Kerberos Server is based on a distributed client-server architecture. It secures communication in a networked environment by leveraging individual trust relationships and distributing that trust across enterprise-wide, distributed client-server networks. It includes a GUI for configuration.

Users can configure Kerberos Server v3.1 with either a native (C-Tree) backend database or an LDAP backend database.

Introduction to LDAP

Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email programs use to look up contact information on a server. LDAP was designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern Internet. X.500 is too complex to support on desktops and over the Internet, so LDAP was created to provide the same service. LDAP has broader applications as well, such as looking up services and devices on the Internet and on intranets.

LDAP-enabled directories are becoming the de facto corporate standard for reducing user-management costs. LDAP gained a great deal of popularity with the explosive growth of the Internet and the World Wide Web. LDAP-based directory servers are used to store enterprise user and service information, as well as customer relationship information for e-commerce applications.

Kerberos Server on HP-UX with Native Back End

If you choose to use Kerberos Server with a native C-Tree back end, Kerberos Server maintains complete information for all the principals, including their keys, in a database on the machine on which the Kerberos server is configured. The native C-Tree database is the default backend database for Kerberos Server v3.1.

Kerberos Server on HP-UX with LDAP Back End

Kerberos Server can also be configured with LDAP as the back end. If you choose to use LDAP, user information is stored in the LDAP directory in a centralized location. HP-UX users can log in to the system by accessing the user information from the LDAP directory with the help of the LDAP-UX Integration product.

Benefits of an LDAP Back End

As the number of different networks and applications has grown, the number of specialized directories of information has also grown, resulting in islands of information that are difficult to maintain. LDAP, an open industry standard, has evolved to meet these needs by providing access to a common directory infrastructure. LDAP defines a standard method for accessing and updating information in a single directory.

By integrating the Kerberos principals with the corresponding users in an LDAP directory, you can create a single point of user and group management. This simplifies account administration by allowing user administration to be performed from a single location.

Implementing this solution involves the following steps:

Modify the configuration files on the Kerberos Server

Extend the LDAP directory schema

Integrating the Kerberos Principal into the LDAP Directory

A directory contains entries which are organized in a tree structure called the Directory Information Tree (DIT). Entries are arranged within the DIT based on their Distinguished Names (DNs). A DN is a unique name that unambiguously identifies a single entry. DNs are made up of a sequence of relative distinguished names (RDNs). Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry. A DN is composed of a sequence of RDNs separated by commas, such as cn=alex, ou=Sales, o=bambi.com.
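The DN structure described above, as an added example that is not part of the Kerberos Server documentation: a small Python parser that splits a DN into its RDNs, honours RFC 4514 backslash escapes so an escaped comma inside a value does not break the split, and lists the entries on the DIT path from the root down to the entry. Multi-valued RDNs joined with '+' are not handled.

```python
# Added example: parse an LDAP DN into RDNs and derive its DIT path.
HEX = "0123456789abcdefABCDEF"

def split_dn(dn):
    """Split a DN into its RDN strings, honouring RFC 4514 backslash escapes."""
    if not dn.strip():                       # the empty DN names the DIT root
        return []
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape intact for now
            i += 2
            continue
        if ch == ",":                        # only an unescaped comma ends an RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    if any(not r for r in rdns):
        raise ValueError(f"empty RDN in DN: {dn!r}")
    return rdns

def unescape_value(value):
    """Resolve '\\,'-style escapes and single-byte '\\2C' hex escapes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if i + 2 < len(value) and value[i + 1] in HEX and value[i + 2] in HEX:
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_rdn(rdn):
    """Split one RDN into (attribute type, unescaped value)."""
    attr_type, sep, value = rdn.partition("=")
    if not sep or not attr_type.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr_type.strip().lower(), unescape_value(value.strip())

def parse_dn(dn):
    """Return the DN as a list of (type, value) pairs, leaf entry first."""
    return [parse_rdn(r) for r in split_dn(dn)]

def dit_path(dn):
    """DNs of every entry on the DIT path from the root down to dn."""
    rdns = split_dn(dn)
    return [",".join(rdns[k:]) for k in range(len(rdns) - 1, -1, -1)]
```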

Figure 3 shows how a Kerberos principal is integrated into the LDAP directory.