directory-users mailing list archives

From carlopmart <>
Subject Re: Using local kerberos server with ApacheDS 1.5.1
Date Wed, 24 Oct 2007 21:38:47 GMT
Enrique Rodriguez wrote:
> On 10/20/07, carlopmart <> wrote:
>> ...
>> Hi Enrique,
>>   I will try to explain my architecture. I have a RHEL5 Server with MIT kerberos
>> shipped with redhat and ApacheDS 1.5.1 on the same server.
>> ...
> This is not option #2.  We do not have doco for setting this up,
> though it is certainly possible.
>>   I have exported the Kerberos key using the ktadd command on the server to
>> /etc/krb5.keytab. Following the howto, I have configured everything except from point
>> 12 to the end.
>>   When I try to do an ldapsearch, ApacheDS returns an error that I am not
>> authenticated and that the GSSAPI protocol isn't allowed. This is my real problem: I
>> can't combine user information from ApacheDS with Kerberos to authenticate
>> users, as I can do under OpenLDAP+Kerberos....
>>   Is it possible to do this with ApacheDS?
> This is possible, but not easy to do with ApacheDS.  With OpenLDAP you
> export the LDAP server's service key to a keytab that the OpenLDAP
> server can read.  With ApacheDS, you would need to export the key from
> the KDC and then read it into a principal entry in ApacheDS.  There is
> code in kerberos-shared for reading from an MIT-formatted keytab file
> but then you would need to write a custom JNDI client routine to write
> the key material to the ApacheDS DIT.  I've done this before so I know
> it works, but I don't believe we have any such example code checked
> in.  If I get some time this coming weekend I can quickly write
> something up.
> Looking forward, I'd like to address this issue by upgrading the
> Change Password protocol to use the Change Password version 2 draft
> that is currently working its way through the IETF.  Then you could
> use our Change Password client component to write keys to the DIT.
>> ...
>>   And a last question: the IpAddr param doesn't work, correct? I have tried to
>> assign the localhost interface to port 10389 without luck.
> You should be able to change the port.  IIRC, the server.xml attribute
> is ipPort.
> Enrique

Many thanks Enrique.

CL Martinez
carlopmart {at} gmail {d0t} com
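The first step Enrique describes, reading the service key out of an MIT-formatted keytab, as an added example that is not ApacheDS's kerberos-shared code: a Python parser for keytab format version 0x0502 (size, name components, name type, timestamp, 8-bit kvno, keyblock, optional 32-bit kvno), plus a small encoder used only to construct the sample input. The principal name, timestamp and key bytes in the sample are constructed placeholders.

```python
import struct
from collections import namedtuple
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab, file format version 2
# principal is "service/host@REALM"; name_type 1 = KRB5_NT_PRINCIPAL; enctype 18 = aes256-cts-hmac-sha1-96
KeytabEntry = namedtuple("KeytabEntry", "principal name_type timestamp kvno enctype key")
def _counted(buf, off):  # uint16 length-prefixed octet string -> (octets, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
_counted_out = lambda b: struct.pack(">H", len(b)) + b
def build_keytab(entries):
    """Encoder for the same v2 layout; used here only to construct sample input."""
    out = KEYTAB_MAGIC
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted_out(realm.encode())
        body += b"".join(_counted_out(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted_out(e.key)
        body += struct.pack(">I", e.kvno)   # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:             # negative size marks a deleted slot of -size bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, pos = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        # optional 32-bit kvno trailer overrides the 8-bit field when present and non-zero
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, timestamp, kvno, enctype, key))
        off = end
    return entries

# Constructed sample: one ldap/ service principal with a dummy (non-secret) 32-byte key.
SAMPLE = build_keytab([KeytabEntry("ldap/ds.example.com@EXAMPLE.COM", 1, 1193261927, 3, 18, bytes(range(32)))])
```

Entries come back in the same principal@REALM form that klist -k prints, so the parsed kvno and principal can be checked against klist -k /etc/krb5.keytab on the KDC host before the key material is written anywhere else.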
