Work in progress
This site is in the process of being reviewed and updated.
Before
Previously, Kerberos protocol configuration existed in a PropertiesFactoryBean, along with JNDI environment properties.
<bean id="environment" class="org.springframework.beans.factory.config.PropertiesFactoryBean"> <property name="properties"> <props> <prop key="java.naming.security.authentication">simple</prop> <prop key="java.naming.security.principal">uid=admin,ou=system</prop> <prop key="java.naming.security.credentials">secret</prop> <prop key="kdc.entryBaseDn">ou=users,dc=example,dc=com</prop> <prop key="kdc.java.naming.security.credentials">secret</prop> </props> </property> </bean>
After
At the same time as the addition of numerous configuration parameters for SASL to the LDAP protocol, Kerberos configuration has all moved to a KdcConfiguration bean.
<bean id="kdcConfiguration" class="org.apache.directory.server.kerberos.kdc.KdcConfiguration"> <!-- The port to run the Kerberos protocol on. --> <property name="ipPort" value="88" /> </bean>
The KdcConfiguration bean is subordinate to the MutableServerStartupConfiguration.
<bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration"> ... <property name="kdcConfiguration" ref="kdcConfiguration" /> ... </bean>
Common Service Configuration Parameters
Parameter |
Default value |
Description |
---|---|---|
enabled |
false |
Whether this service is enabled. |
ipPort |
88 |
The IP port for this service. |
ipAddress |
No default. |
The IP address for this service. |
searchBaseDn |
"ou=users,dc=example,dc=com" |
The single location where principals are stored. If this property is not set the store will search the system partition configuration for catalog entries. Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the Config Admin service. |
initialContextFactory |
"org.apache.directory.server.core.jndi.CoreContextFactory" |
The JNDI initial context factory to use. |
securityAuthentication |
"simple" |
The authentication mechanism to use for establishing a JNDI context. |
securityPrincipal |
"uid=admin,ou=system" |
The principal to use for establishing a JNDI context. |
securityCredentials |
"secret" |
The credentials to use for establishing a JNDI context. |
serviceName |
Apache Kerberos Service |
The friendly name of this service. |
servicePid |
org.apache.kerberos |
The PID for this service. A PID is a unique identifier for an instance of a service. PID's are used by OSGi's Config Admin service to dynamically inject configuration into a service when the service is started. |
catalogBaseDn |
No default. |
The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone for DNS) to a search base DN. If this property is not set the store will expect a single search base DN to be set. Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the Config Admin service. |
Kerberos-Specific Configuration Parameters
Parameter |
Default value |
Description |
---|---|---|
encryptionTypes |
des-cbc-md5 |
The encryption types. |
primaryRealm |
EXAMPLE.COM |
The primary realm. |
servicePrincipal |
krbtgt/EXAMPLE.COM@EXAMPLE.COM |
The service principal name. |
allowableClockSkew |
5 minutes |
The allowable clock skew. |
paEncTimestampRequired |
true |
Whether pre-authentication by encrypted timestamp is required. |
maximumTicketLifetime |
1440 (24 hours) |
The maximum ticket lifetime. |
maximumRenewableLifetime |
10080 (1 week) |
The maximum renewable lifetime. |
emptyAddressesAllowed |
true |
Whether ticket issuance for empty Host Addresses is allowed. |
forwardableAllowed |
true |
Whether forwardable tickets are allowed. |
proxiableAllowed |
true |
Whether proxiable tickets are allowed. |
postdateAllowed |
true |
Whether postdated tickets are allowed. |
renewableAllowed |
true |
Whether renewable tickets are allowed. |
More Information
For help with more advanced configurations, check out our Interoperability Guide.