Enrique Rodriguez wrote:
On 10/19/07, carlopmart <[EMAIL PROTECTED]> wrote:
Enrique Rodriguez wrote:
On 10/17/07, carlopmart <[EMAIL PROTECTED]> wrote:
...
Is it possible to use a local Kerberos server to authenticate users, using
ApacheDS as a repository of identity information like OpenLDAP does using SASL??
...
2) If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
can combine the Kerberos provider and the LDAP SASL GSSAPI
functionality using doco here:
http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html
...
Thanks for your answers. I am referring to option 2: using ApacheDS as the LDAP
server, on the same server where Kerberos runs. And ... it doesn't work. I
have done everything the howto explains but ... why does ApacheDS need to use port 88 as
point 12 explains?? I don't understand it because I already have a Kerberos
server ...
With option #2, both the LDAP server and the Kerberos server are
combined in ApacheDS. Can you clarify that you are using Kerberos
from ApacheDS and not MIT Kerberos nor Active Directory?
I ask because if you are using a Kerberos server external to ApacheDS
then you need to export key material from that Kerberos server and
import it into ApacheDS. With just ApacheDS for both LDAP and
Kerberos they can share the key material internal to the server, so
nothing needs to be exported & imported. Both MIT Kerberos and Active
Directory have different procedures for exporting key material and I
can point you to docs if this is what you are doing.
ApacheDS doesn't need to use port 88 for Kerberos, but if you change
the port ApacheDS uses for Kerberos then you need to change the port
your Kerberos client expects the Kerberos server to be running on.
With Kerberos and LDAP together in ApacheDS, the client-side still
needs to use Kerberos to authenticate and to get a service ticket for
the LDAP server. Once the client has used Kerberos to get a service
ticket, the client can then use SASL GSSAPI with LDAP to perform LDAP
operations.
If you really are doing Option #2 with LDAP and Kerberos together in
ApacheDS, then please double-check your hostname, name resolution, and
reverse name resolution. Probably the #1 issue I see in LDAP SASL
GSSAPI setups is that the hostname of the machine, the hostname in the
hosts file or DNS, and the hostname in the LDAP principal do not
match. You can see this on the wire using a sniffer.
What errors are you seeing?
Enrique
Hi Enrique,
I will try to explain my architecture. I have a RHEL5 server with the MIT Kerberos
shipped with Red Hat and ApacheDS 1.5.1 on the same server.
I have exported the Kerberos key using the ktadd command on the server to the
/etc/krb5.keytab file. Following the howto, I have configured everything except from point
12 to the end.
When I try to do an ldapsearch, ApacheDS returns me an error that I am not
authenticated and the GSSAPI protocol isn't allowed. This is my real problem: I
can't combine user information in ApacheDS with Kerberos to authenticate
users, as I can do under OpenLDAP+Kerberos....
Is it possible to do this with ApacheDS??
And a last question: the IpAddr param doesn't work, correct?? I have tried to
assign the localhost interface to port 10389 without luck.
--
CL Martinez
carlopmart {at} gmail {d0t} com
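The name-matching problem Enrique calls the #1 cause of LDAP SASL GSSAPI failures (machine hostname, forward DNS, reverse DNS and the hostname inside the ldap/ principal all having to agree) can be checked before touching ApacheDS at all. The following POSIX shell script is an added example, not code from the thread, from ApacheDS or from the howto. The host name ds.example.com, the realm EXAMPLE.COM and the sample keytab listing are constructed for illustration; the live path assumes Linux `hostname -f`, glibc `getent hosts` and MIT Kerberos `klist -k`, and the closing hint assumes ApacheDS on its default LDAP port 10389.

```shell
#!/bin/sh
# Added example (not from the thread, ApacheDS or the howto): pre-flight check
# for the name-matching problem behind most LDAP SASL GSSAPI failures.
# Four names must agree: the machine's FQDN, what that FQDN resolves to,
# what that address resolves back to, and the ldap/<fqdn>@REALM principal
# that ktadd wrote into the keytab.

# check_gssapi_names FQDN FORWARD_ADDR REVERSE_NAME REALM KEYTAB_LISTING
#   KEYTAB_LISTING is text in the shape of `klist -k` output (KVNO, principal).
#   Prints one line per mismatch; returns 0 if everything lines up, 1 otherwise.
check_gssapi_names() {
    fqdn=$1; fwd_addr=$2; rev_name=$3; realm=$4; keytab_listing=$5
    rc=0
    case $fqdn in
        *.*) ;;
        *)   echo "MISMATCH: hostname '$fqdn' is not fully qualified"; rc=1 ;;
    esac
    if [ -z "$fwd_addr" ]; then
        echo "MISMATCH: '$fqdn' does not resolve to an address"; rc=1
    fi
    if [ "$rev_name" != "$fqdn" ]; then
        echo "MISMATCH: reverse lookup of '$fwd_addr' gives '$rev_name', expected '$fqdn'"; rc=1
    fi
    want="ldap/$fqdn@$realm"
    # Exact match on the last field, so ldap/ds.example.com@EXAMPLE.COM does not
    # also accept a longer realm or a host/ principal for the same machine.
    if ! printf '%s\n' "$keytab_listing" | awk -v p="$want" '$NF == p { found = 1 } END { exit !found }'; then
        echo "MISMATCH: keytab has no entry for $want"; rc=1
    fi
    return $rc
}

# Constructed sample of what `klist -k /etc/krb5.keytab` prints after ktadd has
# added host/ and ldap/ principals for the machine (no real key material).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ds.example.com@EXAMPLE.COM
   2 ldap/ds.example.com@EXAMPLE.COM'

# Gather the live values and run the check. Assumes Linux `hostname -f`,
# glibc `getent hosts` and MIT `klist`; runs only when GSSAPI_CHECK_LIVE=1, so
# the function above can be exercised offline with the constructed sample.
live_check() {
    realm=${1:?usage: GSSAPI_CHECK_LIVE=1 sh gssapi-precheck.sh REALM}
    fqdn=$(hostname -f)
    fwd_addr=$(getent hosts "$fqdn" | awk 'NR == 1 { print $1 }')
    rev_name=$(getent hosts "$fwd_addr" | awk 'NR == 1 { print $2 }')
    listing=$(klist -k /etc/krb5.keytab)
    check_gssapi_names "$fqdn" "$fwd_addr" "$rev_name" "$realm" "$listing"
}

if [ "${GSSAPI_CHECK_LIVE:-0}" = 1 ]; then
    live_check "$@" || exit 1
    # Names agree. The client side of the flow described above: get a TGT,
    # then let ldapsearch fetch the ldap/<fqdn> service ticket and bind with
    # SASL GSSAPI (ApacheDS default LDAP port 10389 assumed).
    echo "names agree; next: kinit USER@$realm && ldapsearch -Y GSSAPI -H ldap://$fqdn:10389 -b '' -s base"
fi
```

Run it as `GSSAPI_CHECK_LIVE=1 sh gssapi-precheck.sh EXAMPLE.COM` on the directory host; every MISMATCH line is a name that would show up wrong in the KRB_AP_REQ on the wire, which is what Enrique suggests looking for with a sniffer. The reverse-lookup test is the one most often skipped: a short hostname in /etc/hosts ahead of the FQDN is enough to make the client ask the KDC for a ticket for a principal that was never exported with ktadd.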