directory-users mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: ApacheDS + Kerberos
Date Tue, 22 May 2007 00:53:06 GMT
On 5/21/07, Enrique Rodriguez <enriquer9@gmail.com> wrote:
> ...
> We are merging, this week, 2 branches which will address a number of
> issues with Kerberos.  It would be great if you're building from trunk
> and could test again in a few days.  I'll let you know when we've done
> the merges.

Hi, Keith,

We completed merging one of the 2 branches I mentioned.  This branch
doesn't change configuration but it does fix some Kerberos issues and
I recommend trying it out.  The main purpose of this branch was to add
aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, and des3-cbc-sha1-kd
encryption type support.

One or more encryption types can be listed in the encryption types
property, whitespace-delimited; the first type on the left is the most
preferred.  For example, using pre-1.5.1 configuration:

<prop key="kdc.encryption.types">aes256-cts-hmac-sha1-96</prop>
... or ...
<prop key="kdc.encryption.types">aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5</prop>

AES-256 requires the installation of the "unlimited strength" policy,
available from your VM vendor.  The policy is signed by the vendor, so
you can't use the same policy files on different vendors' VMs, i.e., for
Sun download the Sun policy, for IBM download the IBM policy.

Enrique
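
Added example, not part of the original message and not ApacheDS code: a stand-alone Java check that reads a kdc.encryption.types value in preference order and reports whether the running JVM's JCE policy permits the key size each listed type needs. The class name, the mapping table and the sample value are assumptions made for illustration; only the four type names come from the message.

```java
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;

public class EtypePolicyCheck {
    /** JCE algorithm name and key size (bits) needed by one encryption type. */
    private static final class Spec {
        final String jceAlgorithm;
        final int keyBits;
        Spec(String jceAlgorithm, int keyBits) {
            this.jceAlgorithm = jceAlgorithm;
            this.keyBits = keyBits;
        }
    }

    // Assumed mapping for the four types named in the message.
    private static final Map<String, Spec> ETYPES = new LinkedHashMap<>();
    static {
        ETYPES.put("aes256-cts-hmac-sha1-96", new Spec("AES", 256));
        ETYPES.put("aes128-cts-hmac-sha1-96", new Spec("AES", 128));
        ETYPES.put("des3-cbc-sha1-kd", new Spec("DESede", 168));
        ETYPES.put("des-cbc-md5", new Spec("DES", 56));
    }

    /** Maps each configured type, most preferred first, to whether the policy allows it. */
    static Map<String, Boolean> check(String property) throws NoSuchAlgorithmException {
        String value = property.trim();
        if (value.isEmpty()) {
            throw new IllegalArgumentException("no encryption types configured");
        }
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String name : value.split("\\s+")) {   // spaces, tabs and line breaks all delimit
            Spec spec = ETYPES.get(name);
            if (spec == null) {
                throw new IllegalArgumentException("unknown encryption type: " + name);
            }
            // Largest key size the installed jurisdiction policy permits for this algorithm.
            int allowed = Cipher.getMaxAllowedKeyLength(spec.jceAlgorithm);
            result.put(name, allowed >= spec.keyBits);
        }
        return result;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: the multi-type value, including a line break inside it.
        String property = "aes256-cts-hmac-sha1-96\naes128-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5";
        check(property).forEach((name, ok) ->
            System.out.println(name + (ok ? "  permitted" : "  BLOCKED by JCE policy")));
    }
}
```

If aes256-cts-hmac-sha1-96 is reported as blocked while the other types are permitted, the VM is running with the limited policy files.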
