Introduction to SASL

444 Red Hat Directory Server Administrator’s Guide • May 2005

Realms

A realm is a set of users and the authentication methods for those users to access the realm. A realm resembles a fully-qualified domain name and can be distributed across either a single server or a single domain across multiple machines. A single server instance can also support multiple realms.

Realms are used by the server to associate the DN of the client in the following form, which looks like an LDAP URL:

uid=user_name/[server_instance],cn=realm,cn=mechanism,cn=auth

Mike Connors in the engineering realm of the European division of example.com would have the following association if he tried to access a different server, such as cyclops:

uid=mconnors/cn=Europe.example.com,cn=engineering,cn=gssapi,cn=auth

Babs Jensen in the accounting realm of US.example.com would not have to specify server_instance:

uid=bjensen,cn=accounting,cn=gssapi,cn=auth

If realms are supported by the mechanism and the default realm was not used, realm must be specified; otherwise, it is omitted. Currently, only GSS-API supports the concept of realms.

Configuring the KDC Server

To use GSS-API, the user first obtains a ticket granting ticket (TGT). The ticket and the ticket’s lifetime are parameters in the KDC server configuration in the /etc/krb5/krb5.conf file. See “Example,” on page 445.

NOTE Kerberos systems treat the Kerberos realm as the default realm; other systems default to the server.

NOTE The HP server and client are separate packages with their own configuration. The server stores config files in /opt/krb5. The client is classic MIT and uses /etc/krb5.conf. You need to configure both to have a working Kerberos system.
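The identity form described under Realms above, as an added example (not code from the guide or from Directory Server): a strict Python parser that splits an identity into user, server instance, realm and mechanism, and rejects strings that do not match the form. The names parse_sasl_identity and SaslIdentity are hypothetical, and the parser assumes values contain no escaped commas.

```python
# Added example: strict parser for the SASL identity form shown under "Realms".
# Assumptions: values contain no escaped commas; parse_sasl_identity and
# SaslIdentity are hypothetical names, not Directory Server APIs.
from typing import NamedTuple, Optional

REALM_MECHANISMS = {"gssapi"}  # per the guide, only GSS-API supports realms


class SaslIdentity(NamedTuple):
    user: str
    server_instance: Optional[str]
    realm: Optional[str]
    mechanism: str


def _cn(component: str) -> str:
    """Return the value of a cn=<value> component, or raise ValueError."""
    attr, sep, value = component.partition("=")
    if attr.strip().lower() != "cn" or not sep or not value.strip():
        raise ValueError(f"expected cn=<value>, got {component!r}")
    return value.strip()


def parse_sasl_identity(identity: str) -> SaslIdentity:
    parts = [p.strip() for p in identity.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError("expected uid, optional realm, mechanism, cn=auth")
    attr, sep, uid_value = parts[0].partition("=")
    if attr.lower() != "uid" or not sep:
        raise ValueError("identity must start with uid=")
    # Everything after the first "/" is the optional server instance.
    user, slash, instance = uid_value.partition("/")
    if not user or (slash and not instance):
        raise ValueError("empty user name or server instance")
    if _cn(parts[-1]).lower() != "auth":
        raise ValueError("identity must end with cn=auth")
    mechanism = _cn(parts[-2]).lower()
    realm = _cn(parts[1]) if len(parts) == 4 else None
    if realm is not None and mechanism not in REALM_MECHANISMS:
        raise ValueError(f"mechanism {mechanism!r} does not support realms")
    return SaslIdentity(user, instance or None, realm, mechanism)


if __name__ == "__main__":
    # The two identities from the guide, then one constructed negative case.
    for s in ("uid=mconnors/cn=Europe.example.com,cn=engineering,cn=gssapi,cn=auth",
              "uid=bjensen,cn=accounting,cn=gssapi,cn=auth",
              "uid=bjensen,cn=accounting,cn=plain,cn=auth"):
        try:
            print(parse_sasl_identity(s))
        except ValueError as err:
            print(f"rejected {s!r}: {err}")
```

Rejecting anything outside the documented form before an identity is mapped to a directory entry keeps a malformed or unexpected realm from being silently accepted as a valid principal.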