Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications using symmetric-key cryptography, and it requires a trusted third party (the Key Distribution Center, KDC) that issues time-limited tickets. Because tickets carry timestamps and lifetimes, clients and servers need reasonably synchronised clocks.
Both Linux and Windows clients and servers can use Kerberos to authenticate logons.
Kerberos is not a directory service: its task is to authenticate user identities, not to store information such as user and group IDs (that is the job of a directory such as LDAP).
Microsoft Windows Services for UNIX (SFU) 3.5 is an interoperability toolkit from Microsoft that enables Windows and UNIX clients and servers to share network resources, integrates account management, simplifies cross-platform management and provides a full UNIX scripting and application execution environment that runs natively on Windows.
Integrated Authentication for Network Resources
As the number of enterprise users grows, account management becomes more complex.
Imagine how many passwords a user has to remember if, besides the system login, they must access several servers (POP3, webmail, FTP and so on), each with its own account database.
Whenever the password or permissions for one of those services change, the system administrator has to notify every affected user.
LDAP directory services can help simplify account and password management by keeping one authoritative copy of that information. Note that the same centralisation makes the directory the most valuable target on the network, so its access controls and the credentials used to bind to it deserve the same protection as a domain controller.
Directories organise complex information, making it easy to find.
They list resources (people, books in a library, goods in a department store) and give details about each one.
E.g. telephone books, a library catalog, a department store catalog.
Enterprises with distributed computer systems use online directories for fast searches, cost-effective management of users and security, and a central integration point for multiple applications and services.
LDAP is used by almost all commercial directory systems.
Entries exist in a tree-like structure known as the Directory Information Tree (DIT), or just the directory tree.
The root of the directory has a name known as the directory's base DN.
The server's base DN typically mirrors the DNS domain of the directory server, using one domain component (dc) attribute per DNS label (the match is a convention, not compulsory).
Each entry in a directory tree can be located by its Distinguished Name (DN).
A DN is composed of an entry's RDN followed by all of the RDNs found as you walk your way back up the tree towards the root entry, separated by commas (semicolons were allowed only by the obsolete RFC 1779 syntax; RFC 4514 uses commas). A comma inside an RDN value must be escaped, otherwise the DN is parsed as having an extra RDN.
If we follow the arrows in Figure 3 and accumulate RDNs as we go, we’ll construct DNs for each highlighted entry.
In the left pane of Figure 3, our DN would be: cn=Robert Smith,l=main campus,ou=CCS,o=Hogwarts School,c=US
In the right pane of Figure 3, it is: uid=rsmith,ou=systems,ou=people,dc=ccs,dc=hogwarts,dc=edu
Figure 3. Walking Back up the tree to produce a DN
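The walk described above, as an added example that is not part of the original notes: each Entry keeps a link to its parent, dn() accumulates RDNs from the leaf back to the root, and RDN values are escaped per RFC 4514 so that a comma inside a value (the tricky_dn case) cannot be mistaken for an RDN separator. The Entry class, the helper names and the trees are my own construction mirroring the two panes of Figure 3.

```python
"""Build DNs by walking from an entry back up to the root, escaping RDN values."""

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")  # a leading '#' would otherwise mean a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")  # leading/trailing spaces are insignificant unless escaped
        else:
            out.append(ch)
    return "".join(out)


class Entry:
    """One node of the DIT: its RDN attribute/value and a link to its parent."""

    def __init__(self, attr, value, parent=None):
        self.attr, self.value, self.parent = attr, value, parent

    def rdn(self):
        return f"{self.attr}={escape_rdn_value(self.value)}"

    def dn(self):
        # Walk back up towards the root, accumulating RDNs leaf-first.
        parts, node = [], self
        while node is not None:
            parts.append(node.rdn())
            node = node.parent
        return ",".join(parts)


def split_dn(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas only (semicolons are not accepted)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def figure3_dns():
    """The two DNs of Figure 3, rebuilt by walking constructed trees."""
    us = Entry("c", "US")
    hogwarts = Entry("o", "Hogwarts School", us)
    ccs = Entry("ou", "CCS", hogwarts)
    campus = Entry("l", "main campus", ccs)
    robert = Entry("cn", "Robert Smith", campus)

    edu = Entry("dc", "edu")
    hog = Entry("dc", "hogwarts", edu)
    ccs2 = Entry("dc", "ccs", hog)
    people = Entry("ou", "people", ccs2)
    systems = Entry("ou", "systems", people)
    rsmith = Entry("uid", "rsmith", systems)
    return robert.dn(), rsmith.dn()


def tricky_dn():
    """A cn containing a comma: without escaping the DN would gain a bogus RDN."""
    ou = Entry("ou", "people", Entry("dc", "example", Entry("dc", "com")))
    return Entry("cn", "Smith, Robert", ou).dn()


if __name__ == "__main__":
    print(figure3_dns())
    print(tricky_dn(), "->", split_dn(tricky_dn()))
```

The escaping matters in practice because a DN is often assembled from user-controlled data (a display name, a mail address); split_dn shows that the escaped form still yields the intended four RDNs.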
Object classes define what entries are possible in an LDAP directory.
Each entry has a special attribute called objectClass.
objectClass contains multiple values that when combined with server and user settings, dictate which attributes must and may exist in that particular entry.
Each of the values of an objectClass attribute is a name of an object class. These classes either define the set of attributes that can or must be in an entry, or expand on the definitions inherited from another class.
The objectClass attribute also provides a convenient way for a user to query for all the entries of a particular object class.
E.g. a search with the filter (objectClass=user) identifies user accounts in Microsoft Active Directory. One caveat: in Active Directory the computer class inherits from user, so that filter also returns computer objects; the usual idiom for people only is (&(objectCategory=person)(objectClass=user)).
The root object class "top" is the ancestor of all object classes and contains the required attribute "objectClass".
Since all entries inherit directly or indirectly from the root "top", every entry MUST contain the attribute "objectClass".
In the previous directory, the object with DN "o=ldap_abc.de" implements the object class "organization". The attribute "objectClass" of this entry has the two values "top" and "organization".
The definition shows which attributes are required (MUST) and which attributes are optional (MAY):
"top" requires only the attribute "objectClass";
"organization" inherits all attributes from "top" and must also contain o (organization name);
"top" has no optional attributes, while "organization" has many optional attributes.
Object Class Definition for top and organization
In most cases, we use the pre-defined standard object classes. If you need to construct entries with attributes not found in an existing object class, it is usually good form to locate the closest existing object class and build upon it, as organizationalPerson builds upon person.
A collection of object classes that specify the attributes for the entries in an LDAP server is called a schema. The server enforces it: an add or modify that omits a MUST attribute, or supplies one not covered by any of the entry's object classes, is rejected with an object class violation.
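The MUST/MAY rules and inheritance described for top and organization, and the schema as a whole, as an added example that is not part of the original notes: effective_attrs resolves the attributes an entry may and must have by following each object class up its SUP chain to top, and validate_entry reports the violations a server would reject. SCHEMA is a hand-written subset of the standard definitions (top from RFC 4512; organization, person and organizationalPerson from RFC 4519) with the MAY lists trimmed; the function names are my own.

```python
"""Resolve the effective MUST/MAY sets of an entry's object classes and validate the entry."""

# Trimmed subset of the standard schema; "sup" is the superior (parent) class.
SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "organization": {
        "sup": "top",
        "must": {"o"},
        "may": {"description", "l", "st", "street", "postalCode", "telephoneNumber", "userPassword"},
    },
    "person": {
        "sup": "top",
        "must": {"sn", "cn"},
        "may": {"userPassword", "telephoneNumber", "seeAlso", "description"},
    },
    "organizationalPerson": {
        "sup": "person",
        "must": set(),
        "may": {"title", "ou", "l", "st", "street", "postalCode", "telephoneNumber"},
    },
}


def effective_attrs(object_classes):
    """Union of MUST and MAY over the named classes and everything they inherit from."""
    must, may, seen = set(), set(), set()

    def visit(name):
        if name in seen:
            return
        cls = SCHEMA.get(name)
        if cls is None:
            raise ValueError(f"unknown object class {name!r}")
        seen.add(name)
        must.update(cls["must"])
        may.update(cls["may"])
        if cls["sup"]:
            visit(cls["sup"])  # walk up to top, which contributes objectClass

    for oc in object_classes:
        visit(oc)
    return must, may - must


def validate_entry(entry):
    """Return schema violations for an entry given as {attribute: [values]} (empty list if valid)."""
    object_classes = entry.get("objectClass") or []
    if not object_classes:
        return ["entry has no objectClass values"]
    try:
        must, may = effective_attrs(object_classes)
    except ValueError as exc:
        return [str(exc)]
    # Attribute names are case-insensitive in LDAP, so compare lower-cased forms.
    present = {a.lower(): a for a in entry}
    must_lc = {a.lower(): a for a in must}
    may_lc = {a.lower() for a in may}
    errors = [f"missing required attribute {must_lc[a]}"
              for a in sorted(must_lc) if a not in present]
    errors += [f"attribute {present[a]} not allowed by object classes {list(object_classes)}"
               for a in sorted(present) if a not in must_lc and a not in may_lc]
    return errors


if __name__ == "__main__":
    # The organization entry from the notes: objectClass = top + organization, o = ldap_abc.de
    print(validate_entry({"objectClass": ["top", "organization"], "o": ["ldap_abc.de"]}))
    print(validate_entry({"objectClass": ["top", "person"], "cn": ["Robert Smith"],
                          "sn": ["Smith"], "title": ["Dean"]}))
```

Listing only organization is enough to pull in top's objectClass requirement through the SUP chain, and a title on a plain person is rejected until the entry is upgraded to organizationalPerson, which is exactly the "build upon the closest class" advice above.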