Posted to users@directory.apache.org by carlopmart <ca...@gmail.com> on 2007/10/17 16:33:28 UTC

Using local kerberos server with ApacheDS 1.5.1

Hi all,

  Is it possible to use a local kerberos server to authenticate users using
ApacheDS as a repository of id information, like openldap does using sasl?

Many thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com

Re: Using local kerberos server with ApacheDS 1.5.1

Posted by carlopmart <ca...@gmail.com>.
Enrique Rodriguez wrote:
> On 10/20/07, carlopmart <ca...@gmail.com> wrote:
>> ...
>> Hi Enrique,
>>
>>   I will try to explain my architecture. I have a RHEL5 Server with MIT kerberos
>> shipped with redhat and ApacheDS 1.5.1 on the same server.
>> ...
> 
> This is not option #2.  We do not have doco for setting this up,
> though it is certainly possible.
> 
>>   I have exported the kerberos key using the ktadd command on the server to
>> the /etc/krb5.keytab file. Following the howto, I have configured everything except
>> from point 12 to the end.
>>
>>   When I try to do an ldapsearch, ApacheDS returns me an error that I haven't
>> authenticated and the GSSAPI protocol isn't allowed. This is my real problem: I
>> can't combine user information from ApacheDS and kerberos to authenticate
>> users like I can do under OpenLDAP+Kerberos....
>>
>>   Is it possible to do this with ApacheDS?
> 
> This is possible, but not easy to do with ApacheDS.  With OpenLDAP you
> export the LDAP server's service key to a keytab that the OpenLDAP
> server can read.  With ApacheDS, you would need to export the key from
> the KDC and then read it into a principal entry in ApacheDS.  There is
> code in kerberos-shared for reading from an MIT-formatted keytab file
> but then you would need to write a custom JNDI client routine to write
> the key material to the ApacheDS DIT.  I've done this before so I know
> it works, but I don't believe we have any such example code checked
> in.  If I get some time this coming weekend I can quickly write
> something up.
> 
> Looking forward, I'd like to address this issue by upgrading the
> Change Password protocol to use the Change Password version 2 draft
> that is currently working its way through the IETF.  Then you could
> use our Change Password client component to write keys to the DIT.
> 
>> ...
>>   And last question: the IpAddr param doesn't work, correct? I have tried to
>> assign the localhost interface to port 10389 without luck.
> 
> You should be able to change the port.  IIRC, the server.xml attribute
> is ipPort.
> 
> Enrique
> 

Many thanks Enrique.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com

Re: Using local kerberos server with ApacheDS 1.5.1

Posted by Enrique Rodriguez <en...@gmail.com>.
On 10/20/07, carlopmart <ca...@gmail.com> wrote:
> ...
> Hi Enrique,
>
>   I will try to explain my architecture. I have a RHEL5 Server with MIT kerberos
> shipped with redhat and ApacheDS 1.5.1 on the same server.
> ...

This is not option #2.  We do not have doco for setting this up,
though it is certainly possible.

>   I have exported the kerberos key using the ktadd command on the server to
> the /etc/krb5.keytab file. Following the howto, I have configured everything except
> from point 12 to the end.
>
>   When I try to do an ldapsearch, ApacheDS returns me an error that I haven't
> authenticated and the GSSAPI protocol isn't allowed. This is my real problem: I
> can't combine user information from ApacheDS and kerberos to authenticate
> users like I can do under OpenLDAP+Kerberos....
>
>   Is it possible to do this with ApacheDS?

This is possible, but not easy to do with ApacheDS.  With OpenLDAP you
export the LDAP server's service key to a keytab that the OpenLDAP
server can read.  With ApacheDS, you would need to export the key from
the KDC and then read it into a principal entry in ApacheDS.  There is
code in kerberos-shared for reading from an MIT-formatted keytab file
but then you would need to write a custom JNDI client routine to write
the key material to the ApacheDS DIT.  I've done this before so I know
it works, but I don't believe we have any such example code checked
in.  If I get some time this coming weekend I can quickly write
something up.

Looking forward, I'd like to address this issue by upgrading the
Change Password protocol to use the Change Password version 2 draft
that is currently working its way through the IETF.  Then you could
use our Change Password client component to write keys to the DIT.

> ...
>   And last question: the IpAddr param doesn't work, correct? I have tried to
> assign the localhost interface to port 10389 without luck.

You should be able to change the port.  IIRC, the server.xml attribute
is ipPort.

Enrique

Re: Using local kerberos server with ApacheDS 1.5.1

Posted by carlopmart <ca...@gmail.com>.
Enrique Rodriguez wrote:
> On 10/19/07, carlopmart <ca...@gmail.com> wrote:
>> Enrique Rodriguez wrote:
>>> On 10/17/07, carlopmart <ca...@gmail.com> wrote:
>>>> ...
>>>>   Is it possible to use a local kerberos server to authenticate users using
>>>> ApacheDS as a repository of id information, like openldap does using sasl?
>>> ...
>>> 2)  If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
>>> can combine the Kerberos provider and the LDAP SASL GSSAPI
>>> functionality using doco here:
>>>
>>> http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html
>> ...
>>   Thanks for your answers. I am referring to option 2: using ApacheDS as LDAP
>> server and on the same server where kerberos stays. And ... it doesn't work. I
>> have done all that the howto explains but ... why does apacheds need to use port 88 as
>> point 12 explains? I don't understand it because I already have a kerberos
>> server ...
> 
> With option #2, both the LDAP server and the Kerberos server are
> combined in ApacheDS.  Can you clarify that you are using Kerberos
> from ApacheDS and not MIT Kerberos nor Active Directory?
> 
> I ask because if you are using a Kerberos server external to ApacheDS
> then you need to export key material from that Kerberos server and
> import it into ApacheDS.  With just ApacheDS for both LDAP and
> Kerberos they can share the key material internal to the server, so
> nothing needs to be exported & imported.  Both MIT Kerberos and Active
> Directory have different procedures for exporting key material and I
> can point you to docs if this is what you are doing.
> 
> ApacheDS doesn't need to use port 88 for Kerberos, but if you change
> the port ApacheDS uses for Kerberos then you need to change the port
> your Kerberos client expects the Kerberos server to be running on.
> 
> With Kerberos and LDAP together in ApacheDS, the client-side still
> needs to use Kerberos to authenticate and to get a service ticket for
> the LDAP server.  Once the client has used Kerberos to get a service
> ticket, the client can then use SASL GSSAPI with LDAP to perform LDAP
> operations.
> 
> If you really are doing Option #2 with LDAP and Kerberos together in
> ApacheDS, then please double-check your hostname, name resolution, and
> reverse name resolution.  Probably the #1 issue I see in LDAP SASL
> GSSAPI setups is that the hostname of the machine, the hostname in the
> hosts file or DNS, and the hostname in the LDAP principal do not
> match.  You can see this on the wire using a sniffer.
> 
> What errors are you seeing?
> 
> Enrique
> 

Hi Enrique,

  I will try to explain my architecture. I have a RHEL5 Server with MIT kerberos 
shipped with redhat and ApacheDS 1.5.1 on the same server.

  I have exported the kerberos key using the ktadd command on the server to
the /etc/krb5.keytab file. Following the howto, I have configured everything except
from point 12 to the end.

  When I try to do an ldapsearch, ApacheDS returns me an error that I haven't
authenticated and the GSSAPI protocol isn't allowed. This is my real problem: I
can't combine user information from ApacheDS and kerberos to authenticate
users like I can do under OpenLDAP+Kerberos....

  Is it possible to do this with ApacheDS?

  And last question: the IpAddr param doesn't work, correct? I have tried to
assign the localhost interface to port 10389 without luck.



-- 
CL Martinez
carlopmart {at} gmail {d0t} com

Re: Using local kerberos server with ApacheDS 1.5.1

Posted by Enrique Rodriguez <en...@gmail.com>.
On 10/19/07, carlopmart <ca...@gmail.com> wrote:
> Enrique Rodriguez wrote:
> > On 10/17/07, carlopmart <ca...@gmail.com> wrote:
> >> ...
> >>   Is it possible to use a local kerberos server to authenticate users using
> >> ApacheDS as a repository of id information, like openldap does using sasl?
> > ...
> > 2)  If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
> > can combine the Kerberos provider and the LDAP SASL GSSAPI
> > functionality using doco here:
> >
> > http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html
> ...
>   Thanks for your answers. I am referring to option 2: using ApacheDS as LDAP
> server and on the same server where kerberos stays. And ... it doesn't work. I
> have done all that the howto explains but ... why does apacheds need to use port 88 as
> point 12 explains? I don't understand it because I already have a kerberos
> server ...

With option #2, both the LDAP server and the Kerberos server are
combined in ApacheDS.  Can you clarify that you are using Kerberos
from ApacheDS and not MIT Kerberos nor Active Directory?

I ask because if you are using a Kerberos server external to ApacheDS
then you need to export key material from that Kerberos server and
import it into ApacheDS.  With just ApacheDS for both LDAP and
Kerberos they can share the key material internal to the server, so
nothing needs to be exported & imported.  Both MIT Kerberos and Active
Directory have different procedures for exporting key material and I
can point you to docs if this is what you are doing.

ApacheDS doesn't need to use port 88 for Kerberos, but if you change
the port ApacheDS uses for Kerberos then you need to change the port
your Kerberos client expects the Kerberos server to be running on.

With Kerberos and LDAP together in ApacheDS, the client-side still
needs to use Kerberos to authenticate and to get a service ticket for
the LDAP server.  Once the client has used Kerberos to get a service
ticket, the client can then use SASL GSSAPI with LDAP to perform LDAP
operations.

If you really are doing Option #2 with LDAP and Kerberos together in
ApacheDS, then please double-check your hostname, name resolution, and
reverse name resolution.  Probably the #1 issue I see in LDAP SASL
GSSAPI setups is that the hostname of the machine, the hostname in the
hosts file or DNS, and the hostname in the LDAP principal do not
match.  You can see this on the wire using a sniffer.

What errors are you seeing?

Enrique

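The reply above names mismatched hostnames (machine hostname, hosts/DNS entry, host in the LDAP principal) as the most common cause of failed SASL GSSAPI binds. As an added example that is not part of the thread, this Python check compares a service principal such as ldap/host@REALM against the resolver's forward and reverse view; the function names and the sample hosts and addresses are hypothetical, and only check_live touches the real resolver.

```python
import socket

def _norm(name: str) -> str:
    """Case-fold and drop a trailing dot so DNS and principal spellings compare equal."""
    return name.lower().rstrip(".")

def principal_host(principal: str) -> str:
    """Host component of a service principal such as ldap/ds.example.com@EXAMPLE.COM."""
    name = principal.split("@", 1)[0]
    parts = name.split("/")
    if len(parts) != 2 or not parts[1]:
        raise ValueError("expected service/host@REALM, got %r" % principal)
    return _norm(parts[1])

def check_gssapi_names(principal, machine_fqdn, machine_ip, host_ip, reverse_name):
    """Return a list of mismatches between the principal's host and the resolver's view.
    An empty list means the names the reply lists all agree."""
    host = principal_host(principal)
    problems = []
    if _norm(machine_fqdn) != host:
        problems.append("machine FQDN %s != principal host %s" % (machine_fqdn, host))
    if machine_ip != host_ip:
        problems.append("principal host resolves to %s but the machine address is %s"
                        % (host_ip, machine_ip))
    if _norm(reverse_name) != host:
        problems.append("reverse lookup of %s gives %s, expected %s"
                        % (host_ip, reverse_name, host))
    return problems

def check_live(principal, machine_ip):
    """Resolve through the local resolver (DNS or /etc/hosts) and run the check."""
    host = principal_host(principal)
    host_ip = socket.gethostbyname(host)
    reverse_name = socket.gethostbyaddr(host_ip)[0]
    return check_gssapi_names(principal, socket.getfqdn(), machine_ip, host_ip, reverse_name)
```

A principal host that reverse-resolves to localhost.localdomain is the classic symptom of a hosts-file entry placing the FQDN on the 127.0.0.1 line.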
Re: Using local kerberos server with ApacheDS 1.5.1

Posted by carlopmart <ca...@gmail.com>.
Enrique Rodriguez wrote:
> On 10/17/07, carlopmart <ca...@gmail.com> wrote:
>> Hi all,
>>
>>   Is it possible to use a local kerberos server to authenticate users using
>> ApacheDS as a repository of id information, like openldap does using sasl?
> 
> Hi,
> 
> I'm not sure what the exact topology is that you're asking about.
> But, in any case, I think the answer is "yes."
> 
> 1)  If you want to use ApacheDS' Kerberos provider, there is doco
> under the INTEROP guide here.  See "Using ApacheDS providing Kerberos
> Authentication ..." under:
> 
> http://cwiki.apache.org/DIRxINTEROP/
> 
> 2)  If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
> can combine the Kerberos provider and the LDAP SASL GSSAPI
> functionality using doco here:
> 
> http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html
> 
> 3)  If you want to use ApacheDS as the Kerberos server but with
> OpenLDAP's SASL GSSAPI support, you can start with the doco here:
> 
> http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html
> 
> There are a number of other modes I've gotten things working in, like
> MIT Kerberos backed by LDAP or using Linux with PAM Kerberos or PAM
> LDAP.  I may be able to point you in the right direction if the above
> links weren't what you were looking for.
> 
> Enrique
> 

Hi Enrique,

  Thanks for your answers. I am referring to option 2: using ApacheDS as LDAP
server and on the same server where kerberos stays. And ... it doesn't work. I
have done all that the howto explains but ... why does apacheds need to use port 88 as
point 12 explains? I don't understand it because I already have a kerberos
server ...



-- 
CL Martinez
carlopmart {at} gmail {d0t} com

Re: Using local kerberos server with ApacheDS 1.5.1

Posted by Enrique Rodriguez <en...@gmail.com>.
On 10/17/07, carlopmart <ca...@gmail.com> wrote:
> Hi all,
>
>   Is it possible to use a local kerberos server to authenticate users using
> ApacheDS as a repository of id information, like openldap does using sasl?

Hi,

I'm not sure what the exact topology is that you're asking about.
But, in any case, I think the answer is "yes."

1)  If you want to use ApacheDS' Kerberos provider, there is doco
under the INTEROP guide here.  See "Using ApacheDS providing Kerberos
Authentication ..." under:

http://cwiki.apache.org/DIRxINTEROP/

2)  If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
can combine the Kerberos provider and the LDAP SASL GSSAPI
functionality using doco here:

http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html

3)  If you want to use ApacheDS as the Kerberos server but with
OpenLDAP's SASL GSSAPI support, you can start with the doco here:

http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html

There are a number of other modes I've gotten things working in, like
MIT Kerberos backed by LDAP or using Linux with PAM Kerberos or PAM
LDAP.  I may be able to point you in the right direction if the above
links weren't what you were looking for.

Enrique