[EMAIL PROTECTED] wrote:
Hello,

I'm very new to ApacheDS and I'm trying to set up a demo environment for evaluation.

Hi Wolfgang!

First, ApacheDS is running and the 'SevenSeas' LDIF example was successfully inserted into the DS. Now we'd like to authenticate via JAAS (com.sun.security.auth.module.Krb5LoginModule).

Ok, you'll need to make sure that Kerberos is enabled in the server. This is accomplished by setting various XML elements in the server.xml file. For example, if you're setting up the realm EXAMPLE.COM under dc=example,dc=com you'll want these additional properties in the properties configuration section of your server.xml:

NOTE: this also configures the changepw protocol.

        <prop key="java.naming.security.authentication">simple</prop>
        <prop key="java.naming.security.principal">uid=admin,ou=system</prop>
        <prop key="java.naming.security.credentials">secret</prop>
        <prop key="java.naming.provider.url">dc=example,dc=com</prop>
        <prop key="kdc.primary.realm">EXAMPLE.COM</prop>
        <prop key="kdc.principal">krbtgt/[EMAIL PROTECTED]</prop>
        <prop key="kdc.encryption.types">des-cbc-md5 des3-cbc-sha1 des3-cbc-md5 des-cbc-md4 des-cbc-crc</prop>
        <prop key="kdc.entryBaseDn">ou=users,dc=example,dc=com</prop>
        <prop key="kdc.java.naming.security.credentials">secret</prop>

        <prop key="changepw.entryBaseDn">ou=users,dc=example,dc=com</prop>
        <prop key="changepw.java.naming.security.credentials">secret</prop>
        <prop key="changepw.principal">kadmin/[EMAIL PROTECTED]</prop>

        <!-- OPTIONAL: All times are in minutes -->
        <prop key="kdc.allowable.clockskew">5</prop>
        <prop key="kdc.tgs.maximum.ticket.lifetime">1440</prop>
        <prop key="kdc.tgs.maximum.renewable.lifetime">10080</prop>
        <prop key="kdc.pa.enc.timestamp.required">true</prop>
        <prop key="kdc.tgs.empty.addresses.allowed">true</prop>
        <prop key="kdc.tgs.forwardable.allowed">true</prop>
        <prop key="kdc.tgs.proxiable.allowed">true</prop>
        <prop key="kdc.tgs.postdate.allowed">true</prop>
        <prop key="kdc.tgs.renewable.allowed">true</prop>
      </props>
    </property>

We get an exception about a missing krb5.ini in the C:/WINNT directory.
Does anyone know what the krb5.ini has to look like so that we can authenticate with Krb5LoginModule?

The information you're looking for is available here, under the section for Windows:

  http://cwiki.apache.org/DIRxTRIPLESEC/os-kerberos-configuration.html

Unfortunately, on the ApacheDS homepage (directory.apache.org) the Kerberos configuration page is still empty.

Sorry for this inconvenience. The site is under construction and we intend to get to that shortly.

I would be happy about any help.

Hope this helps.  Please come back to us if you have any other needs.

Alex
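As an added example (not part of the original thread and not ApacheDS's own code): a krb5.ini that matches the realm configured in the server.xml fragment above, a JAAS login configuration for Krb5LoginModule, and a small Java client that performs the login against it. The KDC host and ports (localhost:88, changepw on 464), the file paths, the login-entry name ApacheDsKrb5 and the user supplied on the command line are assumptions for a local demo install; the user has to exist under kdc.entryBaseDn (ou=users,dc=example,dc=com) as a Kerberos principal in EXAMPLE.COM. Two practitioner caveats: every enctype the fragment offers is single-DES or 3DES, which Java 7 and later reject unless allow_weak_crypto = true is set in [libdefaults] (acceptable for an evaluation box, not for anything else); and because kdc.pa.enc.timestamp.required is true, the module must know the password up front, which is why the callback handler below answers the NameCallback and PasswordCallback itself instead of prompting.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Assumed C:\WINNT\krb5.ini (the file the exception complains about).
 * Realm and enctypes mirror the server.xml fragment; the KDC host/ports
 * are assumptions for a local demo install. allow_weak_crypto is required
 * on Java 7+ because the KDC only offers DES/3DES enctypes.
 *
 *   [libdefaults]
 *       default_realm = EXAMPLE.COM
 *       default_tkt_enctypes = des-cbc-md5
 *       default_tgs_enctypes = des-cbc-md5
 *       allow_weak_crypto = true
 *
 *   [realms]
 *       EXAMPLE.COM = {
 *           kdc = localhost:88
 *           admin_server = localhost:464
 *       }
 *
 *   [domain_realm]
 *       .example.com = EXAMPLE.COM
 *       example.com = EXAMPLE.COM
 *
 * Assumed jaas.conf (the entry name ApacheDsKrb5 is an assumption):
 *
 *   ApacheDsKrb5 {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=false
 *           doNotPrompt=false
 *           storeKey=false
 *           debug=true;
 *   };
 */
public class Krb5LoginDemo {

    /** Answers Krb5LoginModule's name/password callbacks without a console prompt. */
    static final class StaticHandler implements CallbackHandler {
        private final String name;
        private final char[] password;

        StaticHandler(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    // No realm given: Krb5LoginModule appends default_realm from krb5.ini.
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Runs the JAAS login; returns the authenticated Subject or null on failure. */
    static Subject login(String user, char[] password) {
        try {
            LoginContext lc = new LoginContext("ApacheDsKrb5", new StaticHandler(user, password));
            lc.login(); // AS-REQ with encrypted-timestamp pre-authentication to the KDC
            return lc.getSubject();
        } catch (LoginException e) {
            // A wrong password surfaces here as a KDC pre-authentication failure.
            System.err.println("Kerberos login failed: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java Krb5LoginDemo <user> <password>");
            System.exit(2);
        }
        // Point the JDK at both files explicitly instead of relying on its
        // default search for C:\WINNT\krb5.ini (paths are assumptions).
        System.setProperty("java.security.krb5.conf", "C:/WINNT/krb5.ini");
        System.setProperty("java.security.auth.login.config", "jaas.conf");

        Subject subject = login(args[0], args[1].toCharArray());
        if (subject == null) {
            System.exit(1);
        }
        // On success the Subject holds the KerberosPrincipal and the TGT as a private credential.
        System.out.println("Principals:  " + subject.getPrincipals());
        System.out.println("Private credentials: " + subject.getPrivateCredentials().size());
    }
}
```

Run it as `java Krb5LoginDemo hnelson <password>` with ApacheDS listening on the KDC port; with debug=true in jaas.conf the module prints the enctypes it negotiates, which is the quickest way to see whether the DES-only offer from the server is being rejected by the JDK. Passing the password on the command line is for the demo only.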
