On 5/20/07, Keith Shu <[EMAIL PROTECTED]> wrote:
> I've been tinkering with ApacheDS 1.5.1 for the past couple of weeks. I've had some success with the LDAP directory but I'm having problems configuring ApacheDS to perform Kerberos authentication.
Hi, Keith,

Thanks for being an early adopter of ApacheDS Kerberos. I take it that since you are running 1.5.1 you are building from trunk?
> I've not found any guides or tutorials available for Kerberos configuration on ApacheDS. I might write one if I get it to work but I'm stuck. So far I've enabled Kerberos and inserted some principals in the LDAP directory. I've tried testing using kinit and krb5LoginModule and I got as far as issuing the ticket but I got an exception encoding the ticket on the server side. (See below)
We are merging, this week, 2 branches which will address a number of issues with Kerberos. It would be great if you're building from trunk and could test again in a few days. I'll let you know when we've done the merges.

Per your error, I suspect you may not have any keys for your user principals, which can currently only be added using the LDIF loader at startup or by LDAP if you really know what you're doing. One of the branches makes principal key generation a lot easier.

A NullPointerException is bad in any case, so any details you can provide about your setup would be appreciated. In particular I'm curious about platform, krb5.conf (if any), and whether you are using UDP or TCP.
> Is there a guide available for Kerberos on ApacheDS? Something step by step would be nice. Please help!
Between the 2 branches, configuration has changed and how you create principal keys is totally new. Sorry for the delay but we are in the middle of addressing many issues. Once the branches are in, we can revisit doco.

For now, there is forward-looking documentation for the Kerberos protocol at:

http://cwiki.apache.org/confluence/display/DIRxSRVx10/Kerberos+Protocol+Configuration

"Before" refers to pre-1.5.1 while "After" is beta doco for 1.5.1.

Also, there is a ton of uploaded notes in a raw form at:

http://cwiki.apache.org/confluence/display/DIRxINTEROP/Index

The intent is once these branches are in and how you configure ApacheDS Kerberos has stabilized, we can update the raw doco.

HTH,
Enrique
