Realms; Configuring The Kdc Server - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual


Introduction to SASL

Realms

A realm is a set of users and the authentication methods for those users to access
the realm. A realm resembles a fully-qualified domain name and can be
distributed across either a single server or a single domain across multiple
machines. A single server instance can also support multiple realms.
Realms are used by the server to associate the DN of the client in the following
form, which looks like an LDAP URL:
uid=user_name/[server_instance],cn=realm,cn=mechanism,cn=auth
NOTE
Kerberos systems treat the Kerberos realm as the default realm;
other systems default to the server.

Mike Connors in the engineering realm of the European division of
example.com would have the following association if he tried to access a different
server, such as cyclops:
uid=mconnors/cn=Europe.example.com, cn=engineering,cn=gssapi,cn=auth
Babs Jensen in the accounting realm of US.example.com would not have to
specify server_instance:
uid=bjensen,cn=accounting,cn=gssapi,cn=auth
If realms are supported by the mechanism and the default realm was not used,
realm must be specified; otherwise, it is omitted. Currently, only GSS-API
supports the concept of realms.

Configuring the KDC Server

To use GSS-API, the user first obtains a ticket granting ticket (TGT). The ticket and
the ticket's lifetime are parameters in the kdc server configuration in the
/etc/krb5/krb5.conf file. See "Example," on page 445.
NOTE
The HP server and client are separate packages with their own
configuration. The server stores config files in /opt/krb5. The client
is classic MIT and uses /etc/krb5.conf. You need to configure
both to have a working Kerberos system.

Red Hat Directory Server Administrator's Guide • May 2005
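
The identity form described under Realms (uid=user_name/[server_instance],cn=realm,cn=mechanism,cn=auth) can be taken apart and checked as follows. This is an added example, not code from the manual or from Directory Server; the names SaslIdentity and parse_sasl_identity are hypothetical, and it assumes no component contains an escaped comma.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SaslIdentity:  # hypothetical container, not a Directory Server type
    user: str
    server_instance: Optional[str]  # None when no server instance was given
    realm: Optional[str]            # None when the default realm was used
    mechanism: str


def _value(rdn: str, attr: str) -> str:
    """Return the value of one 'attr=value' component, or raise ValueError."""
    name, sep, val = rdn.partition("=")
    if not sep or name.strip().lower() != attr or not val.strip():
        raise ValueError(f"expected {attr}=<value>, got {rdn!r}")
    return val.strip()


def parse_sasl_identity(dn: str) -> SaslIdentity:
    # Assumption: no component contains an escaped comma.
    rdns = [part.strip() for part in dn.split(",")]
    if len(rdns) not in (3, 4):
        raise ValueError(f"expected 3 or 4 components: {dn!r}")
    if rdns[-1].lower() != "cn=auth":
        raise ValueError(f"identity must end in cn=auth: {dn!r}")

    # First component: uid=user_name, optionally followed by /server_instance.
    user, slash, instance = _value(rdns[0], "uid").partition("/")
    if not user or (slash and not instance):
        raise ValueError(f"malformed uid component: {rdns[0]!r}")

    mechanism = _value(rdns[-2], "cn").lower()
    # With four components the second one is the realm; with three it was omitted.
    realm = _value(rdns[1], "cn") if len(rdns) == 4 else None
    # The manual says only GSS-API has realms, so refuse one anywhere else.
    if realm is not None and mechanism != "gssapi":
        raise ValueError(f"mechanism {mechanism!r} does not support realms")
    return SaslIdentity(user, instance or None, realm, mechanism)


# The two DNs below are the manual's own examples.
if __name__ == "__main__":
    for dn in ("uid=mconnors/cn=Europe.example.com, cn=engineering,cn=gssapi,cn=auth",
               "uid=bjensen,cn=accounting,cn=gssapi,cn=auth"):
        print(parse_sasl_identity(dn))
```
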
