Enrique Rodriguez wrote:
On 10/20/07, carlopmart <[EMAIL PROTECTED]> wrote:
...
Hi Enrique,
I will try to explain my architecture. I have a RHEL5 server with the MIT Kerberos
shipped with Red Hat and ApacheDS 1.5.1 on the same server.
...
This is not option #2. We do not have doco for setting this up,
though it is certainly possible.
I have exported the Kerberos key using the ktadd command on the server to the
/etc/krb5.keytab file. Following the howto, I have configured everything except from point
12 to the end.
When I try to do an ldapsearch, ApacheDS returns me an error that I am not
authenticated and the GSSAPI protocol isn't allowed. This is my real problem: I
can't combine user information in ApacheDS with Kerberos to authenticate
users as I can do under OpenLDAP+Kerberos...
Is it possible to do this with ApacheDS?
This is possible, but not easy to do with ApacheDS. With OpenLDAP you
export the LDAP server's service key to a keytab that the OpenLDAP
server can read. With ApacheDS, you would need to export the key from
the KDC and then read it into a principal entry in ApacheDS. There is
code in kerberos-shared for reading from an MIT-formatted keytab file
but then you would need to write a custom JNDI client routine to write
the key material to the ApacheDS DIT. I've done this before so I know
it works, but I don't believe we have any such example code checked
in. If I get some time this coming weekend I can quickly write
something up.
Looking forward, I'd like to address this issue by upgrading the
Change Password protocol to use the Change Password version 2 draft
that is currently working its way through the IETF. Then you could
use our Change Password client component to write keys to the DIT.
...
And a last question: the IpAddr param doesn't work, correct? I have tried to
assign the localhost interface to port 10389 without luck.
You should be able to change the port. IIRC, the server.xml attribute
is ipPort.
Enrique
Many thanks Enrique.
--
CL Martinez
carlopmart {at} gmail {d0t} com
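The keytab-reading step Enrique describes (reading the service key that ktadd wrote out of an MIT-formatted keytab before it can be written to a principal entry), as an added example that is not part of this thread and not ApacheDS's kerberos-shared code: a parser for the version-2 MIT keytab layout, with a constructed sample keytab so it runs offline. The principal, realm, kvno and key bytes in the sample are assumed values; the 0x0502 magic, the signed entry size (negative for deleted slots), counted strings and the optional trailing 32-bit kvno are the MIT format.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2; all integers big-endian

def _counted(buf, pos):
    # uint16 length-prefixed octet string
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    # Returns one dict per live entry: principal, name_type, timestamp, kvno, enctype, key.
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot: skip its bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):             # v2 does not count the realm as a component
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:                 # optional 32-bit kvno appended by newer kadmin
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key})
    return entries

def encode_entry(components, realm, name_type, timestamp, kvno, enctype, key):
    # Inverse of the parser; used here only to construct the sample keytab below.
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a 3-byte deleted slot, then one aes256-cts (enctype 18) key for the LDAP service.
SAMPLE_KEYTAB = (KEYTAB_MAGIC + struct.pack(">i", -3) + b"\0\0\0"
                 + encode_entry(["ldap", "ds.example.com"], "EXAMPLE.COM", 1, 1192838400, 3, 18, bytes(32)))
```

Before importing into the DIT, list only principal, kvno and enctype of each entry to confirm the keytab holds the service principal you expect; the key bytes never need to be displayed.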