  Example 2
 
Subject: Example 2
Author: eLDAP
In response to: Example 1
Posted on: 02/10/2010 09:34:40 PM

For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV, which authenticates with NERSC.GOV but not PNL.GOV.

The [capaths] section for ANL.GOV systems would look like this:

[capaths]
   ANL.GOV = { 
       TEST.ANL.GOV = .
       PNL.GOV = ES.NET
       NERSC.GOV = ES.NET
       ES.NET = .
   }

   TEST.ANL.GOV = { 
       ANL.GOV = .
   }

   PNL.GOV = { 
       ANL.GOV = ES.NET
   }

   NERSC.GOV = { 
      ANL.GOV = ES.NET
   }

   ES.NET = { 
      ANL.GOV = .
   }

The [capaths] section of the configuration file used on NERSC.GOV systems would look like this:

[capaths]
   NERSC.GOV = {
      ANL.GOV = ES.NET
      TEST.ANL.GOV = ES.NET
      TEST.ANL.GOV = ANL.GOV
      PNL.GOV = ES.NET
      ES.NET = .
   }

   ANL.GOV = { 
      NERSC.GOV = ES.NET
   }

   PNL.GOV = { 
      NERSC.GOV = ES.NET
   }

   ES.NET = { 
      NERSC.GOV = .
   }

   TEST.ANL.GOV = { 
      NERSC.GOV = ANL.GOV
      NERSC.GOV = ES.NET
   }

In the above example, the ordering is not important, except when the same relation is used more than once. The client uses this to determine the path.


 

> On 02/10/2010 09:33:53 PM eLDAP wrote:

For example, to set up cross-realm authentication between ENG.EAST.ACME.COM and SALES.WEST.ACME.COM, krb5.conf should include the following entry:

[capaths]
    ENG.EAST.ACME.COM = {
        SALES.WEST.ACME.COM = .
    }

    SALES.WEST.ACME.COM = {
         ENG.EAST.ACME.COM = .
    }

On Windows 2000, you must set up a trust relationship between the two realms.
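
The ordering rule from the post above, as an added example that is not part of the original posts: a small Python parser that reads a [capaths] section and lists the realms a request crosses, keeping repeated relations in file order. The names parse_capaths, transit_path and SAMPLE are hypothetical, and the sample is a constructed excerpt of the NERSC.GOV configuration shown above.

```python
# Constructed sample: excerpt of the NERSC.GOV [capaths] section from the post.
SAMPLE = """
[capaths]
   NERSC.GOV = {
      ANL.GOV = ES.NET
      TEST.ANL.GOV = ES.NET
      TEST.ANL.GOV = ANL.GOV
      PNL.GOV = ES.NET
      ES.NET = .
   }
   TEST.ANL.GOV = {
      NERSC.GOV = ANL.GOV
      NERSC.GOV = ES.NET
   }
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms, file order]}}."""
    paths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):             # section header, e.g. [capaths]
            in_section, client = line == "[capaths]", None
            continue
        if not in_section:
            continue
        if line == "}":                      # end of a client-realm subsection
            client = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                     # "CLIENT.REALM = {"
            client = key
            paths.setdefault(client, {})
        elif client is not None:             # "SERVER.REALM = INTERMEDIATE"
            paths[client].setdefault(key, []).append(value)
    return paths

def transit_path(paths, client, server):
    """Realms crossed from client to server; None if no explicit entry exists."""
    hops = paths.get(client, {}).get(server)
    if hops is None:
        return None
    if "." in hops:                          # "." means the realms share keys directly
        return [client, server]
    return [client, *hops, server]           # repeated relations keep their order
```

Running transit_path over every client/server pair in a deployed krb5.conf gives a reviewable list of which intermediate realms each realm relies on.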




