OpenDJ to store Kerberos principals

OpenDJ community logoLately I’ve been head down working mainly on the OpenAM core documentation here at ForgeRock as we work towards OpenAM 10.

But I took some time out recently to set up OpenDJ directory server to store Kerberos principals. The example I wrote up is with MIT Kerberos on CentOS 6. Everything was on one VM for that example, so it’s fairly simple to try.

One thing I’m still scratching my head about is how to get the /etc/init.d scripts working for the Kerberos daemons. If I don’t start the daemons on the command line, they won’t run. Suggestions appreciated.

5 thoughts on “OpenDJ to store Kerberos principals

  1. Hi Mark,

    I just did this to, looking to setup OpenDj Kerberos authentication, while Unix naming stored in a different branch/Directory. As a test to try looking at having AD (auth) + OpenDJ user information. The problem I had with the Kerberos scripts was I used a high port for OpenDJ (1636), same for you? That breaks the SeLinux setup. Quick hack is to run…

    setenforce 0

    The proper fix is to add the port to the Kerberos module of SeLinux ( or run on 636). i ‘ve not done that yet. I was going to post to a blog of my howto but I’m sure your write up will be much better 🙂 I can send you a copy of my howto if you’d like?


    1. Thanks. I’ll have a look at this, and would much appreciate a link to your howto.

      You’re welcome to take whatever you find useful in mine, too. (I’m pretty sure the content on the ForgeRock wiki is all supposed to be under Creative Commons CC-BY-SA.)


  2. Don’t know SELinux really, yet.
    The `setenforce 0` workaround does work fine for me.

    Thinking it would be nice not to have to disable SELinux. I have tried this:
    # yum install policycoreutils-python
    # semanage port -a -t ldap_port_t -p tcp 1636
    # semanage port -a -t ldap_port_t -p tcp 1389
    # semanage port -a -t ldap_port_t -p udp 1636
    # semanage port -a -t ldap_port_t -p udp 1389
    But I’m still missing something, finding the same error in the krb5kdc log when I try to start the service:
    “krb5kdc: Can’t contact LDAP server – while initializing database for realm EXAMPLE.COM”

    1. My setup looks like…

      semanage port -l | grep 1636
      ldap_port_t tcp 1636, 389, 636, 3268
      ldap_port_t udp 389, 636

      You can also look in “/var/log/audit/audit.log’ for any selinux errors on startup.

      Errors can be convert to something readable by running (from setroubleshoot-server package for me) …

      sealert -a /var/log/audit/audit.log > /tmp/err


  3. Thanks again, Matt. Tried all this again at home on a cleaner VM.
    Turns out it works, so thanks very much. I’ve updated the Wiki entry.
    Only difference for me with what you saw was, because I’d made mistakes before, I had old Kerberos files in /var/tmp that were preventing the daemons from starting.


    BTW, Kerberos daemons /etc/init.d scripts don’t have them starting by default for any run level, at least not in the minimal Desktop install I used on my VMs.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s