README - Kerberos V4 support for quipu in isode-8.0 - 7/21/93

HOW IT WORKS

Kerberos V4 credentials are passed to the DSA as EXTERNAL credentials
in the bind argument. The total credentials include the DN to bind as,
the Kerberos principal name corresponding to the entry named by the DN,
and the Kerberos credentials for the DSA as returned by krb_mk_req().
The DSA decodes these parameters and performs these steps, returning
an error if any step fails:

1) Call krb_rd_req() with the supplied ticket, extracting the
   Kerberos principal name (e.g. tim@umich.edu).

2) Locate the entry named by the DN.

3) Make sure the entry has a krbName attribute that matches that
   supplied in the bind credentials.

4) Add one to a checksum and send it back in the bind response
   for mutual authentication.

From the user's (or sys admin's) perspective, there needs to be a
correspondence made between an entry and a Kerberos principal. This
is accomplished by adding a krbName attribute to the entry. An entry
can have multiple krbNames and vice versa.

WHAT YOU NEED TO RUN IT

You need isode-8.0 and Kerberos version 4. In theory, it will work
with either straight MIT Kerberos or AFS Kerberos from Transarc.

HOW TO BRING IT UP

1) Apply the patch in kerberos.patch to the isode-8.0 source tree:

       patch -p < kerberos.patch

2) Copy the kerberos.c file to the dsap/common/ directory:

       cp kerberos.c dsap/common/

3) Make the software:

       ./make all-quipu

4) Install the software:

       ./make inst-all

5) Create a Kerberos principal identity for your DSA in your local
   Kerberos realm (actually, in any realm in which you want to
   authenticate other Kerberos principals in the same realm).

6) Put the corresponding super secret Kerberos ticket in a file
   (name of your choice) readable only by the DSA.

7) Add a line like this to the quiputailor file:

       kerberos_key

8) Restart your DSA.

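The DSA-side checks in steps 2-4 under HOW IT WORKS, as an added example that is not code from kerberos.c or the isode distribution: it shows why a valid ticket alone is not enough to bind as an arbitrary DN. Assumptions: struct entry, check_bind(), the sample DNs and principals are constructed; krb_rd_req() is not called, its result is passed in as ticket_principal; requiring the claimed name to equal the ticket principal and using a 32-bit unsigned checksum are this example's choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KRBNAMES 4

/* Constructed stand-in for a directory entry; krbName is multi-valued. */
struct entry {
    const char *dn;
    const char *krbnames[MAX_KRBNAMES];   /* NULL-terminated unless full */
};

/* Constructed sample directory (not real data). */
static const struct entry directory[] = {
    { "c=US@o=Example@cn=Alice", { "alice@EXAMPLE.ORG", "alice.admin@EXAMPLE.ORG", NULL } },
    { "c=US@o=Example@cn=Bob",   { "bob@EXAMPLE.ORG", NULL } },
};

enum bind_result { BIND_OK = 0, BIND_NO_ENTRY, BIND_NAME_MISMATCH, BIND_NO_KRBNAME };

/* Step 2: locate the entry named by the DN. */
static const struct entry *find_entry(const char *dn) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].dn, dn) == 0)
            return &directory[i];
    return NULL;
}

/* Steps 2-4. ticket_principal is what step 1 (krb_rd_req) yielded. */
enum bind_result check_bind(const char *dn, const char *claimed,
                            const char *ticket_principal,
                            uint32_t cksum, uint32_t *reply) {
    const struct entry *e = find_entry(dn);
    if (e == NULL) return BIND_NO_ENTRY;
    /* Assumption: the claimed name must equal the authenticated one. */
    if (strcmp(claimed, ticket_principal) != 0) return BIND_NAME_MISMATCH;
    /* Step 3: some krbName value must match exactly (case-sensitive). */
    for (int i = 0; i < MAX_KRBNAMES && e->krbnames[i] != NULL; i++) {
        if (strcmp(e->krbnames[i], ticket_principal) == 0) {
            *reply = cksum + 1u;   /* step 4; unsigned wrap is well defined */
            return BIND_OK;
        }
    }
    return BIND_NO_KRBNAME;        /* valid ticket, but not for this entry */
}

int main(void) {
    uint32_t r = 0;
    int rc = check_bind("c=US@o=Example@cn=Bob", "alice@EXAMPLE.ORG",
                        "alice@EXAMPLE.ORG", 41u, &r);
    printf("alice binding as Bob: rc=%d\n", rc);
    return 0;
}
```
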
GETTING HELP

This software is supplied without express or implied warranty or
support, but if you have trouble you can send mail to x500@umich.edu
and we will help you on a best-effort, time-allowed basis.

-- Tim Howes 7/21/93