Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 6 Configuring the Kerberos Server with LDAP

Setting up Your LDAP Configuration

Plan how to set up and verify your LDAP directory and your Kerberos server environment, before you put them into production. Consider the following questions and record your decisions and other information that you will need later in the Configuration Worksheet found in Appendix A “Configuration Worksheet”.

  • What is the host name of your directory server?

    Write down your directory server host name in the Configuration Worksheet. This is where your Kerberos principals reside. Enter either the FQDN or the IP address.

    For example, fox.bambi.com or 18.13.118.130.

  • What is the port number of your directory server?

    Write down the port number of your directory server in the Configuration Worksheet.

    • If you have opted for SSL as the security mechanism the default TCP port number is 636.

    • If you have opted for Password as the security mechanism the default TCP port number is 389.

  • Have you decided to extend the schema?

    A schema is the collection of object class and attribute type definitions. A server uses these definitions to determine how to match a filter or attribute against the attributes of a specific entry and whether to grant permissions to any given attributes.

    You must have administrative privileges to extend the schema. If you do not have these privileges, contact your LDAP administrator. You need to extend the LDAP schema with the Kerberos-specific object classes and attributes.

  • Have you decided on the security mechanism?

    To access the information stored in the directory, you must first authenticate to the directory. Once authenticated, you can access the information in the directory, subject to the authorization information stored there. Hence, you need to choose an authentication method. Currently, the supported mechanisms are Password and SSL.

    The SSL protocol was devised to provide both authentication and data security. SSL encapsulates the TCP/IP socket so that every TCP/IP application can use it to secure its communication. This enables clients to verify the identity of the server and to encrypt communication of the basic authentication from the clients to the server on insecure networks. To ensure message integrity and privacy, SSL has the following features:

    • Provides a hashing algorithm

    • Provides for the creation and use of an encrypted communication channel

    If you choose Password as the security mechanism then the client authenticates to an LDAP server by sending a simple bind request to the server.

    NOTE: In the Password security mechanism, passwords are transmitted in clear text and are vulnerable to snooping.

    The primary advantage of using Password is that it is the required authentication method as defined in the LDAP standard, and all directory servers support it.

  • What is the name of your default base DN for search?

    Entries are organized in a tree-like structure called the Directory Information Tree (DIT). Entries are arranged within the DIT based on their DNs. Distinguished Name (DN) is a unique name that unambiguously identifies a single entry. DNs are made up of a sequence of Relative Distinguished Names (RDNs). Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry. A DN is composed of a sequence of RDNs separated by commas.

    For example, ou=people, o=bambi.com

    The default base DN for search is the root of the directory tree on the Directory server, where the Kerberos server searches for kerberos principals.

  • What is the name of your default principal subtree DN?

    Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry. The search base node subtree designates all the containers for the various information types under the base DN.

    For example, ou=accounts, ou=people, o=bambi.com

    By default, all Kerberos principals are added in the default principal subtree if no LDAP entry is specified when the Kerberos principal is created. The default principal subtree DN must be located under the default base DN for search.

    NOTE: To effectively search for data you must add all subtree entries under the default base DN.
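The rule that the default principal subtree DN must lie under the default base DN for search can be checked before anything is written to the worksheet. The following is an added example (not code from the HP guide or the Kerberos server product) that splits a DN into its RDNs, treating a backslash-escaped comma as part of the value, and then tests the suffix relationship between the two DNs from the examples above. The DN values are the constructed `bambi.com` ones used on this page; the function names are the example's own.

```python
import re

# Constructed example values, matching the worksheet examples on this page.
BASE_DN = "ou=people, o=bambi.com"
PRINCIPAL_SUBTREE_DN = "ou=accounts, ou=people, o=bambi.com"

# A comma separates RDNs unless it is escaped with a backslash (RFC 4514),
# so split only on commas that are not preceded by a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Split a DN string into a list of (attribute, value) tuples, leaf-first
    as written. Attribute names are lower-cased and surrounding whitespace is
    dropped, since both are insignificant in LDAP. Multi-valued RDNs
    (a=x+b=y) are not handled; the first '=' in each RDN is taken."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            raise ValueError("empty RDN in %r" % dn)
        if "=" not in part:
            raise ValueError("RDN %r has no '='" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _normalized(rdns):
    # ou, o and cn use caseIgnore matching rules, so compare values
    # case-insensitively as well.
    return [(attr, value.lower()) for attr, value in rdns]


def is_under(child_dn, ancestor_dn):
    """True if child_dn is ancestor_dn itself or lies below it in the DIT.
    DNs are written leaf-first, so 'below' means the ancestor's RDN sequence
    is a suffix of the child's RDN sequence."""
    child = _normalized(parse_dn(child_dn))
    ancestor = _normalized(parse_dn(ancestor_dn))
    if len(ancestor) > len(child):
        return False
    return child[len(child) - len(ancestor):] == ancestor


def check_subtree_placement(base_dn, subtree_dn):
    """Return a list of problems with the two worksheet entries; an empty
    list means the principal subtree is placed correctly under the base DN."""
    problems = []
    if not is_under(subtree_dn, base_dn):
        problems.append("default principal subtree %r is not under the "
                        "default base DN for search %r" % (subtree_dn, base_dn))
    return problems


if __name__ == "__main__":
    print(parse_dn(PRINCIPAL_SUBTREE_DN))
    print(check_subtree_placement(BASE_DN, PRINCIPAL_SUBTREE_DN))
    print(check_subtree_placement(BASE_DN, "ou=accounts, o=other.com"))
```

Because the comparison is done on parsed RDNs rather than on the raw strings, the differences in spacing and letter case between how the two DNs were typed into the worksheet do not produce a false mismatch, while a subtree that merely ends in similar text (for example under a different `o=`) is still rejected.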

  • Where are your certificates located?

    This path defines the location of the database that contains the certificates for your client. The database must contain the cert7.db certificate database, which is used by Mozilla or Netscape clients. You must specify the path to the directory containing the certificate database.

    For example, /.netscape/cert7.db.

  • What is the name of your proxy user?

    Write down the distinguished name of the proxy user, if needed. The Kerberos server binds to the Directory server as the proxy user. This user must have the appropriate privileges to create, modify and delete Kerberos principals.

    For example, cn=Anne.

  • What is the name of your default object class template?

    The Kerberos principal must be associated with at least one structural object class on the Directory server. The Kerberos server uses this template for those Kerberos principals who do not have an existing object class to be associated with on the Directory server.

    For example, posixaccount.

  • What are the attributes of your object class?

    This line specifies the mandatory attributes of the default object class. The object class determines which attributes the entry must have and which it can have. When the Kerberos server creates a default object, it uses the first attribute specified in this field as the naming attribute.

    For example, uid, cn, homedirectory, gidnumber, uidnumber.
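Taken together, the worksheet answers above have a few consistency rules: the port should match the chosen security mechanism (636 for SSL, 389 for Password), SSL needs a certificate database path, Password sends the bind password in clear text, and the first attribute of the object class template becomes the naming attribute of any entry the Kerberos server creates. The following is an added example (not code from the HP guide or the Kerberos server product) that records a constructed worksheet as a dictionary, lints it against those rules, and shows the DN such a newly created principal entry would have under the default principal subtree. The key names and function names are the example's own assumptions.

```python
# Default TCP ports named in the guide for each supported security mechanism.
DEFAULT_PORTS = {"SSL": 636, "Password": 389}

# Constructed worksheet using the example values from this page.
SAMPLE_WORKSHEET = {
    "directory_host": "fox.bambi.com",
    "port": 636,
    "security_mechanism": "SSL",
    "cert_db_path": "/.netscape/cert7.db",
    "proxy_user_dn": "cn=Anne",
    "base_dn": "ou=people,o=bambi.com",
    "principal_subtree_dn": "ou=accounts,ou=people,o=bambi.com",
    "object_class_template": "posixaccount",
    "object_class_attributes": ["uid", "cn", "homedirectory", "gidnumber", "uidnumber"],
}


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 rules):
    special characters anywhere, '#' at the start, and leading or trailing
    spaces must be backslash-escaped."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;=' or (ch == '#' and i == 0)
                or (ch == ' ' and i in (0, last))):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def principal_entry_dn(worksheet, principal_name):
    """DN of the entry the Kerberos server would create for a principal that
    has no existing LDAP entry: the first template attribute names the entry,
    and the entry sits directly under the default principal subtree."""
    naming_attr = worksheet["object_class_attributes"][0]
    return "%s=%s,%s" % (naming_attr, escape_rdn_value(principal_name),
                         worksheet["principal_subtree_dn"])


def lint_worksheet(worksheet):
    """Return a list of findings (empty list means nothing to flag)."""
    findings = []
    mech = worksheet.get("security_mechanism")
    if mech not in DEFAULT_PORTS:
        findings.append("unsupported security mechanism %r; expected SSL or Password" % mech)
    else:
        if worksheet.get("port") != DEFAULT_PORTS[mech]:
            findings.append("port %r is not the default %d for %s; confirm the directory "
                            "server listens there" % (worksheet.get("port"), DEFAULT_PORTS[mech], mech))
        if mech == "Password":
            findings.append("Password mechanism sends the proxy user's bind password in clear text")
        if mech == "SSL" and not worksheet.get("cert_db_path"):
            findings.append("SSL selected but no certificate database path recorded")
    if not worksheet.get("proxy_user_dn"):
        findings.append("no proxy user DN recorded; the Kerberos server cannot bind")
    if not worksheet.get("object_class_attributes"):
        findings.append("object class template lists no attributes, so there is no naming attribute")
    return findings


if __name__ == "__main__":
    for finding in lint_worksheet(SAMPLE_WORKSHEET):
        print("finding:", finding)
    print(principal_entry_dn(SAMPLE_WORKSHEET, "alice"))
```

The linter only reports the mismatches that can be seen from the worksheet itself; it does not contact the directory server, so a default port that the server has been reconfigured away from is flagged as something to confirm rather than as an error.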

© 2007 Hewlett-Packard Development Company, L.P.