From carlopmart <carlopm...@gmail.com>
Subject Re: Using local kerberos server with ApacheDS 1.5.1
Date Sun, 21 Oct 2007 06:55:22 GMT
Enrique Rodriguez wrote:
> On 10/19/07, carlopmart <carlopmart@gmail.com> wrote:
>> Enrique Rodriguez wrote:
>>> On 10/17/07, carlopmart <carlopmart@gmail.com> wrote:
>>>> ...
>>>>   Is it possible to use a local Kerberos server to authenticate users, using
>>>> ApacheDS as a repository for ID information, like OpenLDAP does using SASL?
>>> ...
>>> 2)  If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
>>> can combine the Kerberos provider and the LDAP SASL GSSAPI
>>> functionality using doco here:
>>>
>>> http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html
>> ...
>>   Thanks for your answers. I am referring to option 2: using ApacheDS as the LDAP
>> server on the same server where Kerberos runs. And ... it doesn't work. I
>> have done everything the howto explains but ... why does ApacheDS need to use port 88 as
>> point 12 explains? I don't understand it because I already have a Kerberos
>> server ...
> 
> With option #2, both the LDAP server and the Kerberos server are
> combined in ApacheDS.  Can you clarify that you are using Kerberos
> from ApacheDS and not MIT Kerberos nor Active Directory?
> 
> I ask because if you are using a Kerberos server external to ApacheDS
> then you need to export key material from that Kerberos server and
> import it into ApacheDS.  With just ApacheDS for both LDAP and
> Kerberos they can share the key material internal to the server, so
> nothing needs to be exported & imported.  Both MIT Kerberos and Active
> Directory have different procedures for exporting key material and I
> can point you to docs if this is what you are doing.
> 
> ApacheDS doesn't need to use port 88 for Kerberos, but if you change
> the port ApacheDS uses for Kerberos then you need to change the port
> your Kerberos client expects the Kerberos server to be running on.
> 
> With Kerberos and LDAP together in ApacheDS, the client-side still
> needs to use Kerberos to authenticate and to get a service ticket for
> the LDAP server.  Once the client has used Kerberos to get a service
> ticket, the client can then use SASL GSSAPI with LDAP to perform LDAP
> operations.
> 
> If you really are doing Option #2 with LDAP and Kerberos together in
> ApacheDS, then please double-check your hostname, name resolution, and
> reverse name resolution.  Probably the #1 issue I see in LDAP SASL
> GSSAPI setups is that the hostname of the machine, the hostname in the
> hosts file or DNS, and the hostname in the LDAP principal do not
> match.  You can see this on the wire using a sniffer.
> 
> What errors are you seeing?
> 
> Enrique
> 

Hi Enrique,

  I will try to explain my architecture. I have a RHEL5 server with the MIT Kerberos 
shipped by Red Hat and ApacheDS 1.5.1 on the same server.

  I have exported the Kerberos key using the ktadd command on the server to the 
/etc/krb5.keytab file. Following the howto, I have configured everything except from point 
12 to the end.

  When I try to do an ldapsearch, ApacheDS returns an error that I am not 
authenticated and the GSSAPI protocol isn't allowed. This is my real problem: I 
can't combine user information from ApacheDS with Kerberos to authenticate 
users, as I can do under OpenLDAP+Kerberos....

  Is it possible to do this with ApacheDS?

  And a last question: the IpAddr parameter doesn't work, correct? I have tried to 
assign the localhost interface to port 10389 without luck.



-- 
CL Martinez
carlopmart {at} gmail {d0t} com
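Enrique's reply points at the most common cause of SASL GSSAPI failures against an LDAP server: the machine's hostname, its forward and reverse DNS (or hosts-file) entries, and the host in the LDAP service principal disagree. The following checker is an added example written for this archive page; it is not code from the thread, from ApacheDS or from MIT Kerberos. It assumes the usual principal form `ldap/<fqdn>@REALM`, and it takes the forward and reverse lookup functions as parameters so that the `__main__` block can run against a constructed lookup table (the names and the 192.0.2.x addresses are made up) while a real run uses the system resolver.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A resolver maps a name to an address (or an address to a name) and returns
# None when the lookup fails.  Injected so the check can be run offline.
Resolver = Callable[[str], Optional[str]]


def parse_service_principal(principal: str) -> Tuple[str, str, str]:
    """Split 'ldap/ldap.example.com@EXAMPLE.COM' into (service, host, realm).

    The host part is lower-cased because DNS names are case-insensitive,
    while the realm is left as written (realms are case-sensitive)."""
    if "@" not in principal or "/" not in principal.split("@", 1)[0]:
        raise ValueError(f"not a service principal: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    service, host = name.split("/", 1)
    return service, host.lower(), realm


def dns_forward(host: str) -> Optional[str]:
    """Forward lookup through the system resolver (hosts file, then DNS)."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def dns_reverse(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:
        return None


@dataclass
class PrincipalCheck:
    principal: str
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_ldap_principal(principal: str,
                         machine_fqdn: Optional[str] = None,
                         forward: Resolver = dns_forward,
                         reverse: Resolver = dns_reverse) -> PrincipalCheck:
    """Compare the host in the LDAP service principal with the machine's own
    FQDN, its forward resolution, and the reverse resolution of that address.
    Each disagreement is recorded; an empty problem list means the names agree."""
    result = PrincipalCheck(principal)
    service, host, _realm = parse_service_principal(principal)
    if service != "ldap":
        result.problems.append(f"service part is {service!r}, expected 'ldap'")
    if "." not in host:
        result.problems.append(f"host part {host!r} is not fully qualified")
    fqdn = (machine_fqdn or socket.getfqdn()).lower()
    if fqdn != host:
        result.problems.append(f"machine FQDN {fqdn!r} != principal host {host!r}")
    ip = forward(host)
    if ip is None:
        result.problems.append(f"{host!r} does not resolve")
        return result  # nothing to reverse-resolve
    rname = reverse(ip)
    if rname is None:
        result.problems.append(f"{ip} has no reverse record")
    elif rname != host:
        result.problems.append(f"reverse of {ip} is {rname!r}, not {host!r}")
    return result


if __name__ == "__main__":
    # Constructed lookup table standing in for /etc/hosts or DNS (assumption).
    forward_table = {"ldap.example.com": "192.0.2.10"}.get
    reverse_table = {"192.0.2.10": "rhel5.example.com"}.get
    # The keytab principal names ldap.example.com, but the box calls itself
    # rhel5.example.com and the PTR record agrees with the box, not the keytab.
    report = check_ldap_principal("ldap/ldap.example.com@EXAMPLE.COM",
                                  machine_fqdn="rhel5.example.com",
                                  forward=forward_table, reverse=reverse_table)
    for problem in report.problems:
        print("MISMATCH:", problem)
```

On a real host, leave the resolver arguments at their defaults and pass the principal exactly as `klist -kt /etc/krb5.keytab` lists it; every line the script prints is one of the disagreements Enrique describes, and it is the same set of names a sniffer would show being sent in the AP-REQ.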
