On 10/19/07, carlopmart <[EMAIL PROTECTED]> wrote:
> Enrique Rodriguez wrote:
> > On 10/17/07, carlopmart <[EMAIL PROTECTED]> wrote:
> >> ...
> >> Is it possible to use a local kerberos server to authenticate users using
> >> ApacheDS as a repository id information like openldap does using sasl??
> > ...
> > 2) If you want to use ApacheDS in a combined LDAP+Kerberos mode, you
> > can combine the Kerberos provider and the LDAP SASL GSSAPI
> > functionality using doco here:
> >
> > http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html
> ...
> Thanks for your answers. I am referring to option 2: using ApacheDS as LDAP
> server and on the same server where kerberos stays. And ... it doesn't work. I
> have done all the howto explains but ... why does apacheds need to use port 88
> like point 12 explains?? I don't understand it because I already have a kerberos
> server ...
With option #2, both the LDAP server and the Kerberos server are combined in ApacheDS. Can you clarify that you are using Kerberos from ApacheDS and not MIT Kerberos nor Active Directory? I ask because if you are using a Kerberos server external to ApacheDS then you need to export key material from that Kerberos server and import it into ApacheDS. With just ApacheDS for both LDAP and Kerberos they can share the key material internal to the server, so nothing needs to be exported & imported. Both MIT Kerberos and Active Directory have different procedures for exporting key material and I can point you to docs if this is what you are doing.

ApacheDS doesn't need to use port 88 for Kerberos, but if you change the port ApacheDS uses for Kerberos then you need to change the port your Kerberos client expects the Kerberos server to be running on.

With Kerberos and LDAP together in ApacheDS, the client-side still needs to use Kerberos to authenticate and to get a service ticket for the LDAP server. Once the client has used Kerberos to get a service ticket, the client can then use SASL GSSAPI with LDAP to perform LDAP operations.

If you really are doing Option #2 with LDAP and Kerberos together in ApacheDS, then please double-check your hostname, name resolution, and reverse name resolution. Probably the #1 issue I see in LDAP SASL GSSAPI setups is that the hostname of the machine, the hostname in the hosts file or DNS, and the hostname in the LDAP principal do not match. You can see this on the wire using a sniffer.

What errors are you seeing?

Enrique

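The name-resolution check Enrique recommends, written out as an added example (this is not code from the thread or from the ApacheDS project). It assumes the common GSSAPI client behaviour of canonicalizing the server name through forward then reverse DNS before building the `ldap/<fqdn>@REALM` service principal; the resolution tables, hostnames, addresses and realm below are constructed samples, and `check_gssapi_naming` is a hypothetical helper name.

```python
import socket

# Constructed stand-ins for the hosts file / DNS; 192.0.2.0/24 is documentation space.
FORWARD = {"ldap.example.com": "192.0.2.10", "ldap": "192.0.2.10"}
REVERSE = {"192.0.2.10": "ldap.example.com"}


def resolve_forward(name, table=FORWARD):
    """Forward lookup against the constructed table (None if unknown)."""
    return table.get(name.lower())


def resolve_reverse(ip, table=REVERSE):
    """Reverse lookup against the constructed table (None if unknown)."""
    return table.get(ip)


def live_forward(name):
    """Forward lookup against the real resolver; used only when run as a script."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip):
    """Reverse lookup against the real resolver; used only when run as a script."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def expected_ldap_principal(fqdn, realm):
    """Service principal a GSSAPI client will ask the KDC for after canonicalization."""
    return f"ldap/{fqdn.lower()}@{realm.upper()}"


def check_gssapi_naming(hostname, ldap_principal, realm,
                        forward=resolve_forward, reverse=resolve_reverse):
    """Return a list of mismatches between machine hostname, DNS/hosts and the
    principal stored in the directory. An empty list means the names line up."""
    findings = []
    ip = forward(hostname)
    if ip is None:
        findings.append(f"forward lookup failed for {hostname}")
        return findings
    canonical = reverse(ip)
    if canonical is None:
        findings.append(f"reverse lookup failed for {ip}")
        return findings
    if canonical.lower() != hostname.lower():
        # The client will canonicalize to the PTR name, not the name you typed.
        findings.append(f"hostname {hostname} resolves to {ip}, "
                        f"but its reverse record is {canonical}")
    want = expected_ldap_principal(canonical, realm)
    if ldap_principal != want:
        findings.append(f"LDAP principal {ldap_principal} does not match "
                        f"the principal the client will request, {want}")
    return findings


if __name__ == "__main__":
    # Against the real resolver: compare this machine's own name with the
    # principal you configured (placeholder realm; replace with yours).
    me = socket.getfqdn()
    problems = check_gssapi_naming(me, f"ldap/{me}@EXAMPLE.COM", "EXAMPLE.COM",
                                   forward=live_forward, reverse=live_reverse)
    print("\n".join(problems) if problems else "hostname, DNS and principal agree")
```

Run with the constructed tables, a short name like `ldap` produces two findings (the reverse record disagrees with the typed name, and the principal the client will request is `ldap/ldap.example.com@EXAMPLE.COM`), which is exactly the mismatch that shows up on the wire as the client asking the KDC for a service principal the directory does not hold.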