and updating information in a directory.

LDAP Advantages

LDAP evolved as a lightweight protocol for accessing information in X.500 directory services. It has since become largely independent of X.500: most directory servers now implement the LDAP protocol directly rather than the X.500 Directory Access Protocol (DAP). The success of LDAP is due largely to the following characteristics, which make it simpler to implement and use than X.500 and DAP:

  • Omits duplicate, rarely used, and esoteric features. This makes LDAP easier to understand and to implement.

  • Runs over TCP/IP rather than the OSI protocol stack. TCP/IP is less resource-intensive and is widely available.

  • Encodes data for transport over the network using a simplified subset of the Basic Encoding Rules (BER) that X.500 uses.

  • Represents attribute values as strings rather than as the complex structured types that X.500 defines in ASN.1 (Abstract Syntax Notation One). The LDAP protocol messages themselves are still described in ASN.1, but the data a client reads and writes is string-valued.

Integrating Kerberos Server v3.12 with LDAP

You can configure Kerberos server v3.12 to use an LDAP directory as its backend database. By storing each Kerberos principal in the LDAP entry of the corresponding user, you keep the data for mechanisms such as UNIX (POSIX) accounts and Kerberos in one common repository. You can also tighten credential handling by requiring users to authenticate with the credentials held in LDAP.

Implementing this solution involves the following steps:

  • Modifying the configuration files on the Kerberos server

  • Extending the LDAP directory schema

This document details the design specifications in terms of the Kerberos Server requirements and the LDAP directory requirements. It then covers the actual implementation guidelines and procedures used to accomplish this solution.

You must use the krb_2_ldap utility to migrate your existing Kerberos database to LDAP. For more information, see Chapter 3 “Migrating to a Newer Version of the Kerberos Server”.

You can configure your Kerberos server with LDAP either by using the autoconfiguration tool, krbsetup, or by manually editing the LDAP configuration files located in the /opt/krb5/examples directory. For more information, see Chapter 6 “Configuring the Kerberos Server with LDAP”. HP recommends that you use the krbsetup tool to configure your Kerberos server with LDAP.

You can administer and maintain the Kerberos database either by using the HP Kerberos Administrator, a graphical user interface, or by using the command-line administrator. For more information, see Chapter 8 “Administering the Kerberos Server”.

NOTE: Kerberos server v3.12 supports only Netscape Directory Server 6.0 (J4258CA) and later as the LDAP backend database. You must have the LDAP-UX product installed on the Kerberos server to set up a Kerberos server with LDAP as the backend database.

How is the Kerberos Principal Integrated into the LDAP Directory?

A directory contains a collection of objects (entries) organized in a tree structure called the Directory Information Tree (DIT). Each entry's position in the DIT is given by its Distinguished Name (DN). A DN is a sequence of Relative Distinguished Names (RDNs) separated by commas, listed from the entry itself up to the root of the tree, such as cn=alex,ou=R&D,o=bambi: the entry named alex sits under the organizational unit R&D, which sits under the organization bambi.

Figure 1-2 “Integrating a Kerberos Principal into the LDAP Directory” shows how a Kerberos principal is integrated into the LDAP directory.

Figure 1-2 Integrating a Kerberos Principal into the LDAP Directory

Figure 1-2 “Integrating a Kerberos Principal into the LDAP Directory” illustrates the data related to the user Alex Mathew, whose entry is located in the LDAP directory at cn=Alex, ou=accounts, o=BAMBI.COM. With the POSIX account and Kerberos information integrated, Alex’s UNIX identity, his Kerberos identity, and any other attributes related to Alex are held under a single LDAP directory entry.
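The DN rules above (comma-separated RDNs, leaf entry first) and the entry for Alex at cn=Alex, ou=accounts, o=BAMBI.COM can be exercised with a small parser. The following Python code is an added example, not part of the HP guide or of the Kerberos Server product: it splits a DN into RDNs following RFC 4514, honours backslash escaping (a comma inside a value such as “Mathew, Alex” must be written as \,), tolerates the optional whitespace after separators that the figure's DN uses, and compares two DNs by structure rather than by raw string, which is what any access-control or principal-lookup check keyed on a DN must do. The sample DNs are the two on this page plus one constructed escaped DN; multi-valued RDNs (+), hex escapes (\XX) and #-encoded values are rejected rather than silently misread.

```python
"""Parse, normalize and compare LDAP Distinguished Names (RFC 4514).

Added example; not code from the HP Kerberos Server product.
Supported: 'type=value' RDNs separated by commas, optional whitespace
around separators, backslash escapes such as '\\,'.
Rejected with ValueError: multi-valued RDNs ('+'), hex escapes ('\\XX')
and '#'-prefixed BER values, so they are never silently misread.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("cn", "alex")

_SPECIAL = set(',+"\\<>;')  # characters that need escaping inside a value
_HEX = set("0123456789abcdefABCDEF")


def _finish_rdn(attr: List[str], value: List[Tuple[str, bool]]) -> RDN:
    """Build one RDN; value items are (char, was_escaped)."""
    atype = "".join(attr).strip().lower()  # attribute types are case-insensitive
    if not atype:
        raise ValueError("empty attribute type")
    # Unescaped leading/trailing spaces are insignificant; escaped ones ('\\ ') stay.
    start, end = 0, len(value)
    while start < end and value[start] == (" ", False):
        start += 1
    while end > start and value[end - 1] == (" ", False):
        end -= 1
    if start == end:
        raise ValueError("empty value for attribute %s" % atype)
    if value[start] == ("#", False):
        raise ValueError("'#'-encoded BER values are not supported by this example")
    return atype, "".join(ch for ch, _ in value[start:end])


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, leaf entry first.

    'cn=alex,ou=R&D,o=bambi' -> [('cn', 'alex'), ('ou', 'R&D'), ('o', 'bambi')]
    """
    rdns: List[RDN] = []
    attr: List[str] = []
    value: List[Tuple[str, bool]] = []
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":  # escape: the next character is literal
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            nxt = dn[i + 1]
            if nxt in _HEX and i + 2 < n and dn[i + 2] in _HEX:
                raise ValueError("hex escapes (\\XX) are not supported by this example")
            if not in_value:
                raise ValueError("escape sequence inside attribute type")
            value.append((nxt, True))
            i += 2
            continue
        if not in_value:
            if ch == "=":
                in_value = True
            elif ch == ",":
                raise ValueError("RDN without '='")
            else:
                attr.append(ch)
        elif ch == "+":
            raise ValueError("multi-valued RDNs (+) are not supported by this example")
        elif ch == ",":  # an unescaped comma ends this RDN
            rdns.append(_finish_rdn(attr, value))
            attr, value, in_value = [], [], False
        else:
            value.append((ch, False))
        i += 1
    if not in_value:
        raise ValueError("RDN without '='")
    rdns.append(_finish_rdn(attr, value))
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def escape_value(text: str) -> str:
    """Escape a value for inclusion in a DN string (RFC 4514 section 2.4)."""
    out, last = [], len(text) - 1
    for i, ch in enumerate(text):
        if ch in _SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Canonical string form: lower-case types, no whitespace around separators."""
    return ",".join("%s=%s" % (atype, escape_value(val)) for atype, val in rdns)


def dn_equal(a: str, b: str) -> bool:
    """Structural comparison. Values are compared case-insensitively, which is
    right for cn, ou and o (caseIgnoreMatch) but not for every attribute."""
    ra, rb = parse_dn(a), parse_dn(b)
    return len(ra) == len(rb) and all(
        x[0] == y[0] and x[1].lower() == y[1].lower() for x, y in zip(ra, rb))


if __name__ == "__main__":
    # Constructed inputs: the two DNs from this page and one escaped DN.
    for dn in ("cn=alex,ou=R&D,o=bambi",
               "cn=Alex, ou=accounts, o=BAMBI.COM",
               "cn=Mathew\\, Alex,ou=accounts,o=BAMBI.COM"):
        print(parse_dn(dn), "->", build_dn(parse_dn(dn)))
    print(dn_equal("cn=Alex, ou=accounts, o=BAMBI.COM", "CN=alex,OU=Accounts,O=bambi.com"))
```

Note that an unescaped comma in a value (cn=Mathew, Alex,...) is not a harmless spelling of the same name: the parser reads “ Alex” as a separate RDN with no attribute type and rejects the DN. When a DN is assembled from user-supplied input, always pass the value through escape_value (or the equivalent in your LDAP library) so that it cannot inject extra RDNs.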

© 2007 Hewlett-Packard Development Company, L.P.