Posted to users@directory.apache.org by wo...@gi-de.com on 2007/02/09 10:29:24 UTC

Kerberos-Authentication

Hallo,

I'm very new to ApacheDS and I'm trying to set up a demo environment for 
evaluation.
First, the ApacheDS is running and the 'SevenSeas' LDIF example was 
successfully inserted in the DS.
Now we'd like to authenticate via JAAS 
(com.sun.security.auth.module.Krb5LoginModule).
We get an exception about a missing krb5.ini in the C:/WINNT directory.
Does anyone know how the krb5.ini has to look so that we can 
authenticate with Krb5LoginModule?
Unfortunately on the ApacheDS-Homepage (directory.apache.org) the 
Kerberos-Configuration is still empty.

I feel happy about any help.

With best regards

Wolfgang

Re: Kerberos-Authentication

Posted by Alex Karasulu <ak...@apache.org>.
wolfgang.schlosser@gi-de.com wrote:
> Hallo,
> 
> I'm very new to ApacheDS and I'm trying to set up a demo environment for 
> evaluation.

Hi Wolfgang!

> First, the ApacheDS is running and the 'SevenSeas' LDIF example was 
> successfully inserted in the DS.
> Now we'd like to authenticate via JAAS 
> (com.sun.security.auth.module.Krb5LoginModule).

Ok, you'll need to make sure that Kerberos is enabled in the server. 
This is accomplished by setting various XML elements in the server.xml 
file.  For example, if you're setting up the realm EXAMPLE.COM under 
dc=example,dc=com, you'll want these additional properties in the 
properties configuration section of the server.xml:

NOTE: this also configures the changepw protocol.

     <!-- Opening tags added for well-formedness; the bean id and class
          are assumed from the ApacheDS 1.0 server.xml layout -->
     <bean id="environment"
           class="org.springframework.beans.factory.config.PropertiesFactoryBean">
       <property name="properties">
         <props>
         <!-- LDAP-side settings the KDC uses to look up principals -->
         <prop key="java.naming.security.authentication">simple</prop>
         <prop key="java.naming.security.principal">uid=admin,ou=system</prop>
         <prop key="java.naming.security.credentials">secret</prop>
         <prop key="java.naming.provider.url">dc=example,dc=com</prop>
         <!-- KDC realm, TGS principal and the encryption types it will issue -->
         <prop key="kdc.primary.realm">EXAMPLE.COM</prop>
         <prop key="kdc.principal">krbtgt/EXAMPLE.COM@EXAMPLE.COM</prop>
         <prop key="kdc.encryption.types">des-cbc-md5 des3-cbc-sha1 des3-cbc-md5 des-cbc-md4 des-cbc-crc</prop>
         <prop key="kdc.entryBaseDn">ou=users,dc=example,dc=com</prop>
         <prop key="kdc.java.naming.security.credentials">secret</prop>

         <!-- Change-password (kpasswd) service -->
         <prop key="changepw.entryBaseDn">ou=users,dc=example,dc=com</prop>
         <prop key="changepw.java.naming.security.credentials">secret</prop>
         <prop key="changepw.principal">kadmin/changepw@EXAMPLE.COM</prop>

         <!-- OPTIONAL: All times are in minutes -->
         <prop key="kdc.allowable.clockskew">5</prop>
         <prop key="kdc.tgs.maximum.ticket.lifetime">1440</prop>
         <prop key="kdc.tgs.maximum.renewable.lifetime">10080</prop>
         <prop key="kdc.pa.enc.timestamp.required">true</prop>
         <prop key="kdc.tgs.empty.addresses.allowed">true</prop>
         <prop key="kdc.tgs.forwardable.allowed">true</prop>
         <prop key="kdc.tgs.proxiable.allowed">true</prop>
         <prop key="kdc.tgs.postdate.allowed">true</prop>
         <prop key="kdc.tgs.renewable.allowed">true</prop>
         </props>
       </property>
     </bean>

> We get an exception about a missing krb5.ini in the C:/WINNT directory.
> Does anyone know how the krb5.ini has to look so that we can 
> authenticate with Krb5LoginModule?

The information you're looking for is available here, under the section 
for Windows:

   http://cwiki.apache.org/DIRxTRIPLESEC/os-kerberos-configuration.html

> Unfortunately on the ApacheDS-Homepage (directory.apache.org) the 
> Kerberos-Configuration is still empty.

Sorry for this inconvenience.  The site is under construction and we 
intend to get that shortly.

> I feel happy about any help.

Hope this helps.  Please come back to us if you have any other needs.

Alex
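The client side of what Wolfgang is trying to do, as an added example that is not from the thread or from the ApacheDS project: a small Java program that writes a constructed krb5.ini and JAAS login configuration, points the JDK at them through the java.security.krb5.conf and java.security.auth.login.config system properties, and then authenticates a user with Krb5LoginModule. The realm EXAMPLE.COM comes from the reply above; the KDC host (localhost), the ports 88 and 464, the login-entry name ApacheDsClient and the temp-file locations are assumptions. In a real deployment the krb5.ini would live where the JDK looks for it by default (the Windows directory named in the exception) and would not be generated at run time.

```java
import java.io.Console;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class ApacheDsKerberosLogin {

    // Constructed krb5 configuration (assumption: ApacheDS KDC on localhost,
    // Kerberos on port 88, change-password service on port 464).
    // allow_weak_crypto is needed only because the server.xml above offers
    // DES/3DES types, which current JDKs refuse by default.
    static final String KRB5_INI =
          "[libdefaults]\n"
        + "  default_realm = EXAMPLE.COM\n"
        + "  dns_lookup_kdc = false\n"
        + "  dns_lookup_realm = false\n"
        + "  allow_weak_crypto = true\n"
        + "\n"
        + "[realms]\n"
        + "  EXAMPLE.COM = {\n"
        + "    kdc = localhost:88\n"
        + "    kpasswd_server = localhost:464\n"
        + "  }\n"
        + "\n"
        + "[domain_realm]\n"
        + "  .example.com = EXAMPLE.COM\n"
        + "  example.com = EXAMPLE.COM\n";

    // Constructed JAAS configuration; the entry name is an assumption.
    // useTicketCache=false forces a fresh AS exchange with the KDC, which is
    // what you want when checking that the server-side setup works.
    static final String JAAS_CONF =
          "ApacheDsClient {\n"
        + "  com.sun.security.auth.module.Krb5LoginModule required\n"
        + "    useTicketCache=false\n"
        + "    refreshKrb5Config=true\n"
        + "    debug=true;\n"
        + "};\n";

    /** Writes both config files to a temp directory and wires the JDK to them. */
    static void installConfig() throws IOException {
        Path dir = Files.createTempDirectory("krb5-demo");
        Path krb5 = dir.resolve("krb5.ini");
        Path jaas = dir.resolve("jaas.conf");
        Files.write(krb5, KRB5_INI.getBytes(StandardCharsets.UTF_8));
        Files.write(jaas, JAAS_CONF.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.krb5.conf", krb5.toString());
        System.setProperty("java.security.auth.login.config", jaas.toString());
    }

    /** Authenticates user@EXAMPLE.COM against the KDC and returns the Subject. */
    static Subject login(final String user, final char[] password) throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
        LoginContext lc = new LoginContext("ApacheDsClient", handler);
        lc.login();                 // AS-REQ/AS-REP with the KDC happens here
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: java ApacheDsKerberosLogin <username>  (run from a terminal)");
            System.exit(2);
        }
        installConfig();
        char[] password = console.readPassword("Password for %s@EXAMPLE.COM: ", args[0]);
        Subject subject = login(args[0], password);
        java.util.Arrays.fill(password, '\0');   // don't keep the secret around
        System.out.println("Authenticated principals: " + subject.getPrincipals());
        System.out.println("Kerberos tickets held: " + subject.getPrivateCredentials().size());
    }
}
```

The user must exist as a Kerberos principal under kdc.entryBaseDn (ou=users,dc=example,dc=com in the configuration above); the debug=true option in the JAAS entry makes Krb5LoginModule print which krb5 file it loaded and which encryption types it negotiated, which is the quickest way to tell a "missing krb5.ini" problem from a realm or key-type mismatch. Note that the DES-family types in the server's kdc.encryption.types list are considered broken; allow_weak_crypto is set here only so that a client can talk to that demo configuration, and a production realm should offer AES types instead.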

Re: Kerberos-Authentication

Posted by Alex Karasulu <ak...@apache.org>.
One more thing, Wolfgang, which I forgot to mention.

You'll want to add the following to the server.xml as well under the 
id="configuration" element:

     <property name="enableKerberos"><value>true</value></property>
     <property name="enableChangePassword"><value>true</value></property>
     <property name="ldifFilters">
       <list>
         <bean class="org.apache.directory.server.protocol.shared.store.Krb5KdcEntryFilter"/>
       </list>
     </property>

You can add test users to be loaded on startup by specifying either an 
LDIF directory or an LDIF file to be loaded using the following property, 
again in the id="configuration" section:

     <property name="ldifDirectory">
       <value>example.ldif</value>
     </property>

Presently our configuration stinks but we'll improve this gradually with 
more feedback from our users.

Regards,
Alex