Content deleted Content added
No edit summary |
No edit summary |
||
Line 3:
To understand why DCE is useful, one must look at its closest competitor - [[Kerberos (protocol)|Kerberos]]. Like DCE, Kerberos is a distributed computing application. It provides an authentication system for a network of machines - much like Sun's [[Network Information Service]] or [[LDAP]]. Kerberos is an authentication system only - it can identify the entity requesting resources to the server, but it cannot do authorization. That has to be implemented at each individual server. If for example, in a system that uses Kerberos authentication, a user A authenticates himself and requests resource R on machine M1, then M1 has to be set up to authorize A to access R on M1. If R is a shared resource thats available on machine M2 also, then M2 has to explicitly authorize A to access resource R. Kerberos does not provide a way to allow one to share authorization settings across its ___domain. DCE can. It does this by supporting [[Access Control List]]s (ACLs).
The largest unit of management in DCE is a cell. The highest priviledges within a cell are assigned to a role called cell administrator. Typically this priviledge is held by a DCE prinipal called cell_admin. Note that this need not be a real OS-level user. The cell_admin has all priviledges over all DCE resources within the cell
There are three major components of DCE within every cell: (1) the security server (which is responsible for authentication) (2) The Cell Directory Server (CDS) (which is the respository of resources and ACLs) and (3) The Distributed Time Server which provides an accurate clock for proper functioning of the entire cell. Modern DCE implementations such as IBM's are fully capable of interoperating with Kerberos as the security server, LDAP for the CDS and the [[Network Time Protocol]] implementations for the time server.
| |||