2.0 Kerberos KDC Integration with eDirectory

Novell® Kerberos KDC, provides the ease of single point of management for deployments with both Kerberos and Novell eDirectory™, and gives the advantage of eDirectory replication and security capabilities. It moves Kerberos-specific data to eDirectory and provides Kerberos services by using a KDC that accesses data stored in eDirectory.

In a Kerberos system, the entities in a network are called principals and a logical grouping of principals is called a realm.

In Novell Kerberos KDC, the realms and principals of Kerberos are mapped to eDirectory as shown in the following table:

Table 2-1 Kerberos Mapping With eDirectory

Kerberos Term

Mapping to eDirectory

Realm

Can be mapped to one or more subtrees or containers

For example, if eDirectory has an HR container, you can create an HRREALM realm that references to the HR container. The principals of HRREALM can be located under this container.

Principal

Can be mapped to an existing directory object or created as separate object.

For example, if an eDirectory tree has FTP as a service object and John as an user object, you can add the following principals:

  • A user principal, John.

  • A service principal, FTP.

A Kerberos- specific object class, krbPrincipalAux, is added to the objects.

You can create realms in eDirectory and add principals to these realms. You can associate these realms and principals to eDirectory containers and users or service objects. For information on creating realms, adding principals, and managing them, refer to Section 3.0, Managing the Novell Kerberos KDC.

You need to create the realms under the Kerberos container, which can be located anywhere in the eDirectory tree. This helps you easily administer the Kerberos objects.

Figure 2-1 Kerberos Integration with eDirectory

The following diagram illustrates how the Kerberos data is mapped in eDirectory:

Figure 2-2 eDirectory and Kerberos Mapping

This section provides information on: