On 4/23/07, CORUM, M E [AG/1000] <[EMAIL PROTECTED]> wrote:
...
I now have 1.5 working with some basic (very basic) Kerberos stuff.  I'm
able from a JUnit test to log on and verify that a different
account/user is valid.  Before I go on to explain my next issue, I
should explain what I'm trying to accomplish.

I'm happy to see you're progressing.  I know the config is a bit
convoluted but we have a better story in the works which will
hopefully coincide with doco that isn't "hidden."

... we'd like to set up a test environment on our
local machines that simulates AD as closely as possible for the purpose
of this client code we are writing.

I would like to work closely with you to make Apache Directory
"simulate AD as closely as possible" for purposes of "testing." ;)

All kidding aside, this is interesting work, but I really need to
focus on the "Realm Control Initiatives," since they are prerequisites
for an actually useful Kerberos server.

http://cwiki.apache.org/confluence/display/DIRxSBOX/Realm+Control+Initiatives

My next step after verifying accounts (which I can do now) against
ApacheDS is to verify the SPNs.  In Active Directory, an SPN is a
"servicePrincipalName" attribute that can have a list of values
(aliases) for the service that the account represents.  When I try to
add a "servicePrincipalName" to a user in my kerberos.ldif file (for
loading on startup), the startup fails to load the ldif file with the
following error:
...

Yeah, this is classic LDAP here.  Instead of adding attributes to the
schema we use for Kerberos it makes more sense to create a new schema
and put the 200 or so AD attributes in there.

Can anybody help with adding an attribute to the schema or set of
schemas that ApacheDS uses?

Numerous people here should be able to help with schema setup and
probably there's some doco (I work off unit tests).  The issue closer
to home for me is getting the Kerberos protocol provider to work with
SPNs since this requires a new store implementation against a
different schema than the one we're using.  But, it's straightforward
JNDI programming.  Stores aren't pluggable now but we have techniques
for that.

Enrique

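Added example, not from this thread or from the ApacheDS project: one way to make the "unknown attribute" failure above go away by defining servicePrincipalName in a separate schema rather than touching the Kerberos schema, and then using it on a principal entry. It assumes the ApacheDS 1.5 schema-partition layout (metaSchema, metaAttributeType and metaObjectClass entries under ou=schema); the schema name "ad", the auxiliary objectClass "adServicePrincipal" and its OID arc are placeholders to replace with your own. The attribute OID is the one Active Directory publishes for servicePrincipalName, but check it against a schema dump of your own forest before reusing it, and adjust the Kerberos objectClasses on the user entry to whatever your kerberos.ldif already loads.

```ldif
# --- 1. A separate schema to hold the AD-specific definitions ---
# Placeholder schema name "ad" (assumption); depends on "system" and "core"
# so that the syntaxes and matching rules referenced below resolve.
dn: cn=ad,ou=schema
objectClass: top
objectClass: metaSchema
cn: ad
m-dependencies: system
m-dependencies: core

dn: ou=attributeTypes,cn=ad,ou=schema
objectClass: top
objectClass: organizationalUnit
ou: attributeTypes

dn: ou=objectClasses,cn=ad,ou=schema
objectClass: top
objectClass: organizationalUnit
ou: objectClasses

# --- 2. servicePrincipalName as a multi-valued, case-insensitive string ---
# OID 1.2.840.113556.1.4.771 is the one AD uses for this attribute
# (verify against your own AD schema before relying on it).
# m-syntax is Directory String; no SINGLE-VALUE flag, so a principal
# can carry several SPN aliases exactly as AD allows.
dn: m-oid=1.2.840.113556.1.4.771,ou=attributeTypes,cn=ad,ou=schema
objectClass: top
objectClass: metaTop
objectClass: metaAttributeType
m-oid: 1.2.840.113556.1.4.771
m-name: servicePrincipalName
m-description: List of service principal names (aliases) for an account
m-equality: caseIgnoreMatch
m-substr: caseIgnoreSubstringsMatch
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-length: 0

# --- 3. An AUXILIARY objectClass that permits the attribute ---
# Placeholder OID arc 1.3.6.1.4.1.99999 and class name (assumptions);
# use an arc you actually own. AUXILIARY lets it be mixed into any
# structural entry (person, inetOrgPerson, ...) without a new hierarchy.
dn: m-oid=1.3.6.1.4.1.99999.1.1,ou=objectClasses,cn=ad,ou=schema
objectClass: top
objectClass: metaTop
objectClass: metaObjectClass
m-oid: 1.3.6.1.4.1.99999.1.1
m-name: adServicePrincipal
m-description: Entries that expose AD-style servicePrincipalName values
m-typeObjectClass: AUXILIARY
m-supObjectClass: top
m-may: servicePrincipalName

# --- 4. A service account carrying two SPN aliases ---
# The krb5Principal / krb5KDCEntry classes and their required attributes
# follow the ApacheDS krb5kdc schema (assumption: that is what the
# existing kerberos.ldif on this list uses); the password is a test value.
dn: uid=http-svc,ou=users,ou=system
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: adServicePrincipal
uid: http-svc
cn: HTTP service account
sn: Service
userPassword: test-only-secret
krb5PrincipalName: HTTP/web01.example.com@EXAMPLE.COM
krb5KeyVersionNumber: 0
servicePrincipalName: HTTP/web01.example.com
servicePrincipalName: HTTP/web01
```

The ordering matters: the schema entries must be loaded (or the partition must already contain them) before the user entry, otherwise the loader rejects servicePrincipalName just as the original error did. Once loaded, the SPN check described earlier reduces to an LDAP search such as (servicePrincipalName=HTTP/web01.example.com), which caseIgnoreMatch makes insensitive to the host-name case that AD also ignores.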