Reference8:Configuration/General/Kerberos
Latest revision as of 12:19, 26 October 2010
On this page the Kerberos server of the device is managed.
General settings
Password
The password is used to encrypt sensitive information in the database of the server. The password has to be configured before any other settings can be done. In scenarios with LDAP replication the passwords have to be the same on both the master and the slave.
Realm
This is the unique name of the realm of the Kerberos server. The name may contain letters, numbers, dots (.) and minus signs (-). By convention, Kerberos realm names are written in upper case and do not contain lower-case letters.
LDAP Replication
LDAP replication can be used to set up two redundant Kerberos servers. The replication is configured on the slave device.
Master
The IP address of the master server. The server must be an innovaphone server, too.
Enable
Turns on/off replication.
Users
Name
May contain letters, numbers and minus signs.
Password
User passwords are limited to a length of 15 characters. Remove the password to delete a user.
Authorization
Defines the rights the user has on the devices of the realm.
- Administrator: do anything
- Viewer: view settings
- Join Realm: add devices to the realm, no login
Trusted realms / Cross-realm authentication
Defines trust relationships between the realm of the Kerberos server and remote realms. This means that users from one realm can be authenticated to services/hosts of the other realm. This is called cross-realm authentication. Realms that trust each other share a password.
Name
The name of the Kerberos realm or Windows domain. May contain letters, numbers and minus signs.
Password
Passwords are limited to a length of 15 characters. Remove the password to delete a trust relationship.
Authorization
Defines the mapping of the rights for users of the remote realm in the local realm.
- keep: Works only with innovaphone realms. Users of the remote realm have the same rights in the local realm.
- use domain group: Works only with Windows domains. You can specify a RID of a Windows group of administrators and a group of viewers in the remote domain.
- Administrator: All users of the remote realm have administrator rights in the local realm.
- Viewer: All users of the remote realm have viewer rights in the local realm.
Admin Group RID / Viewer Group RID
These settings are used if "use domain group" is selected. You can specify the RID of a Windows group of administrators and of a group of viewers in the remote domain. The RID is the last part of the SID of the group. Make sure that the groups do not contain nested groups and that they are configured as "Global security group" in the Windows domain.
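The following is an added example, not innovaphone's code and not part of the original page. It checks the field constraints stated above before they are typed into the device (realm name character set and case convention, user and trusted-realm name character set, the 15-character password limit) and derives the RID from a Windows group SID. It also flags SIDs that are not of the domain form S-1-5-21-...-RID, such as BUILTIN groups under S-1-5-32, which are domain-local aliases rather than global security groups. The function names and the sample SID are constructed for illustration.

```python
from __future__ import annotations

import re

# Field constraints as stated on the configuration page.
REALM_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # realm: letters, digits, dots, minus
SIMPLE_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")   # user / trusted-realm name: letters, digits, minus
MAX_PASSWORD_LEN = 15

# A Windows SID in text form: S-1-<identifier authority>-<sub-authority>...
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def check_realm_name(name: str) -> list[str]:
    """Return findings for a Kerberos realm name (empty list means OK)."""
    findings = []
    if not REALM_NAME_RE.match(name):
        findings.append("realm name may only contain letters, digits, dots and minus signs")
    elif name != name.upper():
        # Accepted by the device, but realm names are conventionally upper case.
        findings.append("realm name contains lower-case letters; realms are conventionally upper case")
    return findings


def check_simple_name(name: str) -> list[str]:
    """User names and trusted-realm names: letters, digits and minus signs only."""
    if not SIMPLE_NAME_RE.match(name):
        return ["name may only contain letters, digits and minus signs"]
    return []


def check_password(password: str) -> list[str]:
    """Passwords on this page are limited to 15 characters."""
    if len(password) > MAX_PASSWORD_LEN:
        return [f"password is {len(password)} characters, limit is {MAX_PASSWORD_LEN}"]
    return []


def sid_parts(sid: str) -> tuple[int, list[int]]:
    """Split a textual SID into (identifier authority, [sub-authorities...])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of the SID; this is the value entered on the page."""
    _, subs = sid_parts(sid)
    return subs[-1]


def is_domain_group_sid(sid: str) -> bool:
    """True for a SID of the domain form S-1-5-21-<a>-<b>-<c>-<RID>.

    Groups under S-1-5-32 (BUILTIN, e.g. S-1-5-32-544 Administrators) are
    domain-local aliases, not global security groups, so they do not meet the
    page's requirement for the Admin/Viewer group.
    """
    authority, subs = sid_parts(sid)
    return authority == 5 and len(subs) == 5 and subs[0] == 21


def check_trusted_domain(name: str, password: str, admin_sid: str, viewer_sid: str) -> list[str]:
    """Combine the checks for one 'use domain group' trust entry."""
    findings = check_simple_name(name) + check_password(password)
    for label, sid in (("Admin Group", admin_sid), ("Viewer Group", viewer_sid)):
        try:
            if not is_domain_group_sid(sid):
                findings.append(f"{label}: {sid} is not a domain group SID (S-1-5-21-...)")
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the domain SID below is made up for illustration.
    DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"
    print(check_realm_name("EXAMPLE.COM"))   # []
    print(check_realm_name("example.com"))   # lower-case warning
    print(rid_from_sid(DOMAIN + "-512"))     # 512, the well-known RID of Domain Admins
    # The viewer group below is BUILTIN\Users (S-1-5-32-545), which is flagged.
    print(check_trusted_domain("CORP", "s3cret", DOMAIN + "-512", "S-1-5-32-545"))
```

Running the checks before configuring the device makes the two rules that are easy to get wrong visible: the 15-character password limit applies to both user passwords and the shared trust password, and the RID must come from a domain SID, not from a BUILTIN alias.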
Hosts
This list shows all devices that have joined the realm. Click Del to delete a device from the list.