Tuesday, February 21, 2012

KDC server using ApacheDS 1.5.7

There is a nice write-up in which the author describes how to run a KDC server using ApacheDS [1].
The problem is that with a recent version of ApacheDS the step-by-step guide no longer works, so here are the fixes.

  1. On machines with a dual IPv4/IPv6 stack, be aware that localhost occasionally resolves to ::1, the IPv6 loopback address. I have therefore used localhost4 to be on the safe side (localhost4 is the IPv4-only loopback name that Fedora and RHEL ship in /etc/hosts; on other systems add a "127.0.0.1 localhost4" line yourself).
  2. Change the server.xml of ApacheDS to add the paEncTimestampRequired="false" attribute to the kdcServer node. Be aware that this switches off Kerberos pre-authentication: the KDC will then hand out an AS-REP encrypted under the principal's long-term key to anyone who asks for it, which permits offline password guessing, so treat it as a lab-only setting.
    <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com" paEncTimestampRequired="false">
          <tcpTransport port="60088" nbThreads="4" backLog="50"/>
          <udpTransport port="60088" nbThreads="4" backLog="50"/>
          <!-- remaining children of kdcServer unchanged -->
    </kdcServer>

  3. The LDIF data should be modified to use localhost4 as the host part of the service principal (it has to match the name the client resolves, see step 1).
    The last entry will then look like this:
    dn: uid=ldap,ou=Users,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: krb5principal
    objectClass: krb5kdcentry
    cn: LDAP
    sn: Service
    uid: ldap
    userPassword: randall
    krb5PrincipalName: ldap/localhost4@EXAMPLE.COM
    krb5KeyVersionNumber: 0
  4. Your /etc/krb5.conf file can look like this (the port must be given because 60088 is not the default Kerberos port 88):
        [libdefaults]
            default_realm = EXAMPLE.COM

        [realms]
            EXAMPLE.COM = {
                    kdc = localhost:60088
            }

        [domain_realm]
            .example.com = EXAMPLE.COM
            example.com = EXAMPLE.COM
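Pulling steps 1 to 4 together, here is a small Python helper (an added example for this page, not code from the original post or from ApacheDS) that reports whether localhost can resolve to IPv6, patches the kdcServer start tag in server.xml, renders LDIF entries with the objectClasses used above and renders the krb5.conf from step 4. Realm, base DN, port and the ldap and hnelson principals come from the post; the function names, the cn/sn given to hnelson and the script name are assumptions.

```python
"""Produce the artefacts the ApacheDS 1.5.7 KDC steps above edit by hand.

Added example, not code from the post or from ApacheDS.  Realm, base DN,
port and the ldap/hnelson principals come from the post; function names,
hnelson's cn/sn and the script usage are assumptions.
"""
import base64
import re
import socket
import sys

REALM = "EXAMPLE.COM"
BASE_DN = "ou=Users,dc=example,dc=com"
KDC_PORT = 60088


def resolves_to_ipv6(host="localhost"):
    """True if host can resolve to an IPv6 address (the ::1 surprise of step 1)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    return any(info[0] == socket.AF_INET6 for info in infos)


def disable_preauth(server_xml):
    """Set paEncTimestampRequired="false" on the <kdcServer> start tag only;
    the rest of the (Spring, namespaced) file is left byte for byte.
    SECURITY: without pre-authentication the KDC answers any AS-REQ with a
    reply encrypted under the principal's long-term key, handing out
    material for offline password guessing.  Lab use only."""
    match = re.search(r"<kdcServer\b[^>]*>", server_xml)  # assumes no '>' inside attribute values
    if match is None:
        raise ValueError("no <kdcServer> element found in server.xml")
    tag = re.sub(r'\s+paEncTimestampRequired="[^"]*"', "", match.group(0))
    tag = '<kdcServer paEncTimestampRequired="false"' + tag[len("<kdcServer"):]
    return server_xml[:match.start()] + tag + server_xml[match.end():]


def ldif_line(attr, value):
    """One LDIF attribute line; base64 ("::") when the value is not an
    RFC 2849 SAFE-STRING (non-ASCII, CR/LF/NUL, or leading space/colon/<)."""
    safe = (value.isascii() and not any(c in value for c in "\r\n\0")
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def principal_entry(uid, cn, sn, password, host=None, realm=REALM):
    """LDIF entry for a user principal (host=None) or a service principal.
    ApacheDS derives the Kerberos keys from userPassword, so the secret is
    in clear text here: load the file over a trusted channel and delete it."""
    principal = f"{uid}/{host}@{realm}" if host else f"{uid}@{realm}"
    lines = [
        f"dn: uid={uid},{BASE_DN}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: inetOrgPerson",
        "objectClass: krb5principal",
        "objectClass: krb5kdcentry",
        ldif_line("cn", cn),
        ldif_line("sn", sn),
        ldif_line("uid", uid),
        ldif_line("userPassword", password),
        ldif_line("krb5PrincipalName", principal),
        "krb5KeyVersionNumber: 0",
    ]
    return "\n".join(lines) + "\n"


def krb5_conf(kdc_host="localhost", kdc_port=KDC_PORT, realm=REALM):
    """Minimal krb5.conf of step 4; the port is needed because 60088 is not 88."""
    domain = realm.lower()
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {kdc_host}:{kdc_port}\n"
        "    }\n\n"
        "[domain_realm]\n"
        f"    .{domain} = {realm}\n"
        f"    {domain} = {realm}\n"
    )


def main(argv):
    """Usage (assumed script name): python kdc_lab.py [path/to/server.xml]"""
    if resolves_to_ipv6("localhost"):
        print("# localhost can resolve to ::1 here; use localhost4 as in step 1")
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as f:
            print(disable_preauth(f.read()))
    # hnelson's cn/sn are assumed; the post only shows the principal and password
    print(principal_entry("hnelson", "Horatio Nelson", "Nelson", "secret"))
    print(principal_entry("ldap", "LDAP", "Service", "randall", host="localhost4"))
    print(krb5_conf())


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to server.xml to get the patched file on stdout, import the printed LDIF into the server as the original guide does, and copy the krb5.conf into place. The patch touches only the kdcServer start tag on purpose: rewriting the whole Spring file with an XML library would reshuffle its namespace prefixes.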

So, give it a try, first kinit and then klist:
kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM: secret

klist

Ticket cache: FILE:/tmp/krb5cc_12956
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
02/21/12 08:37:26  02/22/12 08:37:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/28/12 08:37:25

Enjoy your KDC ;-)

[1] http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html