Understanding Novell Kerberos KDC

Traditional Kerberos implementations store the Kerberos information pertaining to a realm in a database. Database propagation between KDCs is handled by vendor-specific protocols, and the Kerberos database is managed using vendor-specific administration utilities.

Novell® Kerberos KDC provides a single point of management for deployments that use both Kerberos and Novell eDirectory™, and gives Kerberos the advantage of eDirectory's replication and security capabilities. It moves Kerberos-specific data into eDirectory and provides Kerberos services using a KDC that reads its data from eDirectory. Additionally, because authentication requests lead to database operations that are mostly read-only in nature, eDirectory is well suited to replace the traditional database component.

Novell Kerberos KDC integrates the Kerberos Authentication, Administration, and Password Servers with eDirectory as the data store. Administration is possible using both the traditional command line tools and Novell's Web-based framework, iManager.

Novell Kerberos KDC is derived from the MIT implementation of Kerberos. It is interoperable with Kerberos implementations from other vendors, such as Microsoft Active Directory.

Figure 1: Kerberos Authentication Using Novell Kerberos KDC

This chapter provides information about the following:


Novell Kerberos KDC Features

Novell Kerberos KDC provides the following features:


Novell Kerberos KDC Components

This section introduces you to the components of Novell Kerberos KDC.


Key Distribution Center (KDC)

The KDC provides authentication and ticket-granting services to Kerberos clients. The principal and realm information is stored in eDirectory, and Novell Kerberos KDC accesses this information over secure LDAP connections.


Kerberos Administration Server

The Administration server services administrative requests such as principal management and keytab operations. This server acts like any other Kerberized service on the network and requires the corresponding service ticket before it performs any operation.


Kerberos Password Server

The Password server provides the functionality needed to change principals' passwords from standard Kerberos Change Password clients. Users who want to use this service to change their passwords must first authenticate to the KDC and obtain a service ticket for the Password server. Although the wire-level protocol for changing passwords is not yet a standard, this server complies with the Internet Draft on the Kerberos Change Password Protocol.


kdb5_util and kadmin

kdb5_util and kadmin are tools for managing the Kerberos realm and its principals in eDirectory. For more information on these utilities, refer to Managing Novell Kerberos KDC.


Kerberos LDAP Extensions

Kerberos LDAP extensions service the requests for storing and retrieving various Kerberos-specific keys from eDirectory, for example, the master key of a realm. The keys are stored in eDirectory in a secure form.


Kerberos Password Agent

The Kerberos Password Agent keeps the Kerberos password in sync with the Universal Password, so it needs to be deployed whenever Universal Password integration is required. It synchronizes the Kerberos password with the Universal Password each time the Universal Password is set in eDirectory.


Changes to the MIT KDC Code Base