Workshop Agenda
Summary:
The workshop covers theory as well as practical issues: lectures on Kerberos and LDAP will familiarize you with these two base technologies, and practical exercises on the computer will consolidate the newly acquired skills. By the end of the workshop every participant will have implemented a single-sign-on system under Linux.
Day 1: Kerberos – a cryptographic authentication service
Lecture: The Kerberos authentication service
The lecture concentrates on the design goals of Kerberos, the framework requirements underlying those goals, and the actual implementation in Kerberos V. Central to the Kerberos concept is single sign-on: a user who has signed on to a local workstation with his password accesses network services without having to enter the password again. The lecture addresses how this single-sign-on goal can be implemented, which problems arise, and how Kerberos V solves them with cryptographic methods.
Practical experience: Construction of an MIT Kerberos realm
Using Debian Linux, the participants will work in pairs to set up a Kerberos authentication service (Key Distribution Center, KDC). Login on a Linux workstation will be integrated into the Kerberos realm via PAM, and a Windows XP workstation will be integrated in the same way. Beyond the integrated login, an application will be kerberized using the Apache web server as the example; Mozilla 1.8 and IE 6 are available as clients.
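The following script is an added example of the Day 1 exercise and is not part of the workshop material: it writes the krb5.conf, kadm5.acl, PAM and mod_auth_kerb configuration for a small MIT Kerberos realm on Debian and contains the kadmin commands for creating the realm, the user and the host/HTTP service principals. The realm EXAMPLE.ORG, the hosts kdc/ws1/www.example.org, the user alice and the option of writing the files into a scratch directory instead of / are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not workshop material): provisioning a workshop MIT Kerberos realm
# on Debian. Assumed names: realm EXAMPLE.ORG, KDC kdc.example.org, workstation
# ws1.example.org, web server www.example.org, user alice. Each config writer takes
# a root directory so the files can be generated into a scratch directory for
# review before they are installed under /.
set -eu

REALM="EXAMPLE.ORG"
KDC_HOST="kdc.example.org"
DOMAIN=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')

# /etc/krb5.conf, identical on the KDC, the workstations and the web server.
write_krb5_conf() {
    root="$1"
    mkdir -p "$root/etc"
    cat > "$root/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
    # Pin realm and KDC explicitly rather than trusting DNS lookups for them.
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $KDC_HOST
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# Only */admin principals may change the database through kadmind.
write_kadm5_acl() {
    root="$1"
    mkdir -p "$root/etc/krb5kdc"
    printf '*/admin@%s *\n' "$REALM" > "$root/etc/krb5kdc/kadm5.acl"
}

# Workstation login via PAM (libpam-krb5): Kerberos first, local accounts as fallback.
write_pam_common_auth() {
    root="$1"
    mkdir -p "$root/etc/pam.d"
    cat > "$root/etc/pam.d/common-auth" <<EOF
# System accounts (uid < 1000) are never sent to the KDC; use_first_pass avoids a
# second password prompt when Kerberos rejects the login.
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so nullok_secure use_first_pass
EOF
}

# Kerberized Apache (libapache2-mod-auth-kerb): a browser holding a TGT authenticates
# via SPNEGO/Negotiate, so the user's password never reaches the web server.
write_apache_kerb_conf() {
    root="$1"
    mkdir -p "$root/etc/apache2/conf.d"
    cat > "$root/etc/apache2/conf.d/kerberos.conf" <<EOF
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos login ($REALM)"
    KrbAuthRealms $REALM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate on
    # Disable the Basic-auth fallback: with it, the Kerberos password would be
    # sent to Apache, which would then obtain a ticket on the user's behalf.
    KrbMethodK5Passwd off
    Require valid-user
</Location>
EOF
}

# Runs on the KDC only (packages krb5-kdc, krb5-admin-server). Not executed by default.
create_realm() {
    kdb5_util create -s -r "$REALM"            # -s stashes the master key so krb5kdc starts unattended
    kadmin.local -q "addprinc admin/admin"     # prompts for the admin password
    kadmin.local -q "addprinc alice"           # prompts for alice's password
    # Host and service principals get random keys that exist only in keytabs.
    kadmin.local -q "addprinc -randkey host/ws1.$DOMAIN"
    kadmin.local -q "ktadd -k /tmp/ws1.keytab host/ws1.$DOMAIN"
    kadmin.local -q "addprinc -randkey HTTP/www.$DOMAIN"
    kadmin.local -q "ktadd -k /tmp/www-http.keytab HTTP/www.$DOMAIN"
    # Copy the keytabs over a secure channel (scp) to /etc/krb5.keytab on ws1 and to
    # /etc/apache2/http.keytab (readable only by the Apache user) on www, then delete them here.
}

case "${1:-}" in
    --configs) for f in write_krb5_conf write_kadm5_acl write_pam_common_auth write_apache_kerb_conf; do "$f" "${2:-/}"; done ;;
    --realm)   create_realm ;;
esac
```

Usage: `sh kerberos-setup.sh --configs /tmp/stage` generates the four files for inspection, `--configs` without a directory installs them under /, and `--realm` is run once on the KDC. The two points worth checking in the generated files are that the workstation's PAM stack still reaches pam_unix.so for system accounts and that KrbMethodK5Passwd stays off, since that is the setting which keeps passwords away from the web server.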
Day 2: LDAP – a hierarchical directory service
Lecture: Lightweight Directory Access Protocol
In an overview of the history of LDAP, the lecture first illustrates the relationship to the X.500 directory service; similarities and differences between LDAP and X.500 are discussed. The strengths and weaknesses of such a general-purpose directory are then illustrated, with delegation and replication as the central topics. Finally, the application possibilities and concrete problems of LDAP as a directory service are presented.
Practical experience: Construction of an OpenLDAP directory service
Using Debian Linux, the participants will work in pairs to set up an OpenLDAP server and populate it with graphical and command-line tools. Network access to the server will then be secured with TLS, which requires a short digression into managing certificates with openssl. Afterwards, the participants replicate their server to increase the availability of the directory. Finally, access to the LDAP service is kerberized. The Mozilla address book will be available to the participants as the application for the LDAP infrastructure they have built; additionally, the user database of the Linux workstation can be tied to LDAP.
This part of the workshop rounds out the first day: Kerberos is purely an authentication service, and user account data must be obtained from a directory service such as LDAP or NIS+.
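The following script is an added example of the Day 2 exercise and is not part of the workshop material: it generates a throwaway workshop CA and server certificate with openssl, writes a provider slapd.conf that enforces TLS for password binds and maps Kerberos principals onto directory entries via SASL/GSSAPI, writes the syncrepl stanza for a replica, and lists the client commands. The suffix dc=example,dc=org, the hosts ldap/ldap2.example.org, the realm EXAMPLE.ORG, the user alice, the replicator credentials and the use of slapd.conf-style OpenLDAP 2.3+ directives (syncprov/syncrepl, authz-regexp) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not workshop material): securing and kerberizing the workshop
# OpenLDAP server. Assumed names: suffix dc=example,dc=org, provider ldap.example.org,
# consumer ldap2.example.org, realm EXAMPLE.ORG, user alice; slapd.conf-style
# configuration with OpenLDAP 2.3+ directives. Every function writes into the
# directory given as its argument; nothing touches /etc/ldap until the files have
# been reviewed and copied there by hand.
set -eu

SUFFIX="dc=example,dc=org"
LDAP_HOST="ldap.example.org"
REALM="EXAMPLE.ORG"

# Step 1: a throwaway workshop CA and a server certificate signed by it (openssl).
make_certs() {
    out="$1"
    mkdir -p "$out"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Workshop CA" -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$LDAP_HOST" -keyout "$out/ldap.key" -out "$out/ldap.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$out/ldap.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -out "$out/ldap.pem" 2>/dev/null
    # Verify the chain before handing the files to slapd and to the clients.
    openssl verify -CAfile "$out/ca.pem" "$out/ldap.pem" >/dev/null
}

# Step 2: provider slapd.conf with TLS, a passwords-only-over-TLS policy and
# SASL/GSSAPI mapping of Kerberos principals onto directory entries.
write_slapd_conf() {
    out="$1"
    mkdir -p "$out"
    cat > "$out/slapd.conf" <<EOF
include     /etc/ldap/schema/core.schema
include     /etc/ldap/schema/cosine.schema
include     /etc/ldap/schema/inetorgperson.schema
include     /etc/ldap/schema/nis.schema
modulepath  /usr/lib/ldap
moduleload  back_bdb
moduleload  syncprov

TLSCACertificateFile   /etc/ldap/ssl/ca.pem
TLSCertificateFile     /etc/ldap/ssl/ldap.pem
TLSCertificateKeyFile  /etc/ldap/ssl/ldap.key
# Simple (password) binds are refused unless the session already has 128 bits of
# TLS protection, so a password can never cross the wire in the clear.
security simple_bind=128

# slapd proves its identity with ldap/$LDAP_HOST@$REALM, read from the keytab named
# by KRB5_KTNAME in /etc/default/slapd. Kerberos user alice arrives as the SASL
# identity uid=alice,cn=$REALM,cn=gssapi,cn=auth and is mapped onto her entry.
sasl-realm  $REALM
sasl-host   $LDAP_HOST
authz-regexp "uid=([^,]*),cn=$REALM,cn=gssapi,cn=auth"
             "uid=\$1,ou=people,$SUFFIX"

database    bdb
suffix      "$SUFFIX"
rootdn      "cn=admin,$SUFFIX"
directory   /var/lib/ldap
index       objectClass,uid,entryCSN,entryUUID eq
overlay     syncprov

# userPassword is writable by its owner and usable for binds, never readable.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
EOF
}

# Step 3: the replica (ldap2.example.org) pulls changes from the provider over TLS.
# The replicator DN and password are placeholders; the consumer's database section
# is otherwise identical to the provider's, minus "overlay syncprov".
write_consumer_syncrepl() {
    out="$1"
    mkdir -p "$out"
    cat > "$out/syncrepl.conf" <<EOF
syncrepl rid=001
         provider=ldap://$LDAP_HOST
         type=refreshAndPersist
         searchbase="$SUFFIX"
         bindmethod=simple
         binddn="cn=replicator,$SUFFIX"
         credentials=CHANGE-ME
         starttls=critical
         retry="60 +"
updateref ldap://$LDAP_HOST
EOF
}

# Step 4: client side (not executed by default). Needs "TLS_CACERT /etc/ldap/ssl/ca.pem"
# in /etc/ldap/ldap.conf and, for GSSAPI, a TGT from the Day 1 realm.
client_demo() {
    ldapsearch -ZZ -x -H "ldap://$LDAP_HOST" -b "$SUFFIX" '(uid=alice)'    # -ZZ: StartTLS or fail
    kinit alice
    ldapsearch -Y GSSAPI -H "ldap://$LDAP_HOST" -b "$SUFFIX" '(uid=alice)' # ticket, no password
    # Workstation user database from LDAP (libnss-ldap), /etc/nsswitch.conf:
    #   passwd: files ldap      group: files ldap
}

case "${1:-}" in
    --certs)  make_certs "${2:-./ldap-out/ssl}" ;;
    --conf)   write_slapd_conf "${2:-./ldap-out}"; write_consumer_syncrepl "${2:-./ldap-out}" ;;
    --client) client_demo ;;
esac
```

Usage: `sh ldap-setup.sh --certs` and `--conf` produce the files under ./ldap-out for review; copy ca.pem to every client and the replica, ldap.pem/ldap.key to the provider only. The setting that makes the digression into certificates worthwhile is `security simple_bind=128`: with it, a client that forgets `-ZZ` gets a bind error instead of leaking its password, and the kerberized path (`-Y GSSAPI`) never sends one at all.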
