1.2 Understanding the Novell Kerberos KDC

Traditional Kerberos implementations store the Kerberos information pertaining to a realm in a database. Database propagation between KDCs is handled by vendor-specific protocols, and the Kerberos database is managed using vendor-specific administration utilities.

Novell® Kerberos KDC provides the ease of single point of management for deployments with both Kerberos and Novell eDirectory™, and gives the advantage of eDirectory replication and security capabilities. It moves Kerberos-specific data to eDirectory and provides Kerberos services using a KDC that accesses data stored in eDirectory. Additionally, because authentication requests lead to database operations that are mostly read-only in nature, eDirectory is well suited to replace the traditional database component.

Novell Kerberos KDC integrates the Kerberos Authentication, Administration, and Password Servers with eDirectory as the data store. Administration is possible using both the traditional command-line tools and Novell's Web-based framework, iManager.

The Novell Kerberos KDC is derived from the MIT implementation of Kerberos. It is interoperable with the Kerberos implementations from other vendors like Microsoft* Active Directory*.

Figure 1-1 Kerberos Authentication Using Novell Kerberos KDC

This section provides information about the following:

1.2.1 Novell Kerberos KDC Features

Novell Kerberos KDC provides the following features:

  • A standard authentication method to leverage your existing eDirectory deployment.

  • An iManager interface to manage multiple Kerberos realms.

  • Universal Password integration that enables you to use the same password to log in to both eDirectory and KDC.

  • The login restrictions of the users can be enforced for Kerberos authentications.

    NOTE: Kerberos 4 is not supported.

1.2.2 Novell Kerberos KDC Components

This section introduces you to the components of Novell Kerberos KDC.

Key Distribution Center (KDC)

KDC provides authentication and ticket granting services to Kerberos clients. The principal and realm information is stored in eDirectory. Novell Kerberos KDC accesses this information by using secure LDAP connections.

Kerberos Administration Server

The Administration server services administrative requests such as principal management and keytab operations. This server acts like any other Kerberized service on the network and requires the corresponding service ticket before it performs any operation.

Kerberos Password Server

The Password server provides the functionality to change principals' passwords from standard Kerberos Change Password clients. Users who want to use this service to change their passwords must first authenticate to the KDC and obtain a service ticket for the Password server. Although the wire-level protocol for changing passwords is not yet a standard, this server complies with the Internet Draft on the Kerberos Change Password Protocol.

kdb5_ldap_util and kadmin

kdb5_ldap_util and kadmin are tools for managing the Kerberos realm and principals in eDirectory. For more information on these utilities, refer to Section 3.0, Managing the Novell Kerberos KDC.

Kerberos LDAP Extensions

Kerberos LDAP extensions service requests for storing and retrieving various Kerberos-specific keys in eDirectory, for example the master key of a realm. The keys are stored in eDirectory in a secure form.

Kerberos Password Agent

Kerberos Password Agent keeps the Kerberos password in sync with the Universal Password. Therefore, it needs to be deployed when Universal Password integration is required. It synchronizes the Kerberos password with Universal Password whenever the Universal Password is set in eDirectory.

1.2.3 Changes to the MIT KDC Code Base

  • Tight integration of Kerberos and eDirectory identities, including a single password by means of Universal Password.

  • Separate Password server instead of the Administration server playing that role.

  • New kdb5_ldap_util utility to configure the Novell KDC.

  • Modifications to kdb5_ldap_util to work with eDirectory.

  • Additions to the krb5.conf configuration file to include eDirectory configuration.

  • Kerberos 4 is not supported.
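The following krb5.conf fragment is a constructed illustration of the eDirectory additions listed above; it is not taken from the product documentation. It assumes the realm EXAMPLE.COM, the eDirectory server ldap.example.com, the container cn=Kerberos,o=example, and the key names of the MIT krb5 LDAP back end (kldap), from which Novell's KDC code base is derived; verify the exact key names for your release against Section 3.0.

```ini
# Constructed example, not from the Novell Kerberos KDC documentation.
# Assumed names: realm EXAMPLE.COM, eDirectory host ldap.example.com,
# Kerberos container cn=Kerberos,o=example, bind DNs cn=krb5kdc and cn=kadmind.
# Key names follow the MIT krb5 kldap back end; check them for your release.

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # Points the realm at the eDirectory module defined under [dbmodules]
        database_module = edir_backend
    }

[dbmodules]
    edir_backend = {
        db_library = kldap
        # Subtree in eDirectory that holds the realm and principal objects
        ldap_kerberos_container_dn = cn=Kerberos,o=example
        # Separate bind identities (least privilege): the KDC only reads
        # principal entries, while kadmind must also write them
        ldap_kdc_dn = cn=krb5kdc,o=example
        ldap_kadmind_dn = cn=kadmind,o=example
        # Stash file for the two bind passwords, created with
        # "kdb5_ldap_util stashsrvpw"; restrict it to the KDC's service account
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # LDAPS keeps principal keys and bind credentials off the wire in clear text
        ldap_servers = ldaps://ldap.example.com
    }
```

Check that the stash file is not world-readable and that the eDirectory ACLs actually grant the KDC DN read-only rights; a KDC bind identity with write access widens the blast radius of a KDC compromise for no operational benefit.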