Work in progress

This site is in the process of being reviewed and updated.

You need:

1) java on your path, to run 'ldapbrowser' and 'apacheds-osgi'.

2) Disable any conflicting services, i.e. anything already running on your computer that duplicates what apacheds provides: NTP, MIT Kerberos, OpenLDAP, BIND DNS, etc. Most likely you have at least NTP running. Worst case you'll get a bind error and stack trace from Java/Felix/ApacheDS.

# service ntpd stop

3) Run 'apacheds'. This should bring up the Felix console with our various bundles loaded.

# cd apacheds-osgi/
# ./apacheds.sh

4) Run 'ldapbrowser' from the command line (you can probably also just double-click it; it's a Java Swing app).

# cd ldapbrowser/
# ./lbe.sh &

In the ldapbrowser, there are two sessions configured for you. Select 'localhost-system' for the system partition, which holds sensitive system configuration, or 'localhost-example' for the "example.com" partition, which holds the user data.

5) To test NTP you can use 'ntpdate':

# ntpdate -u localhost
14 May 10:57:15 ntpdate[602]: adjust time server 127.0.0.1 offset -0.000259 sec

6) To test DNS you can use 'dig'. You're looking for the IP address of 'www.example.com' to come back as '192.168.0.1'. If you navigate in the 'ldapbrowser' to:

cn=A,dc=www,dc=example,dc=com,dc=example,dc=com

... you can see where to change this IP address.

# dig @localhost www.example.com A

; <<>> DiG 9.3.2 <<>> @localhost www.example.com A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40709
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.0.1

;; Query time: 64 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 14 10:57:57 2006
;; MSG SIZE  rcvd: 64

7) Put the 'krb5.conf' shown at the end of this page in '/etc', overwriting any that is already there.

To run the gnome-kerberos app you likely need krb5 libs installed:

# rpm -qa | grep krb
krb5-libs-1.4.3-4.1
pam_krb5-2.2.6-2.2
krb5-workstation-1.4.3-4.1

If not, you can use the 'kinit' that comes with Java.

You can use the gnome-kerberos app or the command line 'kinit' to get a Kerberos ticket for the 'akarasulu@EXAMPLE.COM' user with password 'maxwell'.

# kinit -f akarasulu@EXAMPLE.COM
Password for akarasulu@EXAMPLE.COM: maxwell

[root@localhost ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: akarasulu@EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/06 10:54:24  05/15/06 10:54:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM

8) Change Password works, but the setup is even more complicated, and to make matters worse we have password policy enforcement in place. The gnome-kerberos client will do password changes, though.

The 'krb5.conf' referred to in step 7:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

 ticket_lifetime = 24h
 forwardable = yes

 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5

[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
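The krb5.conf above pins every enctype to single DES (des-cbc-md5). As an added check that is not part of the ApacheDS demo, the Python below parses the krb5.conf stanza format and lists which enctype keys in [libdefaults] name a weak cipher; the WEAK_ENCTYPES set and the KRB5_CONF excerpt are constructed for this example.

```python
# Enctypes treated as weak here: single DES (what the demo config pins)
# plus RC4, included on the assumption it should be flagged as well.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "preferred_enctypes", "permitted_enctypes")
# Constructed excerpt of the page's krb5.conf; an AES enctype is appended
# to permitted_enctypes to show that mixed lists are handled.
KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5 aes256-cts-hmac-sha1-96
[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
 }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf stanzas into {section: {key: value}} ('SUB.key' inside braces)."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None  # new section ends any subsection
            conf.setdefault(section, {})
            continue
        if line == "}":  # end of a '{ }' subsection
            sub = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":  # 'NAME = {' opens a subsection (e.g. a realm)
            sub = key
            continue
        conf.setdefault(section, {})[f"{sub}.{key}" if sub else key] = value
    return conf

def weak_enctype_findings(conf):
    """List (key, enctype) pairs in [libdefaults] that name a weak enctype."""
    libdefaults = conf.get("libdefaults", {})
    return [(key, enc) for key in ENCTYPE_KEYS
            for enc in libdefaults.get(key, "").split()
            if enc.lower() in WEAK_ENCTYPES]
```

MIT Kerberos 1.8 and later refuse single-DES enctypes unless allow_weak_crypto = true is set in [libdefaults], so the demo config as written does not work against a current client.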