1.1.1 - Realms
A Realm is associated with a Kerberos administrative domain. In other words, it covers everything the Kerberos server manages :
- Users
- Services
Note that a Kerberos Server manages one Realm only, a Realm can be managed by more than one Kerberos server : this is mandatory to avoid a single point of failure, if a Kerberos server halts for any reason.
Realm name
In order to distinguish the Realms, we give them a unique name. This name can be anything, but a convention is to use the DNS name of the Kerberos server, and to use uppercase.
For instance, say that th Kerberos server is installed on a machine whose domain name is apache.org, then we will use APACHE.ORG as the Realm name (but you could use Apache.org or even MyApacheDomain).
The Realm name wil be used all over Kerberos to name Principals and Services
Default Realm for ApacheDS Kerberos Server
When ApacheDS Kerberos Server installed, the default Realm name is set to EXAMPLE.COM. This can be changed either using Studio, by accessing the server configuration and changing the ‘Primary KDC Realm’, as show in this picture :
or by modifying the LDIF configuration directly, by modifying the following entry :
dn: ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
...
ads-krbprimaryrealm: EXAMPLE.COM
...