Tip (ApacheDS 1.5.5): This site was updated for ApacheDS 1.5.5.

Overview

This page shows how to activate and set up the KDC server of ApacheDS 1.5.5 (built from trunk on 2009-08-04). This is a very simple setup (host: localhost, realm: EXAMPLE.COM); the setup for other hosts and realms still needs to be checked.

Activate Kerberos

Activate the keyDerivationInterceptor and the kdcServer. Also set saslHost and saslPrincipal to localhost. Do not add user entries before you have activated these elements, otherwise the krb5Key attributes won't be created!

server.xml

Code Block
<spring:beans ...>
  <defaultDirectoryService ...>
    ...
    <interceptors>
      ...
      <keyDerivationInterceptor/>
      ...
    </interceptors>
  </defaultDirectoryService>
   ...

  <!-- 
  +============================================================+
  | Kerberos server configuration                              |
  +============================================================+
  -->
  <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
  </kdcServer>

  ...

  <ldapServer ...
            saslHost="localhost"
            saslPrincipal="ldap/localhost@EXAMPLE.COM"
            searchBaseDn="ou=users,dc=example,dc=com"
            ...>
  ...

</spring:beans>

Here is a complete server.xml: server.xml

Optional: Logging

Configure debug level logging in log4j.properties:

Code Block
log4j.logger.org.apache.directory.server.kerberos=DEBUG

Restart the Server

Restart the server; you should see the following output:

Code Block
Starting the Kerberos server
           _                     _          _  __ ____   ___    
          / \   _ __    ___  ___| |__   ___| |/ /|  _ \ / __|   
         / _ \ | '_ \ / _` |/ __| '_ \ / _ \ ' / | | | / /      
        / ___ \| |_) | (_| | (__| | | |  __/ . \ | |_| \ \__    
       /_/   \_\ .__/ \__,_|\___|_| |_|\___|_|\_\|____/ \___|   
               |_|                                              

[19:28:03] INFO [org.apache.directory.server.kerberos.kdc.KdcServer] - Kerberos service started.
Kerberos service started.
Kerberos server started

Load User Data

Load the following data into the server, e.g. using Apache Directory Studio: kdc-data.ldif

Note: The activated keyDerivationInterceptor automatically creates the krb5Key attributes for the loaded user entries.

Authenticate using kinit (Unix/Linux)

Make sure kinit is installed.

A minimal /etc/krb5.conf file looks as follows (make sure the port matches!):

Code Block
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false
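
Because the KDC port in krb5.conf has to match the transport port in server.xml, here is an added consistency check (example code written for this page, not part of ApacheDS) that parses a minimal krb5.conf and a trimmed server.xml and reports realm and port mismatches; the embedded samples are constructed from the values shown above.

```python
import xml.etree.ElementTree as ET
# Constructed samples mirroring the page's setup (trimmed server.xml; not the real file).
SERVER_XML = """<beans>
  <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
    <transports><tcpTransport port="60088"/><udpTransport port="60088"/></transports>
  </kdcServer>
  <ldapServer saslHost="localhost" saslPrincipal="ldap/localhost@EXAMPLE.COM"/>
</beans>"""
KRB5_CONF = """[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
        }
"""

def parse_krb5_conf(text):
    default_realm, realms, section, realm = None, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # new section, e.g. [realms]
            section, realm = line.strip("[]"), None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms" and line.endswith("{"):   # REALM = {
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif section == "realms" and realm and line.startswith("kdc"):
            realms[realm].append(line.split("=", 1)[1].strip())
    return default_realm, realms  # e.g. ("EXAMPLE.COM", {"EXAMPLE.COM": ["localhost:60088"]})

def check_kdc_setup(server_xml, krb5_conf):
    """Return a list of mismatches; an empty list means client and server agree."""
    root = ET.fromstring(server_xml)
    tag = lambda e: e.tag.rsplit("}", 1)[-1]          # drop any XML namespace
    ports = {e.get("port") for e in root.iter() if tag(e) in ("tcpTransport", "udpTransport")}
    ldap = next(e for e in root.iter() if tag(e) == "ldapServer")
    server_realm = ldap.get("saslPrincipal", "").rsplit("@", 1)[-1]
    default_realm, realms = parse_krb5_conf(krb5_conf)
    problems = []
    if default_realm != server_realm:
        problems.append(f"default_realm {default_realm} != saslPrincipal realm {server_realm}")
    if not realms.get(default_realm):
        problems.append(f"krb5.conf has no kdc entry for realm {default_realm}")
    for kdc in realms.get(default_realm, []):
        port = kdc.partition(":")[2] or "88"          # MIT default port when none is given
        if port not in ports:
            problems.append(f"kdc {kdc} uses port {port}, KDC listens on {sorted(ports)}")
    return problems
```

Run it against your real files before the kinit step; a non-empty list explains most "Cannot contact any KDC" failures with this non-standard port.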

Then try to authenticate; the password is 'secret':

Code Block
stefan@r61:~$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:

stefan@r61:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

Authenticate using Apache Directory Studio

You can also configure Apache Directory Studio to use Kerberos (GSSAPI) for authentication. If you use the following authentication parameters you don't need to configure any Kerberos settings in your native operating system.