directory-dev mailing list archives

From Amila Suriarachchi <amilasuriarach...@gmail.com>
Subject Re: Configuring Apache Directory studio with kerberos
Date Fri, 29 Jan 2010 13:18:13 GMT
Hi,

Thanks for the reply.

I tried to do the authentication with the following values (after following
the given tutorial).

Bind DN or user : hnelson@EXAMPLE.COM
Bind Password : secret

At Kerberos settings

set : Obtain TGT from KDC
set : Use Native System Configuration

Then I tried to authenticate and got the following exception at the client side:

The authentication failed
 - Request: 1 cancelled
  javax.naming.CommunicationException: Request: 1 cancelled
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:60)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:411)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:108)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2575)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2549)
    at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2545)
    at javax.naming.ldap.InitialLdapContext.reconnect(InitialLdapContext.java:173)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:337)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
    at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:80)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

  Request: 1 cancelled

And the following at the server side:

[18:41:16] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[18:41:16] WARN [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - No server entry found for kerberos principal name ldap/localhost@EXAMPLE.COM
[18:41:16] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
java.lang.NullPointerException
    at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:97)
    at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:81)
    at org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:174)
    at org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:136)
    at org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:66)
    at org.apache.directory.server.ldap.handlers.BindHandler.handleSaslAuth(BindHandler.java:539)
    at org.apache.directory.server.ldap.handlers.BindHandler.handle(BindHandler.java:594)
    at org.apache.directory.server.ldap.handlers.BindHandler.handle(BindHandler.java:61)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:162)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:194)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:71)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
    at java.lang.Thread.run(Thread.java:619)

What could be the reason?

Thanks,
Amila.

On Fri, Jan 29, 2010 at 3:12 PM, Stefan Seelmann <seelmann@apache.org> wrote:

> Amila Suriarachchi wrote:
>
>> I could successfully run the following[1] tutorial with ApacheDS 1.5.5.
>> But this uses kinit as the login tool.
>> Can I do the same thing with Apache Directory studio?
>>
>
> Yes, you could use Kerberos/GSSAPI to authenticate to the ApacheDS LDAP
> service. You have two options:
>
> If you use kinit and obtained a TGT from the ApacheDS Kerberos server you
> have real single-sign-on. You just need to select 'GSSAPI (Kerberos)' as
> authentication method for your connection [2] and you don't need to
> authenticate again.
>
> Alternatively you could select 'Obtain TGT from KDC'. With that option you
> need to provide the username and password to get a new TGT from the Kerberos
> server. But note that this TGT can only be used within Studio, for accessing
> the LDAP server.
>
> Kind Regards,
> Stefan
>
>
> [2]
> http://directory.apache.org/studio/static/users_guide/ldap_browser/tools_connection_properties.html
>
>


-- 
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/
