Return-Path: 
 <dev-return-32604-apmail-directory-dev-archive=directory.apache.org@directory.apache.org>
Delivered-To: apmail-directory-dev-archive@www.apache.org
Received: (qmail 92248 invoked from network); 29 Jan 2010 13:18:46 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 29 Jan 2010 13:18:46 -0000
Received: (qmail 18670 invoked by uid 500); 29 Jan 2010 13:18:46 -0000
Delivered-To: apmail-directory-dev-archive@directory.apache.org
Received: (qmail 18585 invoked by uid 500); 29 Jan 2010 13:18:45 -0000
Mailing-List: contact dev-help@directory.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@directory.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@directory.apache.org>
List-Post: <mailto:dev@directory.apache.org>
List-Id: <dev.directory.apache.org>
Reply-To: "Apache Directory Developers List" <dev@directory.apache.org>
Delivered-To: mailing list dev@directory.apache.org
Received: (qmail 18577 invoked by uid 99); 29 Jan 2010 13:18:45 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 29 Jan 2010 13:18:45 +0000
X-ASF-Spam-Status: No, hits=2.2 required=10.0
	tests=HTML_MESSAGE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of amilasuriarachchi@gmail.com
 designates 209.85.222.201 as permitted sender)
Received: from [209.85.222.201] (HELO mail-pz0-f201.google.com)
 (209.85.222.201)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 29 Jan 2010 13:18:37 +0000
Received: by pzk39 with SMTP id 39so1413160pzk.15
        for <dev@directory.apache.org>; Fri, 29 Jan 2010 05:18:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=YPwJ7xBOMPR/Yg2KfvUamusFpSf8Ihm2x6A7aS2mGR8=;
        b=jGjBZmqqjGn8nNaK2vDvv6x2sOMw/witNvQsSyjlzdWxRqFwNaN8gxv52aMCLRirnE
         N8ZrcO8u1WOTscYClvBgYRNaC+mc7o3rLs5+MHASc8BbuhXGGW2NkycEEoTLRYoFtaLu
         uvS9yxCNmKgMHbVrtXdtwEEFj+HVOwhSE4mWY=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=XFBhF68cDsao0MgoBfXkVrRiCb3UjrWEgqt655PVFzW2/P9UTznhf6OLwFoFNIKDmx
         Ts5OIUlkOL5Vey6dPiH3DtvFV4vJYKJ0Mu1U0qVg+ndhrpqyzGbzYa3Ij63y3SnUgHXG
         Kc7PCBnFUVUqm3/TQJHxNd/O6Ycd/vMgFuqu0=
MIME-Version: 1.0
Received: by 10.142.55.3 with SMTP id d3mr572033wfa.273.1264771093681;
 Fri, 29
	Jan 2010 05:18:13 -0800 (PST)
In-Reply-To: <4B62AD78.1060704@apache.org>
References: <60708f4b1001290022v20e0b9eal97bc662f14b955c@mail.gmail.com>
	 <4B62AD78.1060704@apache.org>
Date: Fri, 29 Jan 2010 18:48:13 +0530
Message-ID: <60708f4b1001290518g2a54ccb5id25ef3e44874e81b@mail.gmail.com>
Subject: Re: Configuring Apache Directory studio with kerberos
From: Amila Suriarachchi <amilasuriarachchi@gmail.com>
To: Apache Directory Developers List <dev@directory.apache.org>
Content-Type: multipart/alternative; boundary=00504502be7ec2d7d0047e4d7754
X-Virus-Checked: Checked by ClamAV on apache.org

--00504502be7ec2d7d0047e4d7754
Content-Type: text/plain; charset=ISO-8859-1

hi,

thanks for reply.

I tried to do the authentication with the following values. (after following
the given tutorial )

Bind DN or user : hnelson@EXAMPLE.COM
Bind Password : secret

At kerborose settings

set : Obtain TGT from KDC
set : Use Native System Configuration

Then tried to Authenticate and got the following exception at client side

The authentication failed
 - Request: 1 cancelled
  javax.naming.CommunicationException: Request: 1 cancelled
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:60)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:411)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:108)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2575)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2549)
    at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2545)
    at
javax.naming.ldap.InitialLdapContext.reconnect(InitialLdapContext.java:173)
    at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:337)
    at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
    at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
    at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
    at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
    at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
    at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
    at
org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:80)
    at
org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
    at
org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

  Request: 1 cancelled

And following at server side.

[18:41:16] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Additional pre-authentication required (25)
[18:41:16] WARN
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] -
No server entry found for kerberos principal name ldap/localhost@EXAMPLE.COM
[18:41:16] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
Unexpected exception forcing session to close: sending disconnect notice to
client.
java.lang.NullPointerException
    at
org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:97)
    at
org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:81)
    at
org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:174)
    at
org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:136)
    at
org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:66)
    at
org.apache.directory.server.ldap.handlers.BindHandler.handleSaslAuth(BindHandler.java:539)
    at
org.apache.directory.server.ldap.handlers.BindHandler.handle(BindHandler.java:594)
    at
org.apache.directory.server.ldap.handlers.BindHandler.handle(BindHandler.java:61)
    at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:162)
    at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
    at
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:194)
    at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
    at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
    at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
    at
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:71)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
    at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
    at java.lang.Thread.run(Thread.java:619)

What could be the reason?

thanks,
Amila.

