ApacheDS 1.5.5
This site was updated for ApacheDS 1.5.5.
Overview
This page shows how to activate and set up the KDC server of ApacheDS 1.5.5 (built from trunk, 2009-08-04). This is a very simple setup (host: localhost, realm: EXAMPLE.COM). The setup for other hosts and realms still needs to be checked...
Activate Kerberos
Activate the keyDerivationInterceptor and the kdcServer. Also set saslHost and saslPrincipal to localhost. Do not add user entries before you have activated those elements, otherwise the krb5Key attributes won't be created (the interceptor derives the keys only when an entry is written)!
server.xml
<spring:beans ...>
  <defaultDirectoryService ...>
    ...
    <interceptors>
      ...
      <keyDerivationInterceptor/>
      ...
    </interceptors>
  </defaultDirectoryService>
  ...
  <!--
    +============================================================+
    | Kerberos server configuration                              |
    +============================================================+
  -->
  <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
  </kdcServer>
  ...
  <ldapServer ...
    saslHost="localhost"
    saslPrincipal="ldap/localhost@EXAMPLE.COM"
    searchBaseDn="ou=users,dc=example,dc=com"
    ...>
  ...
</spring:beans>
Here is a complete server.xml: server.xml
Optional: Logging
Configure debug level logging in log4j.properties:
log4j.logger.org.apache.directory.server.kerberos=DEBUG
Restart the Server
Restart the server; you should see the following output:
Starting the Kerberos server
[ASCII-art "ApacheDS" banner]
[19:28:03] INFO [org.apache.directory.server.kerberos.kdc.KdcServer] - Kerberos service started.
Kerberos service started.
Kerberos server started
Load User Data
Load the following data into the server, e.g. using Apache Directory Studio: kdc-data.ldif
Note: The activated keyDerivationInterceptor automatically creates the krb5Key attributes on the loaded user entries.
Authenticate using kinit (Unix/Linux)
Make sure kinit is installed.
A minimal /etc/krb5.conf file looks as follows (make sure the kdc port matches the kdcServer transport port!):
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = localhost:60088
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[login]
    krb4_convert = true
    krb4_get_tickets = false
Then try to authenticate; the password is 'secret':
stefan@r61:~$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:
stefan@r61:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
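As an added sanity check (example code, not part of this page or of ApacheDS), the following Python script parses a server.xml and a krb5.conf and reports when the client's kdc host or port, or its realm, does not match the kdcServer transports and the saslPrincipal realm, or when the keyDerivationInterceptor is missing so no krb5Key would ever be generated. The embedded configurations are constructed samples mirroring the settings above; the xmlns URI is an assumption.

```python
import xml.etree.ElementTree as ET
# Constructed samples mirroring the page's settings (not a real deployment).
SERVER_XML = """<beans xmlns="http://apacheds.org/config/1.0">
 <defaultDirectoryService><interceptors><keyDerivationInterceptor/></interceptors></defaultDirectoryService>
 <kdcServer><transports><tcpTransport port="60088"/><udpTransport port="60088"/></transports></kdcServer>
 <ldapServer saslHost="localhost" saslPrincipal="ldap/localhost@EXAMPLE.COM"/>
</beans>"""
KRB5_CONF = """[realms]
 EXAMPLE.COM = {
  kdc = localhost:60088
 }"""

def kdc_settings(server_xml):
    """Return (realm, saslHost, transport ports, interceptor present) from server.xml."""
    ports, host, realm, present = set(), None, None, False
    for el in ET.fromstring(server_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if name in ("tcpTransport", "udpTransport"):
            ports.add(el.get("port"))
        elif name == "ldapServer":
            host = el.get("saslHost")
            realm = el.get("saslPrincipal").split("@", 1)[1]
        elif name == "keyDerivationInterceptor":
            present = True
    return realm, host, ports, present

def client_kdcs(krb5_conf):
    """Return {realm: [host:port, ...]} from the [realms] section of krb5.conf."""
    realms, current, in_realms = {}, None, False
    for line in (l.strip() for l in krb5_conf.splitlines()):
        if line.startswith("["):
            in_realms = line == "[realms]"
        elif in_realms and line.endswith("{"):
            current = line.split("=")[0].strip()
            realms[current] = []
        elif in_realms and current and line.startswith("kdc"):
            realms[current].append(line.split("=", 1)[1].strip())
    return realms

def check(server_xml, krb5_conf):
    """Return a list of problems; an empty list means client and KDC agree."""
    realm, host, ports, present = kdc_settings(server_xml)
    problems = [] if present else ["keyDerivationInterceptor missing: no krb5Key is generated"]
    kdcs = client_kdcs(krb5_conf).get(realm) or []
    if not kdcs:
        problems.append("krb5.conf has no kdc entry for realm %s" % realm)
    for kdc in kdcs:
        host_c, _, port_c = kdc.partition(":")
        if host_c != host or port_c not in ports:
            problems.append("client kdc %s does not match server %s:%s" % (kdc, host, sorted(ports)))
    return problems
```

Run check() on your own files' contents; a port mismatch is the usual cause of kinit hanging or reporting that the KDC cannot be reached.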
Authenticate using Apache Directory Studio
You can also configure Apache Directory Studio to use Kerberos (GSSAPI) for authentication. If you use the following authentication parameters, you don't need to configure any Kerberos settings in your native operating system.