On 10/20/07, carlopmart <[EMAIL PROTECTED]> wrote:
> ...
> Hi Enrique,
>
> I will try to explain my architecture. I have a RHEL5 Server with MIT kerberos
> shipped with redhat and ApacheDS 1.5.1 on the same server.
> ...

This is not option #2. We do not have doco for setting this up, though it is certainly possible.

> I have exported kerberos key using ktadd command on the server to
> /etc/krb5.keytab file. Following howto, I have configured all except from point
> 12 to end.
>
> When I try to do a ldapsearch, ApacheDS returns me an error that I don't have
> authenticate and GSSAPI protocol it isn't allowed. This is my real problem: I
> can't combine users information using ApacheDS and kerberos to authenticate
> users like under OpenLDAP+Kerberos can I do it....
>
> Is it possible to do this with ApacheDS??

This is possible, but not easy to do with ApacheDS. With OpenLDAP you export the LDAP server's service key to a keytab that the OpenLDAP server can read. With ApacheDS, you would need to export the key from the KDC and then read it into a principal entry in ApacheDS. There is code in kerberos-shared for reading from an MIT-formatted keytab file, but then you would need to write a custom JNDI client routine to write the key material to the ApacheDS DIT. I've done this before so I know it works, but I don't believe we have any such example code checked in. If I get some time this coming weekend I can quickly write something up.

Looking forward, I'd like to address this issue by upgrading the Change Password protocol to use the Change Password version 2 draft that is currently working its way through the IETF. Then you could use our Change Password client component to write keys to the DIT.

> ...
> And last question: IpAddr param doesn't work, correct?? I have tried to
> assign localhost interface to port 10389 without luck.

You should be able to change the port. IIRC, the server.xml attribute is ipPort.

Enrique
