A random collection of posts

ApacheDS With MIT Kerberos: Fail


My next step after switching to Kerberos for user authentication is to use LDAP as backend for user accounts. The ApacheDS project looked like a good candidate: Written in Java and accompanied by a sophisticated LDAP client yields a generous up front credit.

A primary requirement is Kerberos integration and I expected good support for Kerberos because apacheds advertises an integrated Kerberos KDC and SASL/GSSAPI support.

Lack of documentation

Although setting up apacheds 1.5 is not complicated as such, it gets complicated by the either terse or missing or — even worse — subtly wrong documentation.

After my fruitless search for instructions on how to import the keytab file I switched over to the real documentation: the code. It seems that the Keytab class is only used in unit tests. A few minutes of internet research backed my suspicion: Unfortunately it is not supported to use an external KDC for user authentication. Bad luck.

ApacheDS as KDC

As a quick sidenote: using ApacheDS as KDC might not be what you want. There is no documented way to create and export a keytab with a random key. To quote from the wiki

Because key export for ApacheDS is currently (10-JUN-2007) under heavy development, we won’t export keys for this example. Instead, we’ll take advantage of the fact that key derivation algorithms are standardized and we’ll create a keytab based on the LDAP service principal from the LDIF we imported.


I will keep an eye on apacheds because I see potential. I have to admit: The possibility to embed a complete LDAP server in my own applications is exciting. Unfortunately apacheds does not meet the requirements as my LDAP server.

Next stop: OpenDS.