Posted to dev@directory.apache.org by Enrique Rodriguez <en...@gmail.com> on 2007/07/02 10:14:27 UTC

Re: ApacheDS and and AD

(Redirecting to ApacheDS dev list.)

On 6/30/07, azahur@yahoo.com <az...@yahoo.com> wrote:
> Hi Enrique,
> I have a strange problem. I want to use ApacheDS and AD at the same time in my organization, but I want the LDAP data store to be that of AD, meaning that all the users reside in AD, ApacheDS looks up the users in the AD data store, and then the Apache KDC issues TGTs accordingly. The Apache realm and the AD realm are both configured for cross-realm authentication.
> Is it possible? Has anyone tried doing it?
> And I am currently supporting only Windows clients.
>
> Thanks
> Khan

Hi, Khan,

To use an LDAP store other than ApacheDS, you would need to implement
a different backend.  The relevant interface for the Kerberos protocol
is PrincipalStore.  You can look at the class JndiPrincipalStoreImpl
for an implementation of PrincipalStore that uses ApacheDS'
CoreContextFactory, which is our own internal JNDI initial context
factory.

You could provide your own implementation that, instead of using
CoreContextFactory, uses the Sun JNDI provider against any LDAP
backend.  In fact, this is how the Kerberos protocol was originally
written, with the backend as OpenLDAP before it was granted to the ASF
and combined into ApacheDS.

You can look here at the relevant classes:

http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/store/

I'm not sure why having cross-realm authentication matters, since it
sounds like all principals would be in one place, namely the AD DIT.

Enrique
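The lookup half of what Enrique describes, as an added example that is not part of this thread and not ApacheDS code: a small Java class that uses the Sun JNDI LDAP provider (com.sun.jndi.ldap.LdapCtxFactory) to find a principal's entry in an external directory such as AD. The class name JndiPrincipalLookup, the host, base DN and service account in main(), and the mapping of a Kerberos principal name onto the userPrincipalName attribute are all assumptions for illustration; how the returned attributes are wrapped into whatever PrincipalStore expects is left out, since that interface is not shown here.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example, not ApacheDS code: looks a Kerberos principal up in an
 * external LDAP directory (e.g. AD) through the standard Sun JNDI LDAP
 * provider instead of ApacheDS' CoreContextFactory.
 */
public class JndiPrincipalLookup {

    private final String url;          // e.g. "ldaps://dc1.example.com:636" (assumed)
    private final String bindDn;       // service account allowed to read user entries (assumed)
    private final String bindPassword;
    private final String searchBase;   // e.g. "DC=example,DC=com" (assumed)

    public JndiPrincipalLookup(String url, String bindDn, String bindPassword, String searchBase) {
        this.url = url;
        this.bindDn = bindDn;
        this.bindPassword = bindPassword;
        this.searchBase = searchBase;
    }

    /** Opens a bound connection using the Sun JNDI LDAP provider. */
    private DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    /**
     * Returns the attributes of the single user entry whose userPrincipalName
     * equals the given Kerberos principal name (assumed mapping), or null if
     * there is none.  Fails if the name is not unique.
     */
    public Attributes lookup(String principalName) throws NamingException {
        DirContext ctx = connect();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {
                "distinguishedName", "sAMAccountName", "userPrincipalName", "userAccountControl" });

            // The {0} placeholder makes JNDI escape the value per RFC 4515.
            // Concatenating principalName into the filter string instead would
            // let a crafted name (e.g. "*)(objectClass=*") change the query.
            String filter = "(&(objectClass=user)(userPrincipalName={0}))";
            NamingEnumeration<SearchResult> results =
                ctx.search(searchBase, filter, new Object[] { principalName }, sc);
            try {
                if (!results.hasMore()) {
                    return null;
                }
                SearchResult first = results.next();
                if (results.hasMore()) {
                    throw new NamingException("principal name is not unique: " + principalName);
                }
                return first.getAttributes();
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** Usage: java JndiPrincipalLookup <ldap-url> <bind-dn> <bind-password> <base-dn> <principal> */
    public static void main(String[] args) throws NamingException {
        JndiPrincipalLookup store = new JndiPrincipalLookup(args[0], args[1], args[2], args[3]);
        Attributes attrs = store.lookup(args[4]);
        System.out.println(attrs == null ? "no such principal" : attrs.toString());
    }
}
```

Bind over ldaps (or with TLS) so the service account password and the returned entries are not sent in the clear. Also note that such a lookup only retrieves the entry's readable attributes; a KDC additionally needs the principal's long-term key, which AD does not expose to an LDAP client, so a store backed by AD can supply lookups but not, by itself, the key material needed to issue tickets for those principals.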