The problem is that with recent versions of ApacheDS the step-by-step guide [1] no longer works as written, so here are the fixes.
- On machines with a dual IPv4/IPv6 stack, be aware that localhost occasionally resolves to ::1, the IPv6 loopback address. I have therefore used localhost4 to be on the safe side.
- Change ApacheDS's server.xml so that the kdcServer node carries the attribute paEncTimestampRequired="false". Note that this switches off pre-authentication: the KDC will then answer an AS-REQ for any principal with a reply encrypted under that principal's key without first checking that the requester knows the password, which is fine for a local test KDC but not for one reachable by untrusted clients.

    <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com" paEncTimestampRequired="false">
        <transports>
            <tcpTransport port="60088" nbThreads="4" backLog="50"/>
            <udpTransport port="60088" nbThreads="4" backLog="50"/>
        </transports>
        <directoryService>#directoryService</directoryService>
    </kdcServer>

- The LDIF data should be modified to use localhost4 as the server's host name. The last entry will then look like this:

    dn: uid=ldap,ou=Users,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: krb5principal
    objectClass: krb5kdcentry
    cn: LDAP
    sn: Service
    uid: ldap
    userPassword: randall
    krb5PrincipalName: ldap/localhost4@EXAMPLE.COM
    krb5KeyVersionNumber: 0

- Your /etc/krb5.conf file can look like this:

    [libdefaults]
        default_realm = EXAMPLE.COM

    [realms]
        EXAMPLE.COM = {
            kdc = localhost:60088
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

So, give it a try:

    kinit hnelson@EXAMPLE.COM
    Password for hnelson@EXAMPLE.COM: secret
    klist
    Ticket cache: FILE:/tmp/krb5cc_12956
    Default principal: hnelson@EXAMPLE.COM
    Valid starting       Expires              Service principal
    02/21/12 08:37:26    02/22/12 08:37:25    krbtgt/EXAMPLE.COM@EXAMPLE.COM
            renew until 02/28/12 08:37:25

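As an added example (not part of the original post or of ApacheDS), the script below sanity-checks a kdcServer fragment from server.xml against a client krb5.conf and reports the two things that bite in this setup: a KDC address of plain localhost, which a dual-stack host may resolve to ::1, and pre-authentication being switched off via paEncTimestampRequired="false". The sample configs are constructed from the snippets above; the ports and attribute names are the ones the post uses, and the assumed default for paEncTimestampRequired when the attribute is absent is "true".

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the post's snippets: the kdcServer fragment and the client krb5.conf.
SERVER_XML = """<kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com" paEncTimestampRequired="false">
  <transports><tcpTransport port="60088" nbThreads="4" backLog="50"/>
  <udpTransport port="60088" nbThreads="4" backLog="50"/></transports>
</kdcServer>"""
KRB5_CONF = """[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = localhost:60088
  }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, and NAME = { ... } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
        elif line.endswith("{"):  # "EXAMPLE.COM = {" opens a relation block
            block = section.setdefault(line.split("=", 1)[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            (block if block is not None else section)[key.strip()] = val.strip()
    return conf

def check_setup(server_xml, krb5_conf):
    """Return findings about the KDC/client pair; an empty list means none found."""
    findings, root = [], ET.fromstring(server_xml)
    local = lambda e: e.tag.rsplit("}", 1)[-1]  # real server.xml files use a namespace
    kdc = next(e for e in root.iter() if local(e) == "kdcServer")
    ports = {e.get("port") for e in root.iter() if local(e).endswith("Transport")}
    # Without PA-ENC-TIMESTAMP the KDC hands an AS-REP encrypted under the user's key
    # to anyone naming the principal, so every password is open to offline guessing.
    if kdc.get("paEncTimestampRequired", "true").lower() == "false":  # assumed default: true
        findings.append("pre-authentication disabled (paEncTimestampRequired=false)")
    conf = parse_krb5_conf(krb5_conf)
    host, _, port = conf["realms"][conf["libdefaults"]["default_realm"]]["kdc"].partition(":")
    if host == "localhost":  # dual-stack hosts may resolve this to ::1
        findings.append("kdc host is localhost; use localhost4 to force IPv4")
    if (port or "88") not in ports:  # 88 is the default Kerberos port when none is given
        findings.append(f"kdc port {port or '88'} not served by the kdcServer transports")
    return findings
```

Run against the post's own snippets it reports both findings; with localhost4 in krb5.conf and pre-authentication left on it reports none.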
Enjoy your KDC ;-)
[1] http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html