Figure 3 (text rendering of the directory tree and the entry it shows):

Directory Root
  o=bambi.com
    ou=Sales
    ou=Accounts

DN: cn=Alex, ou=Sales, o=bambi.com
  sn (surname): Mathew
  FirstName: Alex
  TelephoneNumber: 1907
  uid (userID): mathew
  userPassword: ******
  email: mathew@bambi.com
  Shell: /usr/bin/ksh
  Home Directory: /home/mathew
  Account Expires: 12th Dec 2004
  krbprincipalName: mathew@bambi.com

Figure 3: Integrating a Kerberos Principal into the LDAP Directory

Figure 3 illustrates the data held for the user Alex Mathew, whose entry is located in the LDAP directory at cn=Alex, ou=Sales, o=BAMBI.COM. With the POSIX account attributes and the LDAP information integrated in this way, you can associate data such as Alex's UNIX identity, his Kerberos identity, and any other attributes related to Alex within a single LDAP directory entry. The different authentication mechanisms can then share common data such as the account expiration date, password expiry times, and failed authentication counts.
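The single-entry integration described above, as an added example that is not from the manual: a small LDIF parser and lookup that resolves either the UNIX uid or the Kerberos principal to Alex's entry and applies the one expiry date to both mechanisms. The LDIF text and the attribute names used (givenName, loginShell, homeDirectory, accountExpires, and so on) are assumptions modelled on the labels in Figure 3, not the manual's schema.

```python
from datetime import date

# Constructed LDIF for the Figure 3 entry. Attribute names are assumptions
# modelled on the figure's labels, not the manual's actual schema.
SAMPLE_LDIF = """\
dn: cn=Alex,ou=Sales,o=bambi.com
cn: Alex
sn: Mathew
givenName: Alex
telephoneNumber: 1907
uid: mathew
mail: mathew@bambi.com
loginShell: /usr/bin/ksh
homeDirectory: /home/mathew
accountExpires: 2004-12-12
krbPrincipalName: mathew@bambi.com
"""

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):   # a blank line separates entries
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def find_entry(entries, attr, value):
    """Return the unique entry whose attribute holds value, else None."""
    if value is None:
        return None
    hits = [e for e in entries
            if value.lower() in (v.lower() for v in e.get(attr.lower(), []))]
    return hits[0] if len(hits) == 1 else None

def account_active(entry, today):
    """One expiry attribute enforced for every mechanism (today is ISO text)."""
    exp = entry.get("accountexpires")
    return exp is None or date.fromisoformat(today) <= date.fromisoformat(exp[0])

def resolve(entries, uid=None, principal=None, today="2004-06-01"):
    """Map a POSIX uid or a Kerberos principal to the shared identity record."""
    entry = (find_entry(entries, "uid", uid) if uid is not None
             else find_entry(entries, "krbPrincipalName", principal))
    if entry is None:
        return None
    return {"dn": entry["dn"][0], "uid": entry["uid"][0],
            "principal": entry["krbprincipalname"][0],
            "active": account_active(entry, today)}
```

Because both lookups land on the same entry, changing accountExpires once disables the UNIX login and the Kerberos principal together.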

Generic Security Service Application Programming Interface (GSS-API)

GSS-API is an interface that provides security services to applications using peer-to-peer communication.

Using GSS-API routines, applications can perform the following operations:

- Enable an application to authenticate another application's user.

- Enable an application to delegate access rights to another application.

- Apply security services, such as confidentiality and integrity, on a per-message basis.

GSS-API supports a secure connection between two communicating applications. The application that establishes the secure connection is called the context initiator. The application that accepts the secure connection is called the context acceptor.

GSS-API provides a standard programming interface that is independent of the underlying authentication mechanism. GSS-API enables programmers to design applications and their associated protocols that can use

HP UX Kerberos Data Security Software manual Integrating a Kerberos Principal in to the Ldap Directory