Note: This site is in the process of being reviewed and updated.
You need:
1) java on your path, to run 'ldapbrowser' and 'apacheds-osgi'.
2) Disable any conflicting services, i.e., any service already running on your computer that ApacheDS duplicates: NTP, MIT Kerberos, OpenLDAP, BIND DNS, etc. You likely have at least NTP running. Worst case, you'll get a bind error and stack trace from Java/Felix/ApacheDS.
```
# service ntpd stop
```
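As an added pre-flight check for step 2 (this script is not part of the ApacheDS demo), the following Python snippet tries to bind, on localhost, each port the demo's bundles will need and reports the ones that are already taken, so you know which host service to stop before starting 'apacheds'. Ports 88 and 464 come from this page's krb5.conf and port 53 from its dig output; 123 for NTP and 389 for LDAP are the standard ports and are assumed here, so adjust the table if the demo is configured differently. Run it as root: an unprivileged user cannot bind ports below 1024, and the probe then reports 'unknown' rather than guessing.

```python
import errno
import socket

# Ports the demo's ApacheDS bundles need (a constructed table: 88 and 464 are
# taken from the page's krb5.conf, 53 from the dig output; 123 for NTP and
# 389 for LDAP are the standard ports and are assumptions).
DEMO_PORTS = [
    ("NTP", 123, "udp"),
    ("DNS", 53, "udp"),
    ("DNS", 53, "tcp"),
    ("Kerberos KDC", 88, "udp"),
    ("Kerberos KDC", 88, "tcp"),
    ("kpasswd", 464, "udp"),
    ("kpasswd", 464, "tcp"),
    ("LDAP", 389, "tcp"),
]

_SOCK_TYPES = {"tcp": socket.SOCK_STREAM, "udp": socket.SOCK_DGRAM}


def port_status(port, proto="tcp", host="127.0.0.1"):
    """Try to bind host:port and report "free", "in-use" or "unknown".

    "unknown" means the bind was refused for a reason other than a conflict,
    typically EACCES when an unprivileged user probes a port below 1024, so
    the caller should confirm with ss/netstat instead of assuming it is free.
    """
    with socket.socket(socket.AF_INET, _SOCK_TYPES[proto]) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"
            if exc.errno in (errno.EACCES, errno.EPERM):
                return "unknown"
            raise
    return "free"


def find_conflicts(ports=DEMO_PORTS, host="127.0.0.1"):
    """Return [(service, port, proto, status)] for every port not known to be free."""
    conflicts = []
    for service, port, proto in ports:
        status = port_status(port, proto, host)
        if status != "free":
            conflicts.append((service, port, proto, status))
    return conflicts


if __name__ == "__main__":
    problems = find_conflicts()
    if not problems:
        print("all demo ports are free")
    for service, port, proto, status in problems:
        print(f"{service:12} {port}/{proto}: {status}")
```

A port reported 'in-use' is exactly the case that produces the bind error and stack trace mentioned above; the service name in the table tells you what to stop (for NTP, the `service ntpd stop` from this step).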
3) Run 'apacheds'. This should bring up the Felix console with our various bundles loaded.
```
# cd apacheds-osgi/
# ./apacheds.sh
```
4) Run 'ldapbrowser' from the command-line or you can probably double-click it. It's a Java Swing app.
```
# cd ldapbrowser/
# ./lbe.sh &
```
In the ldapbrowser, there are two sessions configured for you. Select 'localhost-system' to get the system partition, where sensitive system config info is, or select 'localhost-example' to get to the "example.com" partition where user data is.
5) To test NTP you can use 'ntpdate':
```
# ntpdate -u localhost
14 May 10:57:15 ntpdate[DIRxSRVx10:602]: adjust time server 127.0.0.1 offset -0.000259 sec
```
6) To test DNS you can use 'dig'. You're looking for the IP address of 'www.example.com' to come back as '192.168.0.1'. If you navigate in the 'ldapbrowser' to:
```
cn=A,dc=www,dc=example,dc=com,dc=example,dc=com
```
... you can see where to change this IP address.
```
# dig @localhost www.example.com A

; <<>> DiG 9.3.2 <<>> @localhost www.example.com A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40709
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com.              IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.0.1

;; Query time: 64 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 14 10:57:57 2006
;; MSG SIZE  rcvd: 64
```
7) You need to place a 'krb5.conf' in '/etc', overwriting the one that may be there (its contents are listed under step 8 below).
To run the gnome-kerberos app you likely need the krb5 libs installed:
```
# rpm -qa | grep krb
krb5-libs-1.4.3-4.1
pam_krb5-2.2.6-2.2
krb5-workstation-1.4.3-4.1
```
If not, you can use the 'kinit' that comes with Java.
You can use the gnome-kerberos app or the command-line 'kinit' to get a Kerberos ticket for the 'akarasulu@EXAMPLE.COM' user with password 'maxwell'.
```
# kinit -f akarasulu@EXAMPLE.COM
Password for akarasulu@EXAMPLE.COM: maxwell
[DIRxSRVx10:root@localhost ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: akarasulu@EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/06 10:54:24  05/15/06 10:54:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM
```
8) Change Password works, but the setup is even more complicated, and to make matters worse we have password policy enforcement in place. The gnome-kerberos client will do password changes, though.
The 'krb5.conf' referred to in step 7:
```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5

[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
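An added example, not part of the ApacheDS demo or the MIT krb5 tools: a small Python parser for krb5.conf syntax ([section] headers, key = value entries and nested { } blocks) that loads the file from step 8 and flags every enctype setting selecting a deprecated cipher. The sample input is the page's own krb5.conf; the weak-enctype list is factual rather than assumed, since single DES (the des-cbc-md5 pinned here for all four enctype keys) was retired from Kerberos by RFC 6649 and RC4 and 3DES by RFC 8429. On a current MIT krb5 client, a DES-only realm like this one cannot even be contacted unless allow_weak_crypto = true is set, and recent releases have dropped DES entirely, so a practitioner reviving this demo should expect to move the KDC and clients to the AES enctypes.

```python
import re

# The krb5.conf from step 8 of the page, embedded here as the sample input.
DEMO_KRB5_CONF = """
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5

[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
"""

# Enctypes deprecated for Kerberos: single DES by RFC 6649, RC4 and 3DES by RFC 8429.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des",
    "des3-cbc-sha1", "des3-hmac-sha1", "des3",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac", "rc4",
}
# The [libdefaults] keys whose values are enctype lists.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "preferred_enctypes")


def _store(section, key, value):
    """Store a key; a repeated key (e.g. several kdc lines) becomes a list."""
    if key in section:
        existing = section[key]
        if not isinstance(existing, list):
            section[key] = existing = [existing]
        existing.append(value)
    else:
        section[key] = value


def parse_krb5_conf(text):
    """Parse krb5.conf syntax into nested dicts: {section: {key: value | {...}}}."""
    root, stack = {}, []          # stack[-1] is the dict currently being filled
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: entry before any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unexpected '}}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if value == "{":                      # start of a nested block
            block = {}
            _store(stack[-1], key, block)
            stack.append(block)
        else:
            _store(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return root


def audit_enctypes(conf):
    """Return (key, enctype) pairs from [libdefaults] that name a deprecated enctype."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        value = libdefaults.get(key)
        if value is None:
            continue
        values = value if isinstance(value, list) else [value]
        for entry in values:
            for enctype in re.split(r"[\s,]+", entry.strip()):
                if enctype.lower() in WEAK_ENCTYPES:
                    findings.append((key, enctype))
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(DEMO_KRB5_CONF)
    print("KDC:", conf["realms"]["EXAMPLE.COM"]["kdc"])
    for key, enctype in audit_enctypes(conf):
        print(f"[libdefaults] {key} selects deprecated enctype {enctype}")
```

Run against the file above, the audit reports all four enctype keys; the parser also handles repeated keys (several `kdc =` lines in a realm become a list) and refuses a file with an unclosed block, which is the usual way a hand-edited krb5.conf breaks.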