My next step after switching to Kerberos for user authentication is to use LDAP as the backend for user accounts. The ApacheDS project looked like a good candidate: it is written in Java and accompanied by a sophisticated LDAP client, which earned it a generous up-front credit.
A primary requirement is Kerberos integration, and I expected good support for it because apacheds advertises an integrated Kerberos KDC and SASL/GSSAPI support.
Lack of documentation
Although setting up apacheds 1.5 is not complicated as such, it is made complicated by documentation that is terse, missing or, even worse, subtly wrong.
After a fruitless search for instructions on how to import the keytab file, I switched over to the real documentation: the code. It seems that the Keytab class is only used in unit tests. A few minutes of internet research backed my suspicion: unfortunately, using an external KDC for user authentication is not supported. Bad luck.
ApacheDS as KDC
As a quick side note: using ApacheDS as the KDC might not be what you want either. There is no documented way to create and export a keytab with a random key. To quote from the wiki:
Because key export for ApacheDS is currently (10-JUN-2007) under heavy development, we won’t export keys for this example. Instead, we’ll take advantage of the fact that key derivation algorithms are standardized and we’ll create a keytab based on the LDAP service principal from the LDIF we imported.
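The keytab the quoted wiki text ends up building by hand (and the one the previous section could not import) is a small binary file: a two-byte version marker followed by size-prefixed entries holding the principal, a key version number and the key itself. The following is an added example, not code from this post or from the ApacheDS project, that writes and reads MIT-format keytabs with nothing but the Python standard library. The principal, kvno, timestamp and key bytes are constructed; the key is a placeholder, not the output of the standardized string-to-key derivation the wiki relies on (that derivation is what ktutil's addent -password performs, and what a KDC's ktadd makes unnecessary).

```python
"""Read and write Kerberos keytabs in the MIT file format (version 0x0502).

Added example, standard library only. The key bytes used in the demo are a
constructed placeholder, NOT the output of the RFC 3961/3962 string-to-key
derivation; real key material comes from the KDC (kadmin ktadd) or from
ktutil 'addent -password', which performs that derivation.
"""
import struct

KEYTAB_VERSION = b"\x05\x02"          # v2 format: all integers big-endian
KRB_NT_PRINCIPAL = 1                  # name type used for service principals
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18    # RFC 3962 enctype number


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    """Inverse of _counted; returns (bytes, new_pos)."""
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal, kvno, enctype, key, timestamp) -> bytes:
    """Serialise one entry body (everything after the int32 size field).

    principal is 'comp1/comp2@REALM'. In v2 the realm is written before the
    name components and the component count does not include it.
    """
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)   # keyblock
    body += struct.pack(">I", kvno)                       # optional 32-bit vno
    return body


def write_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key, timestamp)."""
    out = KEYTAB_VERSION
    for principal, kvno, enctype, key, ts in entries:
        body = build_entry(principal, kvno, enctype, key, ts)
        out += struct.pack(">i", len(body)) + body
    return out


def _slots(blob: bytes):
    """Yield (offset_of_size_field, size) for every slot, live or deleted."""
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        yield pos, size
        pos += 4 + abs(size)


def delete_entry(blob: bytes, index: int) -> bytes:
    """Mark the index-th live entry deleted the way MIT does: negate its size."""
    live = 0
    for off, size in _slots(blob):
        if size <= 0:
            continue
        if live == index:
            return blob[:off] + struct.pack(">i", -size) + blob[off + 4:]
        live += 1
    raise IndexError("no live entry %d" % index)


def parse_keytab(blob: bytes):
    """Return live entries as dicts; deleted (negative-size) slots are skipped."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    entries = []
    for off, size in _slots(blob):
        if size <= 0:
            continue
        e = blob[off + 4:off + 4 + size]
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, p = _read_counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(e, p)
            comps.append(c.decode())
        name_type, ts, vno = struct.unpack(">IIB", e[p:p + 9])
        p += 9
        (enctype,) = struct.unpack(">H", e[p:p + 2])
        key, p = _read_counted(e, p + 2)
        if size - p >= 4:                 # 32-bit vno present; wins when nonzero
            (vno32,) = struct.unpack(">I", e[p:p + 4])
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": ts, "kvno": vno,
                        "enctype": enctype, "key": key})
    return entries


if __name__ == "__main__":
    # Constructed demo: an LDAP service principal with a placeholder key.
    demo = write_keytab([("ldap/ldap.example.com@EXAMPLE.COM", 3,
                          ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32)), 1181433600)])
    for ent in parse_keytab(demo):
        print(ent["principal"], "kvno", ent["kvno"], "etype", ent["enctype"])
```

A file produced by write_keytab is readable by klist -kt, which is a quick way to check that a hand-built keytab at least has the principal and kvno you expect before pointing a service at it; whether the key inside matches what the KDC holds can only be verified by actually obtaining a ticket for that service.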
I will keep an eye on apacheds because I see potential. I have to admit: the possibility of embedding a complete LDAP server in my own applications is exciting. Unfortunately, apacheds does not meet my requirements as an LDAP server.