Apple Mac OS X Server Network Card User Manual


 
Chapter 15 Working with Open Directory 261
Kerberos and Apple Single Sign-On
Built into Open Directory is a robust authentication server that uses MIT’s Kerberos Key Distribution Center (KDC)—providing strong authentication with support for secure single sign-on. That means users need authenticate only once, with a single user name and password pair, for access to a broad range of Kerberized network services.
The following tools are available for setting up your Kerberos and Apple single sign-on environment. For more information about a tool, see the related man page.

Tool (in /usr/sbin/)   Description
kdcsetup               Creates necessary setup files and adds krb5kdc and kadmind
                       servers for the Apple Open Directory KDC.
sso_util               Sets up, interrogates, and tears down the Kerberos configuration
                       within the Apple single sign-on environment.
kerberosautoconfig     Creates the edu.mit.Kerberos file based on the Open Directory
                       KerberosClient record.

Backing Up the Kerberos Database
kdb5_util is a tool for maintaining the Kerberos database. The kdb5_util tool is useful for dumping the principal database to text to get a reliable backup. Keep in mind that the data in question is extremely sensitive—creating a copy of it, by definition, decreases your overall security. These backups should be subject to the same security precautions as the other KDC files.

Note: Do not back up the KDC while the krb5kdc process is running.

To dump the KDC’s database:
$ sudo kdb5_util dump > /path/to/secure/backup
Replace /path/to/secure/backup with the path to the location you are backing up the database to.

To load KDC data from a dumped file:
$ sudo kdb5_util load /path/to/secure/backup
Replace /path/to/secure/backup with the path to the location of your backup database.

kdb5_util can also be used to create and delete Kerberos databases and to manage the location of the stash file used to encrypt the database.
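The dump and load procedure above, wrapped in a small shell script as an added example (not from the Apple manual): it refuses to dump while krb5kdc is running, writes the dump under umask 077 with mode 0600, and rejects an empty dump. The KDB5_UTIL path override, the dump/load command-line form and the temporary-file naming are this example's assumptions; run it as root rather than through sudo.

```shell
#!/bin/sh
# Added example (not from the Apple manual): back up and restore the Open
# Directory KDC principal database with kdb5_util, honouring the manual's
# note that the KDC must not be running during a dump. Run as root.
# The KDB5_UTIL override and the command-line form are assumptions.

KDB5_UTIL="${KDB5_UTIL:-/usr/sbin/kdb5_util}"

# Return 0 when a krb5kdc process is running.
kdc_running() {
    pgrep -x krb5kdc >/dev/null 2>&1
}

# backup_kdc DEST: write "kdb5_util dump" output to DEST with mode 0600.
# Returns non-zero if the KDC is running or the dump comes out empty.
backup_kdc() {
    dest="$1"
    if kdc_running; then
        echo "krb5kdc is running; stop it before dumping the database" >&2
        return 2
    fi
    tmp="${dest}.tmp.$$"
    old_umask=$(umask)
    umask 077                      # the dump is as sensitive as the KDC itself
    if "$KDB5_UTIL" dump > "$tmp"; then rc=0; else rc=$?; fi
    umask "$old_umask"
    if [ "$rc" -ne 0 ] || [ ! -s "$tmp" ]; then
        rm -f "$tmp"               # never leave a partial or empty dump behind
        return 1
    fi
    chmod 600 "$tmp" && mv "$tmp" "$dest"
}

# restore_kdc SRC: load a previously dumped file back into the database.
restore_kdc() {
    [ -s "$1" ] || return 1
    "$KDB5_UTIL" load "$1"
}

# Usage: kdc-backup.sh dump /path/to/secure/backup
#        kdc-backup.sh load /path/to/secure/backup
case "${1:-}" in
    dump) backup_kdc "$2" ;;
    load) restore_kdc "$2" ;;
esac
```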