PADL Software Pty Ltd

PADL Software Pty Ltd


About PADL


Commercial Software

Contacting PADL


Open Source Software



Research and Development

Technical Support



Heimdal is a freely available implementation of the Kerberos V protocol. Heimdal can be downloaded from

PADL has contributed over14,000 lines of code to Heimdal, including:

  • Kerberos Credentials Manager (KCM)
  • Port of MIT Kerberos mechanism glue (mechglue)
  • GSS-API CFX and protected mechanism negotiation
  • RFC 2478bis (SPNEGO) mechanism
  • NetInfo configuration support
  • Dynamic loading of database backends
  • RFC 3244 (set password) server-side support
  • Windows 2000 interoperability fixes for public key initial authentication (PKINIT)


This document describes how to install the LDAP backend for Heimdal. Note that, before attempting to configure such an installation, you should be aware of the implications of storing private information (such as users' keys) in a directory service primarily designed for public information. Nonetheless, with a suitable authorization policy, it is possible to set this up in a secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to install this backend. The HDB schema was devised by Leif Johansson.


  • A current release of Heimdal, configured with --with-openldap=/usr/local (adjust according to where you have installed OpenLDAP).
  • OpenLDAP 2.0.x. Configure OpenLDAP with --enable-local to enable the local transport. (A patch to support SASL EXTERNAL authentication is necessary in order to use OpenLDAP 2.1.x.)
  • The KDC LDAP schema, which is distributed with OpenLDAP

Configure the LDAP server ACLs to accept writes from clients over the local transport. For example:

access to *
        by sockurl="^ldapi:///$" write

Make sure you include the schema:

include /usr/local/etc/openldap/schema/krb5-kdc.schema

Start the slapd with the local listener (as well as the default TCP/IP listener on port 389) as follows:

    slapd -h "ldapi:/// ldap:///"

Note: These is a bug in slapd where it appears to corrupt the krb5Key binary attribute on shutdown. This may be related to our use of the V3 schema definition syntax instead of the old UMich-style, V2 syntax.

You should specify a the distinguished name under which your principals will be stored in krb5.conf:

        database = {
                dbname = ldap:ou=KerberosPrincpals,dc=padl,dc=com
                mkey_file = /path/to/mkey

Once you have built Heimdal and started the LDAP server, run kadmin (as usual) to initialize the database. Note that the instructions for stashing a master key are as per any Heimdal installation; you are encouraged to read the Heimdal documentation for further information.

kdc# kadmin -l
kadmin> init PADL.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> ank lukeh
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
lukeh@PADL.COM's Password:
Verifying password - lukeh@PADL.COM's Password:
kadmin> exit

Verify that the principal database has indeed been stored at the directory with the following command:

kdc# ldapsearch -L -h localhost -D cn=manager \
-w secret
-b ou=KerberosPrincipals,dc=padl,dc=com \

Home | Bugzilla

Copyright 1999-2014 PADL Software Pty Ltd ABN 16 085 895 585. All rights reserved.
PADL is a registered trademark of PADL Software Pty Ltd.