Hello,
I am currently testing our Kerberos support in the WildFly application
server. The latest versions of Java 8 and 11 have added support for
RFC-6806, so I am just looking to see if it is possible to use ApacheDS to
test out some scenarios.

Presently I have two realms up and running using ApacheDS Studio, my users
are in the ELYTRON.ORG realm and my services are in the LADYBIRD.ELYTRON.ORG
realm.  This part is all working, I can use kinit for the user to obtain a
ticket from the ELYTRON.ORG realm and subsequently due to the hierarchy in
the name the service ticket is obtained from LADYBIRD.ELYTRON.ORG.

The next part I am trying to reproduce is a user sending an AS-REQ to the
ELYTRON.ORG KDC with the "canonicalize" option set and receive a
KDC_ERR_WRONG_REALM error referring to the LADYBIRD.ELYTRON.ORG.

Really the sequence described in section 7 "Client referrals" of RFC-6806:
  https://tools.ietf.org/html/rfc6806#page-9

Is there a way to define an entry in ApacheDS for the user that will result
in this referral or some other way to enable the ELYTRON.ORG realm to refer
the AS-REQ to LADYBIRD.ELYTRON.ORG?

Thanks for any help.

Regards,
Darran Lofthouse.
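
Added example, not part of the original message and not WildFly or ApacheDS code: a toy Python model of the client-referral exchange the message describes (AS-REQ with "canonicalize" set, KDC_ERR_WRONG_REALM naming the next realm, retry there), with the client refusing loops and long chains. The `ToyKdc` class, the `testuser` principal, the dict message layout and the `MAX_HOPS` cap are assumptions made for illustration.

```python
# Toy model of the RFC 6806 section 7 client-referral exchange. Not real
# Kerberos: messages are dicts, no ASN.1, no crypto, no network.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_WRONG_REALM = 68        # RFC 4120 error code used for referrals
MAX_HOPS = 5                    # assumption: client-side cap on referrals

class ToyKdc:
    def __init__(self, realm, principals, client_referrals=None):
        self.realm = realm
        self.principals = set(principals)               # clients homed here
        self.client_referrals = client_referrals or {}  # cname -> realm

    def as_req(self, req):
        cname = req["cname"]
        if cname in self.principals:
            return {"msg": "AS-REP", "crealm": self.realm, "cname": cname}
        # A referral is only sent when the client asked for canonicalization.
        if req["canonicalize"] and cname in self.client_referrals:
            return {"msg": "KRB-ERROR", "error-code": KDC_ERR_WRONG_REALM,
                    "crealm": self.client_referrals[cname], "cname": cname}
        return {"msg": "KRB-ERROR", "error-code": KDC_ERR_C_PRINCIPAL_UNKNOWN}

def authenticate(kdcs, start_realm, cname, canonicalize=True):
    """Follow client referrals; return (AS-REP or final error, realms visited)."""
    realm, visited = start_realm, []
    while True:
        visited.append(realm)
        rep = kdcs[realm].as_req({"msg": "AS-REQ", "realm": realm,
                                  "cname": cname, "canonicalize": canonicalize})
        if rep["msg"] == "AS-REP" or rep["error-code"] != KDC_ERR_WRONG_REALM:
            return rep, visited
        nxt = rep["crealm"]
        # The KRB-ERROR is unauthenticated, so refuse loops, unknown realms
        # and long chains rather than trusting the referral blindly.
        if nxt in visited or nxt not in kdcs or len(visited) >= MAX_HOPS:
            raise RuntimeError(f"refusing referral {realm} -> {nxt}")
        realm = nxt

# Constructed sample data using the two realms from the message above.
KDCS = {
    "ELYTRON.ORG": ToyKdc("ELYTRON.ORG", [],
                          {"testuser": "LADYBIRD.ELYTRON.ORG"}),
    "LADYBIRD.ELYTRON.ORG": ToyKdc("LADYBIRD.ELYTRON.ORG", ["testuser"]),
}

if __name__ == "__main__":
    print(authenticate(KDCS, "ELYTRON.ORG", "testuser"))
    print(authenticate(KDCS, "ELYTRON.ORG", "testuser", canonicalize=False))
```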
