Posted to users@directory.apache.org by Keith Shu <ke...@nsys.com.my> on 2007/05/21 05:56:12 UTC

ApacheDS + Kerberos

I've been tinkering with ApacheDS 1.5.1 for the past couple of weeks.
I've had some success with the LDAP directory but I'm having problems
configuring ApacheDS to perform Kerberos authentication.

I've not found any guides or tutorials available for Kerberos configuration
on ApacheDS. I might write one if I get it to work but I'm stuck. So far
I've enabled Kerberos and inserted some principals in the LDAP directory.
I've tried testing using kinit and krb5LoginModule and I got as far as
issuing the ticket but I got an exception encoding the ticket on the server
side. (See below)

Is there a guide available for Kerberos on ApacheDS? Something step by step
would be nice. Please help!

Thanks
Keith


---

[15:44:50] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:2127 EXCEPTION
org.apache.mina.filter.codec.ProtocolEncoderException: java.lang.NullPointerException
	at org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:241)
	at org.apache.mina.common.support.AbstractIoFilterChain.callPreviousFilterWrite(AbstractIoFilterChain.java:445)
	at org.apache.mina.common.support.AbstractIoFilterChain.access$1500(AbstractIoFilterChain.java:54)
	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.filterWrite(AbstractIoFilterChain.java:824)
	at org.apache.mina.filter.executor.ExecutorFilter.filterWrite(ExecutorFilter.java:271)



Re: ApacheDS + Kerberos

Posted by Enrique Rodriguez <en...@gmail.com>.
On 5/21/07, Enrique Rodriguez <en...@gmail.com> wrote:
> ...
> We are merging, this week, 2 branches which will address a number of
> issues with Kerberos.  It would be great if you're building from trunk
> and could test again in a few days.  I'll let you know when we've done
> the merges.

Hi, Keith,

We completed merging one of the 2 branches I mentioned.  This branch
doesn't change configuration but it does fix some Kerberos issues and
I recommend trying it out.  The main purpose of this branch was to add
aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, and des3-cbc-sha1-kd
encryption type support.

One or more encryption types can be listed in the encryption types
property, whitespace-delimited, first type on the left is most
preferred.  For example, using pre-1.5.1 configuration:

<prop key="kdc.encryption.types">aes256-cts-hmac-sha1-96</prop>
... or ...
<prop key="kdc.encryption.types">aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5</prop>

AES-256 requires the installation of the "unlimited strength" policy,
available from your VM vendor.  The policy is signed by the vendor so
you can't use the same policy files on different vendors' VMs, i.e. for
Sun download Sun policy, for IBM download IBM policy.

Enrique
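An added pre-flight check for the property format Enrique describes (whitespace-delimited, leftmost type most preferred) and for the unlimited-strength policy caveat. This is example code written for this note, not ApacheDS code and not something from the thread; the surrounding `<props>` wrapper, the mapping of etype names to JCE algorithm names and key sizes, and the class name are assumptions. It parses the property, keeps the preference order, asks the running JVM how large a key each algorithm may use, and flags single-DES types as weak.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class KdcEncTypeCheck {

    // Constructed sample in the pre-1.5.1 property style quoted in the thread
    // (the <props> wrapper is an assumption; the etype names are the ones listed there).
    static final String SAMPLE_CONFIG =
        "<props>"
      + "<prop key=\"kdc.encryption.types\">aes256-cts-hmac-sha1-96\n"
      + "  aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5</prop>"
      + "</props>";

    // Assumed mapping: Kerberos etype name -> JCE cipher name and key size in bits.
    static final Map<String, String> JCE_ALG = new LinkedHashMap<>();
    static final Map<String, Integer> KEY_BITS = new LinkedHashMap<>();
    static {
        JCE_ALG.put("aes256-cts-hmac-sha1-96", "AES");    KEY_BITS.put("aes256-cts-hmac-sha1-96", 256);
        JCE_ALG.put("aes128-cts-hmac-sha1-96", "AES");    KEY_BITS.put("aes128-cts-hmac-sha1-96", 128);
        JCE_ALG.put("des3-cbc-sha1-kd",        "DESede"); KEY_BITS.put("des3-cbc-sha1-kd", 168);
        JCE_ALG.put("des-cbc-md5",             "DES");    KEY_BITS.put("des-cbc-md5", 56);
    }

    /** Read the whitespace-delimited etype list for one prop key, preserving its order. */
    static List<String> readEncryptionTypes(String xml, String key) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Configuration files should never need a DOCTYPE; refusing one blocks external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        NodeList props = doc.getElementsByTagName("prop");
        List<String> types = new ArrayList<>();
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            if (key.equals(p.getAttribute("key"))) {
                for (String t : p.getTextContent().trim().split("\\s+")) {
                    if (!t.isEmpty()) types.add(t);
                }
            }
        }
        return types;
    }

    /** Return findings about the list; an empty list means every type is known, usable and not weak. */
    static List<String> check(List<String> types) throws Exception {
        List<String> findings = new ArrayList<>();
        if (types.isEmpty()) {
            findings.add("kdc.encryption.types is empty");
            return findings;
        }
        for (int i = 0; i < types.size(); i++) {
            String t = types.get(i);
            if (!KEY_BITS.containsKey(t)) {
                findings.add("unknown etype: " + t);
                continue;
            }
            // Cipher.getMaxAllowedKeyLength reflects the installed jurisdiction policy files:
            // a restricted policy caps AES at 128 bits, so aes256 would be configured but unusable.
            int maxBits = Cipher.getMaxAllowedKeyLength(JCE_ALG.get(t));
            if (KEY_BITS.get(t) > maxBits) {
                findings.add(t + " needs " + KEY_BITS.get(t) + "-bit keys but this JVM allows only "
                    + maxBits + " bits for " + JCE_ALG.get(t)
                    + " (install the vendor's unlimited-strength policy)");
            }
            if (t.startsWith("des-")) {
                findings.add("single DES (" + t + ") at position " + i
                    + " is weak; keep it only for legacy clients and never as the preferred type");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> types = readEncryptionTypes(SAMPLE_CONFIG, "kdc.encryption.types");
        System.out.println("Preferred etype (leftmost): " + types.get(0));
        for (String f : check(types)) {
            System.out.println("WARN: " + f);
        }
    }
}
```

On a JVM with the restricted policy the aes256 entry produces the "allows only 128 bits" warning, which is the same condition that would otherwise surface only at runtime when the KDC tries to use that type.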

Re: ApacheDS + Kerberos

Posted by Enrique Rodriguez <en...@gmail.com>.
On 5/20/07, Keith Shu <ke...@nsys.com.my> wrote:
> I've been tinkering with ApacheDS 1.5.1 for the past couple of weeks.
> I've had some success with the LDAP directory but I'm having problems
> configuring ApacheDS to perform Kerberos authentication.

Hi, Keith,

Thanks for being an early adopter of ApacheDS Kerberos.  I take it
that since you are running 1.5.1 you are building from trunk?

> I've not found any guides or tutorials available for Kerberos configuration
> on ApacheDS. I might write one if I get it to work but I'm stuck. So far
> I've enabled Kerberos and inserted some principals in the LDAP directory.
> I've tried testing using kinit and krb5LoginModule and I got as far as
> issuing the ticket but I got an exception encoding the ticket on the server
> side. (See below)

We are merging, this week, 2 branches which will address a number of
issues with Kerberos.  It would be great if you're building from trunk
and could test again in a few days.  I'll let you know when we've done
the merges.

Per your error, I suspect you may not have any keys for your user
principals, which can currently only be added using the LDIF loader at
startup or by LDAP if you really know what you're doing.  One of the
branches makes principal key generation a lot easier.  A
NullPointerException is bad in any case, so any details you can
provide about your setup would be appreciated.  In particular I'm
curious about platform, krb5.conf (if any), and whether you are using
UDP or TCP.

> Is there a guide available for Kerberos on ApacheDS? Something step by step
> would be nice. Please help!

Between the 2 branches, configuration has changed and how you create
principal keys is totally new.  Sorry for the delay but we are in the
middle of addressing many issues.  Once the branches are in, we can
revisit doco.  For now, there is forward-looking documentation for the
Kerberos protocol at:

http://cwiki.apache.org/confluence/display/DIRxSRVx10/Kerberos+Protocol+Configuration

"Before" refers to pre-1.5.1 while "After" is beta doco for 1.5.1.

Also, there is a ton of uploaded notes in a raw form at:

http://cwiki.apache.org/confluence/display/DIRxINTEROP/Index

The intent is once these branches are in and how you configure
ApacheDS Kerberos has stabilized, we can update the raw doco.

HTH,

Enrique