From conflue...@apache.org
Subject [CONF] Apache Directory Server v1.5 > 5.4.3 Kerberos in ApacheDS 1.5.5
Date Tue, 02 Feb 2010 20:32:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=DIRxSRVx11&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/DIRxSRVx11/5.4.3+Kerberos+in+ApacheDS+1.5.5">5.4.3
Kerberos in ApacheDS 1.5.5</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~seelmann">Stefan
Seelmann</a>
    </h4>
     
          <br/>
     <div class="notificationGreySide">
         <div class='panelMacro'><table class='warningMacro'><colgroup><col
width='24'><col></colgroup><tr><td valign='top'><img src="/confluence/images/icons/emoticons/forbidden.gif"
width="16" height="16" align="absmiddle" alt="" border="0"></td><td><b>Warning</b><br
/><p>WARNING: Don't use this in a production environment!</p></td></tr></table></div>


<h3><a name="5.4.3KerberosinApacheDS1.5.5-Overview"></a>Overview</h3>

<p>This page shows how to activate and set up the KDC server of ApacheDS 1.5.5 (build
from trunk 2009-08-04). This is a very simple setup (host: localhost, realm: EXAMPLE.COM).
The setup for other hosts and realms still needs to be checked.</p>


<h3><a name="5.4.3KerberosinApacheDS1.5.5-ActivateKerberos"></a>Activate
Kerberos</h3>

<p>Activate the keyDerivationInterceptor and the kdcServer. Also set the ldapServer's saslHost
to localhost and its saslPrincipal to ldap/localhost@EXAMPLE.COM. Do <b>not</b> add user entries
before you have activated those elements, otherwise the krb5Key attributes won't be created:
the interceptor derives them from userPassword when an entry is added, so entries that already
exist at that point have no Kerberos keys.</p>

<p>server.xml</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">&lt;spring:beans ...&gt;
  &lt;defaultDirectoryService ...&gt;
    ...
    &lt;interceptors&gt;
      ...
      &lt;keyDerivationInterceptor/&gt;
      ...
    &lt;/interceptors&gt;
  &lt;/defaultDirectoryService&gt;
   ...

  &lt;!-- 
  +============================================================+
  | Kerberos server configuration                              |
  +============================================================+
  --&gt;
  &lt;kdcServer id=<span class="code-quote">"kdcServer"</span> searchBaseDn=<span
class="code-quote">"ou=Users,dc=example,dc=com"</span>&gt;
    &lt;transports&gt;
      &lt;tcpTransport port=<span class="code-quote">"60088"</span> nbThreads=<span
class="code-quote">"4"</span> backLog=<span class="code-quote">"50"</span>/&gt;
      &lt;udpTransport port=<span class="code-quote">"60088"</span> nbThreads=<span
class="code-quote">"4"</span> backLog=<span class="code-quote">"50"</span>/&gt;
    &lt;/transports&gt;
    &lt;directoryService&gt;#directoryService&lt;/directoryService&gt;
  &lt;/kdcServer&gt;

  ...

  &lt;ldapServer ...
            saslHost=<span class="code-quote">"localhost"</span>
            saslPrincipal=<span class="code-quote">"ldap/localhost@EXAMPLE.COM"</span>
            searchBaseDn=<span class="code-quote">"ou=users,dc=example,dc=com"</span>
            ...&gt;
  ...

&lt;/spring:beans&gt;
</pre>
</div></div>

<p>Here is a complete server.xml: <a href="/confluence/download/attachments/114824/server.xml?version=1">server.xml</a></p>

<h3><a name="5.4.3KerberosinApacheDS1.5.5-Optional%3ALogging"></a>Optional:
Logging</h3>

<p>Configure debug level logging in log4j.properties:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">log4j.logger.org.apache.directory.server.kerberos=DEBUG
</pre>
</div></div>

<h3><a name="5.4.3KerberosinApacheDS1.5.5-RestarttheServer"></a>Restart
the Server</h3>

<p>Restart the server; you should see the following output:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">Starting the Kerberos server
           _                     _          _  __ ____   ___    
          / \   _ __    ___  ___| |__   ___| |/ /|  _ \ / __|   
         / _ \ | '_ \ / _` |/ __| '_ \ / _ \ ' / | | | / /      
        / ___ \| |_) | (_| | (__| | | |  __/ . \ | |_| \ \__    
       /_/   \_\ .__/ \__,_|\___|_| |_|\___|_|\_\|____/ \___|   
               |_|                                              

[19:28:03] INFO [org.apache.directory.server.kerberos.kdc.KdcServer] - Kerberos service started.
Kerberos service started.
Kerberos server started
</pre>
</div></div>

<h3><a name="5.4.3KerberosinApacheDS1.5.5-LoadUserData"></a>Load User Data</h3>

<p>Load the following data into the server, e.g. using Apache Directory Studio: <a
href="/confluence/download/attachments/114824/kdc-data.ldif?version=1">kdc-data.ldif</a></p>


<p>Note: The activated keyDerivationInterceptor automatically creates the krb5Key attributes:</p>

<p><img src="/confluence/download/attachments/114824/kdc1.png" align="absmiddle"
border="0" /></p>
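<p>The following script generates the principal entries this setup relies on (the krbtgt service principal for the realm, the ldap/localhost service principal named in saslPrincipal, and the hnelson test user) as LDIF. It is an added example, not the page's kdc-data.ldif: it assumes the ApacheDS Kerberos schema (objectClasses krb5principal and krb5kdcentry, attributes krb5PrincipalName and krb5KeyVersionNumber) and the base DN used in server.xml above. Only the userPassword is stored; the krb5Key values are produced by the keyDerivationInterceptor when the entry is added, which is why the interceptor must be active first.</p>

```python
"""Generate the principal entries an ApacheDS 1.5.5 KDC needs, in LDIF.

Added example; this is not the page's kdc-data.ldif. It assumes the ApacheDS
Kerberos schema (objectClasses krb5principal and krb5kdcentry, attributes
krb5PrincipalName and krb5KeyVersionNumber) and the base DN used on the page.
"""
import base64
import re
import secrets

REALM = "EXAMPLE.COM"
BASE_DN = "ou=users,dc=example,dc=com"      # must equal the kdcServer searchBaseDn

# name[/instance]@REALM; the realm is upper-case as Kerberos expects
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@/\s]+)?@[A-Z0-9.\-]+$")


def is_valid_principal(name):
    return PRINCIPAL_RE.match(name) is not None


def _is_safe_string(value):
    """RFC 2849 SAFE-STRING: printable ASCII, no leading space, ':' or '<'."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(0x20 <= ord(c) < 0x7F for c in value)


def ldif_attr(name, value):
    """One LDIF attribute line, base64-encoded (double colon) when required."""
    if _is_safe_string(value):
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def principal_entry(uid, cn, sn, password, principal, base_dn=BASE_DN, kvno=0):
    """LDIF entry for one Kerberos principal stored as an inetOrgPerson."""
    if not is_valid_principal(principal):
        raise ValueError(f"malformed principal name: {principal!r}")
    if not principal.endswith("@" + REALM):
        raise ValueError(f"{principal!r} is not in realm {REALM}")
    lines = [ldif_attr("dn", f"uid={uid},{base_dn}")]
    for oc in ("top", "person", "inetOrgPerson", "krb5principal", "krb5kdcentry"):
        lines.append(ldif_attr("objectClass", oc))
    lines += [
        ldif_attr("cn", cn),
        ldif_attr("sn", sn),
        ldif_attr("uid", uid),
        # the keyDerivationInterceptor turns this into krb5Key values on add
        ldif_attr("userPassword", password),
        ldif_attr("krb5PrincipalName", principal),
        ldif_attr("krb5KeyVersionNumber", str(kvno)),
    ]
    return "\n".join(lines) + "\n"


def kdc_ldif(user_password="secret", tgt_password=None, ldap_password=None):
    """The three principals the page's configuration relies on.

    Service principals get long random passwords unless given: nobody types
    them, and the krbtgt key in particular must not be guessable.
    """
    tgt_password = tgt_password or secrets.token_urlsafe(32)
    ldap_password = ldap_password or secrets.token_urlsafe(32)
    entries = [
        principal_entry("krbtgt", "KDC Service", "Service", tgt_password,
                        f"krbtgt/{REALM}@{REALM}"),
        principal_entry("ldap", "LDAP Service", "Service", ldap_password,
                        f"ldap/localhost@{REALM}"),       # matches saslPrincipal
        principal_entry("hnelson", "Horatio Nelson", "Nelson", user_password,
                        f"hnelson@{REALM}"),               # the kinit test user
    ]
    return "\n".join(entries)


if __name__ == "__main__":
    print(kdc_ldif(), end="")
```

<p>Pipe the output into Apache Directory Studio's LDIF import or ldapmodify -a; the base64 branch of ldif_attr matters once cn or sn values contain non-ASCII characters, which would otherwise produce an invalid LDIF file.</p>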

<h3><a name="5.4.3KerberosinApacheDS1.5.5-Authenticateusingkinit%28Unix%2FLinux%29"></a>Authenticate
using kinit (Unix/Linux)</h3>

<p>Make sure kinit is installed.</p>

<p>A minimal /etc/krb5.conf file looks as follows (make sure the port matches!):</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        # Kerberos 4 compatibility settings; obsolete and can be omitted
        krb4_convert = <span class="code-keyword">true</span>
        krb4_get_tickets = <span class="code-keyword">false</span>
</pre>
</div></div>



<p>Then try to authenticate; the password is 'secret':</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">stefan@r61:~$ kinit hnelson@EXAMPLE.COM
Password <span class="code-keyword">for</span> hnelson@EXAMPLE.COM:

stefan@r61:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

</pre>
</div></div>
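<p>To repeat the check above without typing at a prompt, the following script runs kinit non-interactively against the test krb5.conf and then inspects klist output for an unexpired TGT of the realm. It is an added example, not part of the original page. It assumes MIT Kerberos client tools (kinit reading the password from stdin, klist printing dates as MM/DD/YY HH:MM:SS as in the output above); the config path /tmp/apacheds-krb5.conf and the sample klist text are constructed for the example.</p>

```python
"""Non-interactive kinit against the ApacheDS test KDC plus a TGT check.

Added example, not from the original page. Assumes MIT Kerberos kinit/klist on
PATH and the klist date format shown on the page; KRB5_CONF and SAMPLE_KLIST
below are constructed for the example.
"""
import os
import re
import subprocess
from datetime import datetime

KRB5_CONF = "/tmp/apacheds-krb5.conf"   # assumed location of the minimal krb5.conf

# "08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)

# Constructed from the klist output shown on the page.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
"""


def parse_klist(text):
    """Return [(valid_from, expires, service_principal), ...] from klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            end = datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
            tickets.append((start, end, m.group(3)))
    return tickets


def has_valid_tgt(tickets, realm, now):
    """True if a krbtgt ticket for 'realm' is valid at time 'now'."""
    want = f"krbtgt/{realm}@{realm}"
    return any(svc == want and start <= now < end for start, end, svc in tickets)


def kinit(principal, password, krb5_conf=KRB5_CONF):
    """Obtain a TGT with the password on stdin and return the parsed klist output.

    KRB5_CONFIG points kinit at the test file so the non-standard KDC port is
    used without touching /etc/krb5.conf. Raises CalledProcessError on failure.
    """
    env = dict(os.environ, KRB5_CONFIG=krb5_conf)
    subprocess.run(["kinit", principal], input=password + "\n", text=True,
                   env=env, check=True)
    out = subprocess.run(["klist"], capture_output=True, text=True,
                         env=env, check=True).stdout
    return parse_klist(out)


if __name__ == "__main__":
    tickets = kinit("hnelson@EXAMPLE.COM", "secret")
    ok = has_valid_tgt(tickets, "EXAMPLE.COM", datetime.now())
    print("TGT obtained" if ok else "no valid TGT for EXAMPLE.COM")
```

<p>Passing the password on stdin keeps it out of the process list (as a kinit argument would not); for anything beyond a throwaway test user, prefer a keytab with kinit -k -t instead of a password in a script.</p>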

     </div>
</div>
</div>
</div>
</div>
</body>
</html>
