directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: Using local kerberos server with ApacheDS 1.5.1
Date Wed, 24 Oct 2007 19:38:53 GMT
On 10/20/07, carlopmart <carlopmart@gmail.com> wrote:
> ...
> Hi Enrique,
>
>   I will try to explain my architecture. I have a RHEL5 Server with MIT kerberos
> shipped with redhat and ApacheDS 1.5.1 on the same server.
> ...

This is not option #2.  We do not have doco for setting this up,
though it is certainly possible.

>   I have exported kerberos key using ktadd command on the server to
> /etc/krb5.keytab file. Following howto, I have configured all except from point
> 12 to end.
>
>   When I try to do a ldapsearch, ApacheDS returns me an error that I don't have
> authenticate and GSSAPI protocol it isn't allowed. This is my real problem: I
> can't combine users information using ApacheDS and kerberos to autehnticate
> users like under OpenLDAP+Kerberos can I do it....
>
>   Is it possible to do this with ApacheDS??.

This is possible, but not easy to do with ApacheDS.  With OpenLDAP you
export the LDAP server's service key to a keytab that the OpenLDAP
server can read.  With ApacheDS, you would need to export the key from
the KDC and then read it into a principal entry in ApacheDS.  There is
code in kerberos-shared for reading from an MIT-formatted keytab file
but then you would need to write a custom JNDI client routine to write
the key material to the ApacheDS DIT.  I've done this before so I know
it works, but I don't believe we have any such example code checked
in.  If I get some time this coming weekend I can quickly write
something up.

Looking forward, I'd like to address this issue by upgrading the
Change Password protocol to use the Change Password version 2 draft
that is currently working its way through the IETF.  Then you could
use our Change Password client component to write keys to the DIT.

> ...
>   And last question: IpAddr param doesn't works, correct?? I have tried to
> assign localhost interface to port 10389 without luck.

You should be able to change the port.  IIRC, the server.xml attribute
is ipPort.

Enrique

Mime
View raw message