KrbServer and LdapServer Principles

Updated on 2025-01-22 GMT+08:00

Overview

To manage the access control permissions on data and resources in a cluster, it is recommended that the cluster in security mode be installed. In security mode, a client application must be authenticated and a secure session must be established before the application accesses any resource in the cluster. MRS uses KrbServer to provide Kerberos authentication for all components, implementing a reliable authentication mechanism.

LdapServer supports Lightweight Directory Access Protocol (LDAP) and provides the capability of storing user and user group data for Kerberos authentication.

Architecture

The security authentication function for user login depends on Kerberos and LDAP.

Figure 1 Security authentication architecture

Figure 1 includes three scenarios:

  • Logging in to the MRS Manager Web UI

    The authentication architecture includes steps 1, 2, 3, and 4.

  • Logging in to a component web UI

    The authentication architecture includes steps 5, 6, 7, and 8.

  • Accessing between components

    The authentication architecture includes step 9.

Table 1 Key modules

  Connection Name   Description
  ---------------   ----------------------------------------------------------------------------------
  Manager           Cluster Manager
  Manager WS        WebBrowser
  Kerberos1         KrbServer (management plane) service deployed in MRS Manager, that is, OMS Kerberos
  Kerberos2         KrbServer (service plane) service deployed in the cluster
  LDAP1             LdapServer (management plane) service deployed in MRS Manager, that is, OMS LDAP
  LDAP2             LdapServer (service plane) service deployed in the cluster

How Kerberos1 operates on LDAP data: The active and standby instances of LDAP1 and the two standby instances of LDAP2 are accessed in load-balancing mode. Data writes can be performed only on the active LDAP1 instance. Data reads can be served by either LDAP1 or LDAP2.

How Kerberos2 operates on LDAP data: Data reads can be served by LDAP1 or LDAP2. Data writes can be performed only on the active LDAP1 instance.

Principle

Kerberos authentication

The Kerberos protocol, named after the three-headed guard dog of Greek mythology, uses a client-server model with encryption algorithms such as Data Encryption Standard (DES) and Advanced Encryption Standard (AES). The client and the server verify each other's identities through mutual authentication. Kerberos is used to prevent interception and replay attacks and to protect data integrity. Its key management is based on a symmetric key mechanism.

Kerberos authentication consists of the following roles:

  • Client
  • Server
  • Key Distribution Center (KDC): consists of the AS and TGS.
    • Authentication Server (AS): verifies the client account and password and generates a ticket granting ticket (TGT).
    • Ticket Granting Server (TGS): generates service tickets (STs) for accessing services based on TGTs.

Figure 2 Authentication process
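The roles above (AS issuing a TGT, TGS issuing an ST, the service checking the ticket and the timestamped authenticator against replay, and the mutual-authentication reply) worked through as an added simulation; this is not KrbServer or MRS code. It assumes constructed principals alice, krbtgt and hdfs, and substitutes a labelled toy keystream-plus-HMAC wrapper for the DES/AES encryption the page names.

```python
import hashlib, hmac, json, os, time
def _xor(key, nonce, data):  # toy keystream: SHA-256(key || nonce || counter) blocks
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc(key, obj):  # encrypt-then-MAC wrapper standing in for Kerberos AES tickets
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))

# Constructed principal keys; a client's long-term key is derived from its password.
KEYS = {"alice": hashlib.sha256(b"alice-pw").digest(), "krbtgt": os.urandom(32), "hdfs": os.urandom(32)}
SEEN, SKEW = set(), 300  # service-side replay cache; allowed clock skew in seconds

def as_exchange(client):  # AS: session key sealed under the client key, TGT under the TGS key
    sk = os.urandom(32).hex()
    return enc(KEYS[client], {"sk": sk}), enc(KEYS["krbtgt"], {"client": client, "sk": sk})
def tgs_exchange(tgt, authenticator, service):  # TGS: validates the TGT, issues an ST
    t = dec(KEYS["krbtgt"], tgt)
    a = dec(bytes.fromhex(t["sk"]), authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > SKEW:
        raise PermissionError("bad TGS authenticator")
    ssk = os.urandom(32).hex()
    return enc(bytes.fromhex(t["sk"]), {"sk": ssk}), enc(KEYS[service], {"client": t["client"], "sk": ssk})

def service_accept(service, st, authenticator):  # service: verifies the ST and the authenticator
    t = dec(KEYS[service], st)
    ssk = bytes.fromhex(t["sk"])
    a = dec(ssk, authenticator)
    stale = abs(time.time() - a["ts"]) > SKEW or (a["client"], a["ts"]) in SEEN
    if a["client"] != t["client"] or stale:
        raise PermissionError("authenticator invalid or replayed")
    SEEN.add((a["client"], a["ts"]))
    return enc(ssk, {"ts": a["ts"]})  # mutual authentication: only a holder of ssk can build this

def login(client, password, service):  # client side of the AS -> TGS -> service steps
    ck, ts = hashlib.sha256(password.encode()).digest(), time.time()
    rep, tgt = as_exchange(client)
    sk = bytes.fromhex(dec(ck, rep)["sk"])  # wrong password: dec() raises here
    rep2, st = tgs_exchange(tgt, enc(sk, {"client": client, "ts": ts}), service)
    ssk = bytes.fromhex(dec(sk, rep2)["sk"])
    auth = enc(ssk, {"client": client, "ts": ts})
    return dec(ssk, service_accept(service, st, auth))["ts"] == ts, st, auth
```

Calling login("alice", "alice-pw", "hdfs") returns True once; presenting the same ST and authenticator to service_accept again is rejected by the replay cache, and a wrong password fails at the AS reply because the client cannot unseal the session key.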

LDAP data read and write

LDAP serves as a user data storage center and stores user information in the cluster, including passwords and additional information. Users need to access LDAP to operate user data or perform Kerberos authentication.

Figure 3 Data modification process

LDAP data synchronization

  • OMS LDAP data synchronization before cluster installation
    Figure 4 OMS LDAP data synchronization

    Data synchronization direction before cluster installation: Data is synchronized from the active OMS LDAP to the standby OMS LDAP.

  • LDAP data synchronization after cluster installation
    Figure 5 LDAP data synchronization

    Data synchronization direction after cluster installation: Data is synchronized from the active OMS LDAP to the standby OMS LDAP and to the two standby component LDAP instances.
