directory-users mailing list archives

From "Enrique Rodriguez" <>
Subject Re: ApacheDS + Kerberos
Date Mon, 21 May 2007 20:52:41 GMT

On 5/20/07, Keith Shu <> wrote:
> I've been tinkering with ApacheDS 1.5.1 for the past couple of weeks.
> I've had some success with the LDAP directory but I'm having problems
> configuring ApacheDS to perform Kerberos authentication.

Hi, Keith,

Thanks for being an early adopter of ApacheDS Kerberos.  I take it
that since you are running 1.5.1 you are building from trunk?

> I've not found any guides or tutorials available for Kerberos configuration
> on ApacheDS. I might write one if I get it to work but I'm stuck. So far
> I've enabled Kerberos and inserted some principals in the LDAP directory.
> I've tried testing using kinit and krb5LoginModule and I got as far as
> issuing the ticket but I got an exception encoding the ticket on the server
> side. (See below)

We are merging, this week, 2 branches which will address a number of
issues with Kerberos.  It would be great if you're building from trunk
and could test again in a few days.  I'll let you know when we've done
the merges.

Per your error, I suspect you may not have any keys for your user
principals, which can currently only be added using the LDIF loader at
startup or by LDAP if you really know what you're doing.  One of the
branches makes principal key generation a lot easier.  A
NullPointerException is bad in any case, so any details you can
provide about your setup would be appreciated.  In particular I'm
curious about platform, krb5.conf (if any), and whether you are using

> Is there a guide available for Kerberos on ApacheDS? Something step by step
> would be nice. Please help!

Between the 2 branches, configuration has changed and how you create
principal keys is totally new.  Sorry for the delay but we are in the
middle of addressing many issues.  Once the branches are in, we can
revisit doco.  For now, there is forward-looking documentation for the
Kerberos protocol at:

"Before" refers to pre-1.5.1 while "After" is beta doco for 1.5.1.

Also, there is a ton of uploaded notes in a raw form at:

The intent is once these branches are in and how you configure
ApacheDS Kerberos has stabilized, we can update the raw doco.


