ApacheDS 1.5.5

This site was updated for ApacheDS 1.5.5.


This page shows how to activate and set up the KDC server of ApacheDS 1.5.5 (built from trunk 2009-08-04). This is a very simple setup (host: localhost, realm: EXAMPLE.COM). The setup for other hosts and realms still needs to be checked.

Activate Kerberos

Activate the keyDerivationInterceptor and the kdcServer. Also set saslHost and saslPrincipal to localhost. Add user entries only after you have activated those elements; otherwise the krb5Key won't be created!


<spring:beans ...>
  <defaultDirectoryService ...>

  <!-- Kerberos server configuration -->
  <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>


  <ldapServer ...


Here is a complete server.xml: server.xml

Optional: Logging

Configure debug level logging in

Restart the Server

Restart the server. You should see the following output:

Starting the Kerberos server
           _                     _          _  __ ____   ___    
          / \   _ __    ___  ___| |__   ___| |/ /|  _ \ / __|   
         / _ \ | '_ \ / _` |/ __| '_ \ / _ \ ' / | | | / /      
        / ___ \| |_) | (_| | (__| | | |  __/ . \ | |_| \ \__    
       /_/   \_\ .__/ \__,_|\___|_| |_|\___|_|\_\|____/ \___|   

[19:28:03] INFO [] - Kerberos service started.
Kerberos service started.
Kerberos server started

Load User Data

Load the following data into the server, e.g. using Apache Directory Studio: kdc-data.ldif

Note: The activated keyDerivationInterceptor automatically creates the krb5Key attributes:

Authenticate using kinit (Unix/Linux)

Make sure kinit is installed.

A minimal /etc/krb5.conf file looks as follows (make sure the port matches!):

[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false
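
The port has to agree in two files: the kdcServer transports in server.xml and the kdc entry in /etc/krb5.conf. The following check is an added example, not part of the original page or of ApacheDS; the function names are hypothetical and the two sample inputs are constructed from the fragments shown on this page. It assumes default_realm is set and KDC hosts are plain host names.

```python
import re

# Constructed sample inputs mirroring the fragments on this page.
SERVER_XML = '''
<kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
  <tcpTransport port="60088" nbThreads="4" backLog="50"/>
  <udpTransport port="60088" nbThreads="4" backLog="50"/>
</kdcServer>
'''
KRB5_CONF = '''
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
        }
'''

def kdc_listen_ports(server_xml):
    """Return {"tcp": port, "udp": port} as declared inside <kdcServer>."""
    m = re.search(r"<kdcServer\b.*?</kdcServer>", server_xml, re.S)
    body = m.group(0) if m else ""
    return {proto: int(port) for proto, port in
            re.findall(r'<(tcp|udp)Transport\b[^>]*\bport="(\d+)"', body)}

def client_kdcs(krb5_conf):
    """Return (default_realm, [(host, port), ...]) for the default realm."""
    realm = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M).group(1)
    block = re.search(r"^\s*%s\s*=\s*\{(.*?)\}" % re.escape(realm), krb5_conf, re.M | re.S)
    kdcs = []
    for entry in re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1) if block else "", re.M):
        host, _, port = entry.partition(":")
        kdcs.append((host, int(port) if port else 88))  # no port given: client uses 88
    return realm, kdcs

def check(server_xml, krb5_conf):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    ports = kdc_listen_ports(server_xml)
    realm, kdcs = client_kdcs(krb5_conf)
    problems = []
    if not kdcs:
        problems.append("no kdc entry for realm %s" % realm)
    for host, port in kdcs:
        if port not in ports.values():
            problems.append("%s: client uses %s:%d, server listens on %s"
                            % (realm, host, port, sorted(set(ports.values()))))
    return problems

if __name__ == "__main__":
    print(check(SERVER_XML, KRB5_CONF) or "ports match")
```

A kdc entry without an explicit port is treated as port 88, which is the case that most often breaks kinit against a KDC on a non-standard port such as 60088.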

Then try to authenticate; the password is 'secret':

stefan@r61:~$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:

stefan@r61:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/04/09 19:54:22  08/05/09 19:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

