directory-users mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: Kerberos-Authentication
Date Fri, 09 Feb 2007 14:34:54 GMT
wolfgang.schlosser@gi-de.com wrote:
> Hello,
> 
> I'm very new to ApacheDS and I'm trying to set up a demo environment for 
> evaluation.

Hi Wolfgang!

> First, the ApacheDS is running and the 'SevenSeas'-ldif example was 
> successfully inserted in the DS.
> Now we'd like to authenticate via JAAS 
> (com.sun.security.auth.module.Krb5LoginModule).

OK, you'll need to make sure that Kerberos is enabled in the server. 
This is accomplished by setting various XML elements in the server.xml 
file.  For example, if you're setting up the realm EXAMPLE.COM under 
dc=example,dc=com you'll want these additional properties in the 
properties configuration section of your server.xml:

NOTE: this also configures the changepw protocol.

         <prop key="java.naming.security.authentication">simple</prop>
         <prop key="java.naming.security.principal">uid=admin,ou=system</prop>
         <prop key="java.naming.security.credentials">secret</prop>
         <prop key="java.naming.provider.url">dc=example,dc=com</prop>
         <prop key="kdc.primary.realm">EXAMPLE.COM</prop>
         <prop key="kdc.principal">krbtgt/EXAMPLE.COM@EXAMPLE.COM</prop>
         <prop key="kdc.encryption.types">des-cbc-md5 des3-cbc-sha1 des3-cbc-md5 des-cbc-md4 des-cbc-crc</prop>
         <prop key="kdc.entryBaseDn">ou=users,dc=example,dc=com</prop>
         <prop key="kdc.java.naming.security.credentials">secret</prop>

         <prop key="changepw.entryBaseDn">ou=users,dc=example,dc=com</prop>
         <prop key="changepw.java.naming.security.credentials">secret</prop>
         <prop key="changepw.principal">kadmin/changepw@EXAMPLE.COM</prop>

         <!-- OPTIONAL: All times are in minutes -->
         <prop key="kdc.allowable.clockskew">5</prop>
         <prop key="kdc.tgs.maximum.ticket.lifetime">1440</prop>
         <prop key="kdc.tgs.maximum.renewable.lifetime">10080</prop>
         <prop key="kdc.pa.enc.timestamp.required">true</prop>
         <prop key="kdc.tgs.empty.addresses.allowed">true</prop>
         <prop key="kdc.tgs.forwardable.allowed">true</prop>
         <prop key="kdc.tgs.proxiable.allowed">true</prop>
         <prop key="kdc.tgs.postdate.allowed">true</prop>
         <prop key="kdc.tgs.renewable.allowed">true</prop>
       </props>
     </property>

> We get an exception of missing krb5.ini in the C:/WINNT directory.
> Does anyone know how the krb5.ini have to look like so that we can 
> authenticate with Krb5LoginModule?

The information you're looking for is available here under the section 
for windows:

   http://cwiki.apache.org/DIRxTRIPLESEC/os-kerberos-configuration.html

> Unfortunately on the ApacheDS-Homepage (directory.apache.org) the 
> Kerberos-Configuration is still empty.

Sorry for this inconvenience.  The site is under construction and we 
intend to get to that shortly.

> I feel happy about any help.

Hope this helps.  Please come back to us if you have any other needs.

Alex
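The client side of the setup discussed in this thread, as an added example that is not part of the original message or of the ApacheDS project: a krb5.ini for the EXAMPLE.COM realm, a JAAS login configuration entry, and a small program that authenticates a user through Krb5LoginModule against the KDC configured in the server.xml above. The KDC hostname kdc.example.com, the ports 88 and 464, the JAAS entry name "SevenSeas", and the default principal hnelson@EXAMPLE.COM (assumed to be one of the SevenSeas users) are all assumptions; the encryption types mirror the DES-only list in the server.xml fragment.

```java
import java.io.Console;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Authenticates a user against the EXAMPLE.COM realm from the server.xml
 * fragment above via JAAS + Krb5LoginModule. Added example, not code from
 * the original thread or from ApacheDS. Hostname, ports and the default
 * principal below are assumptions.
 *
 * Usage: java Krb5LoginDemo hnelson@EXAMPLE.COM   (password is prompted for)
 */
public class Krb5LoginDemo {

    // Contents of what would otherwise live in C:\WINNT\krb5.ini.
    // kdc.example.com is an assumed hostname; 88 (KDC) and 464 (changepw)
    // are the standard ports. The enctypes mirror the DES-only list in
    // server.xml; recent JDKs refuse DES unless allow_weak_crypto = true,
    // which is a weakness of this demo realm, not a setting to keep.
    static final String KRB5_CONF = String.join("\n",
        "[libdefaults]",
        "  default_realm = EXAMPLE.COM",
        "  clockskew = 300",
        "  default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5",
        "  default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5",
        "  permitted_enctypes = des3-cbc-sha1 des-cbc-md5",
        "  allow_weak_crypto = true",
        "",
        "[realms]",
        "  EXAMPLE.COM = {",
        "    kdc = kdc.example.com:88",
        "    kpasswd_server = kdc.example.com:464",
        "  }",
        "",
        "[domain_realm]",
        "  .example.com = EXAMPLE.COM",
        "  example.com = EXAMPLE.COM",
        "");

    // JAAS login configuration: one entry, "SevenSeas" (assumed name), bound
    // to Krb5LoginModule. No ticket cache, so every run does a fresh AS exchange.
    static final String JAAS_CONF = String.join("\n",
        "SevenSeas {",
        "  com.sun.security.auth.module.Krb5LoginModule required",
        "    useTicketCache=false",
        "    refreshKrb5Config=true",
        "    debug=true;",
        "};",
        "");

    /** Supplies principal name and password to the login module without prompting. */
    static CallbackHandler handler(String principal, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Runs the AS exchange (Krb5LoginModule answers the KDC's preauth demand with
     *  PA-ENC-TIMESTAMP itself) and returns the authenticated Subject. */
    static Subject login(String principal, char[] password) throws IOException, LoginException {
        Path krb5 = Files.createTempFile("krb5", ".ini");
        Path jaas = Files.createTempFile("jaas", ".conf");
        Files.write(krb5, KRB5_CONF.getBytes(StandardCharsets.UTF_8));
        Files.write(jaas, JAAS_CONF.getBytes(StandardCharsets.UTF_8));
        // Point the JDK at the files explicitly instead of relying on C:\WINNT\krb5.ini.
        System.setProperty("java.security.krb5.conf", krb5.toString());
        System.setProperty("java.security.auth.login.config", jaas.toString());

        LoginContext lc = new LoginContext("SevenSeas", handler(principal, password));
        lc.login();   // LoginException on bad password, unknown principal, clock skew > 5 min
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        String principal = args.length > 0 ? args[0] : "hnelson@EXAMPLE.COM";
        Console console = System.console();
        if (console == null) {
            System.err.println("Run from an interactive terminal so the password can be prompted.");
            System.exit(2);
        }
        char[] password = console.readPassword("Password for %s: ", principal);
        try {
            Subject subject = login(principal, password);
            System.out.println("Authenticated principals: " + subject.getPrincipals());
            System.out.println("Credentials held (TGT etc.): " + subject.getPrivateCredentials().size());
        } finally {
            Arrays.fill(password, '\0');   // don't leave the cleartext password in the heap
        }
    }
}
```

Two things to check if the login fails against a server configured as above. First, kdc.pa.enc.timestamp.required is true, so the KDC rejects any AS-REQ without a timestamp encrypted under the user's key; the client's clock therefore has to be within the 5-minute kdc.allowable.clockskew of the server's, and a KRB_AP_ERR_SKEW from the KDC means time sync, not a password problem. Second, the admin and KDC credentials in that server.xml are the literal string "secret", and the only enctypes offered are single and triple DES, which is fine for an evaluation box but neither should survive into anything reachable from a real network.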
