From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: Using local kerberos server with ApacheDS 1.5.1
Date Sat, 20 Oct 2007 23:56:46 GMT
On 10/19/07, carlopmart <carlopmart@gmail.com> wrote:
> Enrique Rodriguez wrote:
> > On 10/17/07, carlopmart <carlopmart@gmail.com> wrote:
> >> ...
> >>   Is it possible to use a local kerberos server to authenticate users, using
> >> ApacheDS as a repository of id information like openldap does using sasl?
> > ...
> > 2)  If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
> > can combine the Kerberos provider and the LDAP SASL GSSAPI
> > functionality using doco here:
> >
> > http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html
> ...
>   Thanks for your answers. I am referring to option 2: using ApacheDS as LDAP
> server on the same server where kerberos stays. And ... it doesn't work. I
> have done all that the howto explains, but ... why does apacheds need to use port 88 like
> point 12 explains? I don't understand it because I already have a kerberos
> server ...

With option #2, both the LDAP server and the Kerberos server are
combined in ApacheDS.  Can you clarify that you are using Kerberos
from ApacheDS and not MIT Kerberos nor Active Directory?

I ask because if you are using a Kerberos server external to ApacheDS
then you need to export key material from that Kerberos server and
import it into ApacheDS.  With just ApacheDS for both LDAP and
Kerberos they can share the key material internal to the server, so
nothing needs to be exported & imported.  Both MIT Kerberos and Active
Directory have different procedures for exporting key material and I
can point you to docs if this is what you are doing.

ApacheDS doesn't need to use port 88 for Kerberos, but if you change
the port ApacheDS uses for Kerberos then you need to change the port
your Kerberos client expects the Kerberos server to be running on.

With Kerberos and LDAP together in ApacheDS, the client side still
needs to use Kerberos to authenticate and to get a service ticket for
the LDAP server.  Once the client has used Kerberos to get a service
ticket, the client can then use SASL GSSAPI with LDAP to perform LDAP
operations.

If you really are doing Option #2 with LDAP and Kerberos together in
ApacheDS, then please double-check your hostname, name resolution, and
reverse name resolution.  Probably the #1 issue I see in LDAP SASL
GSSAPI setups is that the hostname of the machine, the hostname in the
hosts file or DNS, and the hostname in the LDAP principal do not
match.  You can see this on the wire using a sniffer.

What errors are you seeing?

Enrique
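One way to script the hostname cross-check described in the reply above, as an added example that is not from this thread or from the ApacheDS project. All hostnames, the realm and the principal are constructed placeholders; `hostname -f` and `getent hosts` are assumed to be available on the LDAP host.

```shell
#!/bin/sh
# Added example: cross-check the names an LDAP SASL GSSAPI bind depends on.
# The machine's FQDN, the forward DNS name, the reverse DNS name and the
# host part of the LDAP service principal must all agree.

# Normalise a hostname: lowercase, strip any trailing dot.
norm_host() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Extract the host part of a service principal of the form "ldap/host@REALM".
principal_host() {
    case "$1" in
        ldap/*@*) printf '%s' "${1#ldap/}" | sed 's/@.*//' ;;
        *) return 1 ;;
    esac
}

# Pure check on four values. Returns 0 when they agree; otherwise prints the
# first mismatch found and returns 1.
check_gssapi_names() {
    fqdn=$(norm_host "$1")
    forward=$(norm_host "$2")
    reverse=$(norm_host "$3")
    phost=$(principal_host "$4") || { echo "principal is not ldap/host@REALM: $4"; return 1; }
    phost=$(norm_host "$phost")
    case "$fqdn" in
        *.*) ;;
        *) echo "hostname is not fully qualified: $fqdn"; return 1 ;;
    esac
    [ "$forward" = "$fqdn" ] || { echo "forward lookup gives $forward, expected $fqdn"; return 1; }
    [ "$reverse" = "$fqdn" ] || { echo "reverse lookup gives $reverse, expected $fqdn"; return 1; }
    [ "$phost" = "$fqdn" ] || { echo "principal host $phost does not match $fqdn"; return 1; }
    echo "ok: $fqdn agrees with DNS and principal $4"
    return 0
}

# Gather the live values on the LDAP host and run the check.
# Usage: check_this_host 'ldap/ldap.example.com@EXAMPLE.COM'  (constructed principal)
check_this_host() {
    fqdn=$(hostname -f)
    ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
    forward=$(getent hosts "$fqdn" | awk '{print $2; exit}')
    reverse=$(getent hosts "$ip" | awk '{print $2; exit}')
    check_gssapi_names "$fqdn" "$forward" "$reverse" "$1"
}
```

A mismatch reported here is the same one that would otherwise only show up as a failed GSSAPI bind on the wire.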