Enrique, I now have SPNs and UPNs working. It turned out that they were just attributes. I did have to add the objectCategory class but so far it has gone well. I also have a query working to find out the members of a group (had to add the AD-specific "group" attribute but "member" was already there.) I'm now working on testing my client for getting a list of attributes for the user/account and for adding users to groups.
MikeC

-----Original Message-----
From: Enrique Rodriguez [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2007 10:12 PM
To: [email protected]
Subject: Re: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in Schema

On 4/23/07, CORUM, M E [AG/1000] <[EMAIL PROTECTED]> wrote:
> ...
> I now have 1.5 working with some basic (very basic) Kerberos stuff. I'm
> able from a JUnit test to log on and verify that a different
> account/user is valid. Before I go on to explain my next issue, I
> should explain what I'm trying to accomplish.

I'm happy to see you're progressing. I know the config is a bit convoluted but we have a better story in the works which will hopefully coincide with doco that isn't "hidden."

> ... we'd like to set up a test environment on our
> local machines that simulates AD as closely as possible for the purpose
> of this client code we are writing.

I would like to work closely with you to make Apache Directory "simulate AD as closely as possible" for purposes of "testing." ;) All kidding aside, this is interesting work, but I really need to focus on the "Realm Control Initiatives," since they are prerequisites for an actually useful Kerberos server.

http://cwiki.apache.org/confluence/display/DIRxSBOX/Realm+Control+Initiatives

> My next step after verifying accounts (which I can do now) against
> ApacheDS is to verify the SPNs. In Active Directory, an SPN is a
> "servicePrincipalName" attribute that can have a list of values
> (aliases) for the service that the account represents. When I try to
> add a "servicePrincipalName" to a user in my kerberos.ldif file (for
> loading on startup), the startup fails to load the ldif file with the
> following error:
> ...

Yeah, this is classic LDAP here. Instead of adding attributes to the schema we use for Kerberos it makes more sense to create a new schema and put the 200 or so AD attributes in there.

> Can anybody help with adding an attribute to the schema or set of
> schemas that ApacheDS uses?
Numerous people here should be able to help with schema setup and probably there's some doco (I work off unit tests). The issue closer to home for me is getting the Kerberos protocol provider to work with SPNs since this requires a new store implementation against a different schema than the one we're using. But, it's straightforward JNDI programming. Stores aren't pluggable now but we have techniques for that.

Enrique
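The three client operations discussed in this thread (reading an account's servicePrincipalName/userPrincipalName values, listing a group's "member" values, and adding a user to a group) written against plain JNDI, as an added example that is not code from the thread or from the ApacheDS project. The URL, port, admin bind DN, base DN, uid and group DN are assumed values chosen for illustration (10389 and uid=admin,ou=system are the ApacheDS defaults); the escapeFilterValue helper is included because any uid that comes from a caller must be escaped before it is spliced into a search filter, otherwise it can change the filter's structure.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical JNDI client for an ApacheDS instance carrying AD-style attributes. */
public class AdLikeDirectoryClient {

    // Assumed connection details: ApacheDS default port and admin DN, example base DN.
    private static final String URL = "ldap://localhost:10389";
    private static final String BIND_DN = "uid=admin,ou=system";
    private static final String BIND_PW = "secret";
    private static final String BASE_DN = "dc=example,dc=com";

    private final DirContext ctx;

    public AdLikeDirectoryClient() throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        ctx = new InitialDirContext(env);
    }

    /** Escape a value for use inside an LDAP search filter (RFC 4515) so that
     *  caller-supplied text cannot alter the filter's structure. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** All userPrincipalName and servicePrincipalName values on the account with this uid.
     *  servicePrincipalName is multi-valued, so every alias is returned. */
    public List<String> principalNames(String uid) throws NamingException {
        String[] wanted = {"userPrincipalName", "servicePrincipalName"};
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(wanted);
        String filter = "(uid=" + escapeFilterValue(uid) + ")";
        List<String> names = new ArrayList<String>();
        NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
        try {
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                for (String attrId : wanted) {
                    Attribute a = attrs.get(attrId);
                    if (a == null) continue;
                    NamingEnumeration<?> vals = a.getAll();
                    while (vals.hasMore()) names.add(attrId + "=" + vals.next());
                }
            }
        } finally {
            results.close();
        }
        return names;
    }

    /** The DNs held in the group's multi-valued "member" attribute. */
    public List<String> groupMembers(String groupDn) throws NamingException {
        Attributes attrs = ctx.getAttributes(groupDn, new String[] {"member"});
        List<String> members = new ArrayList<String>();
        Attribute member = attrs.get("member");
        if (member != null) {
            NamingEnumeration<?> vals = member.getAll();
            while (vals.hasMore()) members.add(String.valueOf(vals.next()));
        }
        return members;
    }

    /** Add one member DN; ADD_ATTRIBUTE appends a value and leaves existing members intact. */
    public void addToGroup(String groupDn, String memberDn) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", memberDn))
        };
        ctx.modifyAttributes(groupDn, mods);
    }

    public void close() throws NamingException { ctx.close(); }

    public static void main(String[] args) throws NamingException {
        AdLikeDirectoryClient c = new AdLikeDirectoryClient();
        try {
            System.out.println(c.principalNames("hnelson"));  // assumed uid
            System.out.println(c.groupMembers("cn=admins,ou=groups," + BASE_DN));
        } finally {
            c.close();
        }
    }
}
```

It needs only the JDK (javac AdLikeDirectoryClient.java) and the servicePrincipalName, userPrincipalName and member attribute types present in the server's schema. Adding a member DN that is already in the group makes the server return attributeOrValueExists, which JNDI surfaces as javax.naming.directory.AttributeInUseException, so callers that want idempotent behaviour should check groupMembers first or catch that exception.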
