directory-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Directory Server v1.5 > 5.4.3 Kerberos in ApacheDS 1.5.5
Date Sun, 07 Mar 2010 10:22:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=DIRxSRVx11&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/DIRxSRVx11/5.4.3+Kerberos+in+ApacheDS+1.5.5">5.4.3
Kerberos in ApacheDS 1.5.5</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~seelmann">Stefan
Seelmann</a>
    </h4>
     
          <br/>
     <div class="notificationGreySide">
         <div class='panelMacro'><table class='tipMacro'><colgroup><col
width='24'><col></colgroup><tr><td valign='top'><img src="/confluence/images/icons/emoticons/check.gif"
width="16" height="16" align="absmiddle" alt="" border="0"></td><td><b>ApacheDS
1.5.5</b><br />This site was updated for ApacheDS 1.5.5.</td></tr></table></div>



<h3><a name="5.4.3KerberosinApacheDS1.5.5-Overview"></a>Overview</h3>

<p>This page shows how to activate and set up the KDC server of ApacheDS 1.5.5 (built
from trunk 2009-08-04). This is a very simple setup (host: localhost, realm: EXAMPLE.COM).
The setup for other hosts and realms still needs to be checked...</p>


<h3><a name="5.4.3KerberosinApacheDS1.5.5-ActivateKerberos"></a>Activate
Kerberos</h3>

<p>Activate the keyDerivationInterceptor and the kdcServer. Also set saslHost and saslPrincipal
to localhost. Do <b>not</b> add user entries before you have activated those
elements; otherwise the krb5Key attributes won't be created!</p>

<p>server.xml</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;spring:beans ...&gt;
  &lt;defaultDirectoryService ...&gt;
    ...
    &lt;interceptors&gt;
      ...
      &lt;keyDerivationInterceptor/&gt;
      ...
    &lt;/interceptors&gt;
  &lt;/defaultDirectoryService&gt;
   ...

  &lt;!-- 
  +============================================================+
  | Kerberos server configuration                              |
  +============================================================+
  --&gt;
  &lt;kdcServer id=<span class="code-quote">"kdcServer"</span> searchBaseDn=<span
class="code-quote">"ou=Users,dc=example,dc=com"</span>&gt;
    &lt;transports&gt;
      &lt;tcpTransport port=<span class="code-quote">"60088"</span> nbThreads=<span
class="code-quote">"4"</span> backLog=<span class="code-quote">"50"</span>/&gt;
      &lt;udpTransport port=<span class="code-quote">"60088"</span> nbThreads=<span
class="code-quote">"4"</span> backLog=<span class="code-quote">"50"</span>/&gt;
    &lt;/transports&gt;
    &lt;directoryService&gt;#directoryService&lt;/directoryService&gt;
  &lt;/kdcServer&gt;

  ...

  &lt;ldapServer ...
            saslHost=<span class="code-quote">"localhost"</span>
            saslPrincipal=<span class="code-quote">"ldap/localhost@EXAMPLE.COM"</span>
            searchBaseDn=<span class="code-quote">"ou=users,dc=example,dc=com"</span>
            ...&gt;
  ...

&lt;/spring:beans&gt;
</pre>
</div></div>

<p>Here is a complete server.xml: <a href="/confluence/download/attachments/114824/server.xml?version=1">server.xml</a></p>

<h3><a name="5.4.3KerberosinApacheDS1.5.5-Optional%3ALogging"></a>Optional:
Logging</h3>

<p>Configure debug level logging in log4j.properties:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
log4j.logger.org.apache.directory.server.kerberos=DEBUG
</pre>
</div></div>

<h3><a name="5.4.3KerberosinApacheDS1.5.5-RestarttheServer"></a>Restart
the Server</h3>

<p>Restart the server; you should see the following output:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
Starting the Kerberos server
           _                     _          _  __ ____   ___    
          / \   _ __    ___  ___| |__   ___| |/ /|  _ \ / __|   
         / _ \ | '_ \ / _` |/ __| '_ \ / _ \ ' / | | | / /      
        / ___ \| |_) | (_| | (__| | | |  __/ . \ | |_| \ \__    
       /_/   \_\ .__/ \__,_|\___|_| |_|\___|_|\_\|____/ \___|   
               |_|                                              

[19:28:03] INFO [org.apache.directory.server.kerberos.kdc.KdcServer] - Kerberos service started.
Kerberos service started.
Kerberos server started
</pre>
</div></div>

<h3><a name="5.4.3KerberosinApacheDS1.5.5-LoadUserData"></a>Load User Data</h3>

<p>Load the following data into the server, e.g. using Apache Directory Studio: <a
href="/confluence/download/attachments/114824/kdc-data.ldif?version=1">kdc-data.ldif</a></p>


<p>Note: The activated keyDerivationInterceptor automatically creates the krb5Key attributes:</p>

<p><img src="/confluence/download/attachments/114824/kdc1.png" align="absmiddle"
border="0" /></p>

<h3><a name="5.4.3KerberosinApacheDS1.5.5-Authenticateusingkinit%28Unix%2FLinux%29"></a>Authenticate
using kinit (Unix/Linux)</h3>

<p>Make sure kinit is installed.</p>

<p>A minimal /etc/krb5.conf file looks as follows (make sure the port matches!):</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = <span class="code-keyword">true</span>
        krb4_get_tickets = <span class="code-keyword">false</span>
</pre>
</div></div>
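<p>The two fragments above have to agree with each other: the port in the client's krb5.conf must be one of the kdcServer transport ports, the realm must match the realm in saslPrincipal, and the keyDerivationInterceptor must be present or no krb5Key will ever be derived. The following script is an added example (not part of the original page or of ApacheDS) that reads both files and reports every mismatch. The samples are constructed from the values on this page, the server.xml is the elided fragment as shown and so is scanned with regular expressions rather than parsed as XML, and <code>parse_krb5_conf</code> is a minimal hypothetical parser, not MIT's profile library.</p>

```python
import re

# Constructed samples built from the values shown on this page. The server.xml keeps
# the "..." elisions of the page, so it is matched with regular expressions below.
SERVER_XML = """
<spring:beans ...>
  <defaultDirectoryService ...>
    <interceptors>
      <keyDerivationInterceptor/>
    </interceptors>
  </defaultDirectoryService>
  <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
  </kdcServer>
  <ldapServer ...
            saslHost="localhost"
            saslPrincipal="ldap/localhost@EXAMPLE.COM"
            searchBaseDn="ou=users,dc=example,dc=com"
            ...>
</spring:beans>
"""

KRB5_CONF = """
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (hypothetical helper): [section] headers,
    'key = value' lines and the one level of { } nesting used by [realms]."""
    conf = {}
    stack = []                      # dicts opened by '[section]' and '{'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def parse_server_xml(text):
    """Extract only the attributes this check needs from the (elided) server.xml."""
    def attr(name):
        m = re.search(rf'\b{name}="([^"]*)"', text)
        return m.group(1) if m else None

    kdc_block = re.search(r"<kdcServer.*?</kdcServer>", text, re.S)
    ports = set()
    if kdc_block:
        ports = set(re.findall(r'<(?:tcp|udp)Transport[^>]*\bport="(\d+)"', kdc_block.group(0)))
    return {
        "kdc_enabled": kdc_block is not None,
        "key_derivation": "<keyDerivationInterceptor" in text,
        "kdc_ports": ports,
        "saslHost": attr("saslHost"),
        "saslPrincipal": attr("saslPrincipal"),
    }


def check_consistency(server_xml, krb5_conf):
    """Return a list of findings; an empty list means client and server agree."""
    srv = parse_server_xml(server_xml)
    cli = parse_krb5_conf(krb5_conf)
    findings = []
    if not srv["kdc_enabled"]:
        findings.append("kdcServer is not configured in server.xml")
    if not srv["key_derivation"]:
        findings.append("keyDerivationInterceptor missing: krb5Key attributes will not be derived")
    realm = cli.get("libdefaults", {}).get("default_realm")
    if realm is None:
        findings.append("krb5.conf has no default_realm")
        return findings
    # The page pairs saslHost=localhost with saslPrincipal=ldap/localhost@EXAMPLE.COM;
    # check that the principal follows that ldap/<saslHost>@<realm> convention.
    expected_principal = f"ldap/{srv['saslHost']}@{realm}"
    if srv["saslPrincipal"] != expected_principal:
        findings.append(f"saslPrincipal {srv['saslPrincipal']!r} != expected {expected_principal!r}")
    kdc = cli.get("realms", {}).get(realm, {}).get("kdc")
    if kdc is None:
        findings.append(f"krb5.conf has no kdc entry for realm {realm}")
        return findings
    _host, _, port = kdc.partition(":")
    port = port or "88"             # Kerberos default port when krb5.conf gives none
    if port not in srv["kdc_ports"]:
        findings.append(f"krb5.conf kdc port {port} is not one of the kdcServer ports {sorted(srv['kdc_ports'])}")
    return findings


if __name__ == "__main__":
    for f in check_consistency(SERVER_XML, KRB5_CONF) or ["configuration is consistent"]:
        print(f)
```

Run it against your own files by reading them into the two strings; the check deliberately returns the findings instead of printing them so it can be dropped into a deployment test.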



<p>Then try to authenticate; the password is 'secret':</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
stefan@r61:~$ kinit hnelson@EXAMPLE.COM
Password <span class="code-keyword">for</span> hnelson@EXAMPLE.COM:

stefan@r61:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

</pre>
</div></div>
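<p>To confirm that kinit actually obtained a TGT from the expected realm, and that the ticket lifetime the KDC granted (here just under 24 hours) stays within what you consider acceptable, the klist output above can be parsed rather than eyeballed. The script below is an added example (not part of the original page); the sample text is the klist output shown above, and the 24-hour maximum in <code>check_tgt</code> is an assumed policy value, not something the page prescribes.</p>

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist output shown on this page.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
"""

# One ticket line: start timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (default principal, list of tickets) from klist's table output."""
    principal = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
            })
    return principal, tickets


def check_tgt(text, expected_realm, max_lifetime=timedelta(hours=24)):
    """Findings about the cached TGT; empty list means it looks as expected.
    max_lifetime is an assumed policy ceiling, not a value from the page."""
    principal, tickets = parse_klist(text)
    findings = []
    if principal is None or not principal.endswith("@" + expected_realm):
        findings.append(f"default principal {principal!r} is not in realm {expected_realm}")
    tgt_name = f"krbtgt/{expected_realm}@{expected_realm}"
    tgts = [t for t in tickets if t["service"] == tgt_name]
    if not tgts:
        findings.append(f"no {tgt_name} ticket in the cache")
    for t in tgts:
        lifetime = t["expires"] - t["start"]
        if lifetime > max_lifetime:
            findings.append(f"TGT lifetime {lifetime} exceeds maximum {max_lifetime}")
    return findings


if __name__ == "__main__":
    for f in check_tgt(KLIST_OUTPUT, "EXAMPLE.COM") or ["TGT for EXAMPLE.COM looks fine"]:
        print(f)
```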



<h3><a name="5.4.3KerberosinApacheDS1.5.5-AuthenticateusingApacheDirectoryStudio"></a>Authenticate
using Apache Directory Studio</h3>

<p>You can also configure Apache Directory Studio to use Kerberos (GSSAPI) for authentication.
If you use the following authentication parameters you don't need to configure any Kerberos
settings in your native operating system. </p>

<p><img src="/confluence/download/attachments/114824/kdc2.png" align="absmiddle"
border="0" /></p>

     </div>
</div>
</div>
</div>
</div>
</body>
</html>
