This file describes configuring Java for Kerberos for use by all 
applications systemwide. By default, most JDKs are NOT configured for 
use with Kerberos on a systemwide basis.

IF YOU ARE ONLY USING KERBEROS FOR SAKAI, YOU ARE ENCOURAGED TO FOLLOW
THE INSTRUCTIONS IN INSTALL.txt. IT DESCRIBES AN EASIER (AND
PREFERRED) METHOD FOR CONFIGURING JAVA FOR USE WITH SAKAI AND THIS
PROVIDER.

Before following these instructions, contact your local administrator 
to see if there is an existing systemwide configuration. If there is, 
your administrator can show you how to select the appropriate 
LoginContext for use with Sakai.

By default, the provider provides authentication ONLY for existing 
accounts in the local Sakai user database (where Sakai user ids and 
Kerberos principals are the same). If you wish to allow anyone with a 
valid Kerberos principal to use Sakai, follow the instructions below 
under ADVANCED OPTIONS in the accompanying INSTALL.txt.

This provider implements a configurable, in-memory caching mechanism. 
By default, a user's successful authentication is valid for 5 minutes. 
This mechanism prevents WebDAV, which sends authenticates on every 
connection, from overloading local KDCs.

In addition, to protect the integrity of your Kerberos password, the 
use of a secure Web front-end is HIGHLY recommended.

**CONFIGURING A SYSTEMWIDE CONFIGURATION**

1) Configure Java for Kerberos using JAAS:

- Find the file java.security in the your Java installation, usually 
in $JAVA_HOME/lib/security or $JAVA_HOME/jre/lib/security.

- Add this block (or edit an existing block):

# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:${java.home}/lib/security/jaas.conf

The name of the login configuration file can be anything.

- In the same directory as java.security, create a file called 
jaas.conf with the following content:

/*
 * Login Configuration for the JAAS Applications 
 */

KerberosAuthentication {
   com.sun.security.auth.module.Krb5LoginModule required;
};

The UserDirectoryProvider uses the KerberosAuthentication context by 
default; it can be configured by changing the loginContext parameter 
in the components.xml file described in Step 3. Each context name is 
unique and may not be duplicated.

2) Test your JAAS installation. A test program (JaasTest.java) is 
available to confirm Kerberos authentication. To run it:

$ javac JaasTest.java
$ java JaasTest KerberosAuthentication

LoginContext for testing: KerberosAuthentication
Enter a username and password to test this LoginContext.

Kerberos username [user1]: user1
Kerberos password for user1: foo
Authentication succeeded.

If authentication fails, contact your local administrator for help.

3) Uncommment the configuration information in

    ../../component/project.xml

Then, change the domain parameter from "mydomain.edu" to your domain 
and, if necessary, the value of the cachettl parameter in

    ../../component/src/webapp/WEB-INF/components.xml

After deployment, you can also edit this file:

$TOMCAT_HOME/components/sakai-legacy-providers/WEB-INF/components.xml 

4) After deployment and startup, create a new Sakai account with your 
Kerberos principal as the user id. You should then be able to login 
using your Kerberos password.