On Fri, Jan 29, 2010 at 3:12 PM, Stefan Seelmann <seelmann@apache.org>wrote:

> Amila Suriarachchi wrote:
>
>> I could successfully run the following[1] tutorial with Apacheds 1.5.5.
>> But this uses kinit as the login tool.
>> Can I do the same thing with Apache Directory studio?
>>
>
> Yes, you could use Kerberos/GSSAPI to authenticate to the ApacheDS LDAP
> service. You have two options:
>
> If you use kinit and obtained a TGT from the ApacheDS Kerberos server you
> have real single-sign-on. You just need to select 'GSSAPI (Kerberos)' as
> authentication method for your connection [2] and you don't need to
> authenticate again.
>
> Alternatively you could select 'Obtail TGT from KDC'. With that option you
> need to provide the username and password to get a new TGT from the Kerberos
> server. But note that this TGT can only be used within Studio, for accessing
> the LDAP server.
>
> Kind Regards,
> Stefan
>
>
> [2]
> http://directory.apache.org/studio/static/users_guide/ldap_browser/tools_connection_properties.html
>
>


-- 
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/

--00504502be7ec2d7d0047e4d7754
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

hi,<br><br>thanks for reply.<br><br>I tried to do the authentication with t=
he following values. (after following the given tutorial )<br><br>Bind DN o=
r user : <a href=3D"mailto:hnelson@EXAMPLE.COM">hnelson@EXAMPLE.COM</a><br>
Bind Password : secret<br><br>At kerborose settings<br><br>set : Obtain TGT=
 from KDC<br>set : Use Native System Configuration<br><br>Then tried to Aut=
henticate and got the following exception at client side<br><br>The authent=
ication failed<br>
=A0- Request: 1 cancelled<br>=A0 javax.naming.CommunicationException: Reque=
st: 1 cancelled<br>=A0=A0=A0 at com.sun.jndi.ldap.LdapRequest.getReplyBer(L=
dapRequest.java:60)<br>=A0=A0=A0 at com.sun.jndi.ldap.Connection.readReply(=
Connection.java:411)<br>
=A0=A0=A0 at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)<br>=
=A0=A0=A0 at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:108)<br=
>=A0=A0=A0 at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214=
)<br>=A0=A0=A0 at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)<br>
=A0=A0=A0 at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2575)<br>=A0=
=A0=A0 at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2549)<br>=A0=A0=
=A0 at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2545)<br>=A0=A0=A0 =
at javax.naming.ldap.InitialLdapContext.reconnect(InitialLdapContext.java:1=
73)<br>
=A0=A0=A0 at org.apache.directory.studio.connection.core.io.jndi.JNDIConnec=
tionWrapper$8.run(JNDIConnectionWrapper.java:1165)<br>=A0=A0=A0 at java.sec=
urity.AccessController.doPrivileged(Native Method)<br>=A0=A0=A0 at javax.se=
curity.auth.Subject.doAs(Subject.java:337)<br>
=A0=A0=A0 at org.apache.directory.studio.connection.core.io.jndi.JNDIConnec=
tionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)<br>=A0=A0=A0 at o=
rg.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.ac=
cess$700(JNDIConnectionWrapper.java:106)<br>
=A0=A0=A0 at org.apache.directory.studio.connection.core.io.jndi.JNDIConnec=
tionWrapper$7.run(JNDIConnectionWrapper.java:1041)<br>=A0=A0=A0 at org.apac=
he.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMon=
itor(JNDIConnectionWrapper.java:1272)<br>
=A0=A0=A0 at org.apache.directory.studio.connection.core.io.jndi.JNDIConnec=
tionWrapper.doBind(JNDIConnectionWrapper.java:1065)<br>=A0=A0=A0 at org.apa=
che.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JND=
IConnectionWrapper.java:254)<br>
=A0=A0=A0 at org.apache.directory.studio.connection.core.jobs.CheckBindRunn=
able.run(CheckBindRunnable.java:80)<br>=A0=A0=A0 at org.apache.directory.st=
udio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:1=
23)<br>=A0=A0=A0 at org.eclipse.jface.operation.ModalContext$ModalContextTh=
read.run(ModalContext.java:121)<br>
<br>=A0 Request: 1 cancelled<br><br>And following at server side.<br><br>[1=
8:41:16] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtoc=
olHandler] - Additional pre-authentication required (25)<br>[18:41:16] WARN=
 [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] =
- No server entry found for kerberos principal name ldap/<a href=3D"mailto:=
localhost@EXAMPLE.COM">localhost@EXAMPLE.COM</a><br>
[18:41:16] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Un=
expected exception forcing session to close: sending disconnect notice to c=
lient.<br>java.lang.NullPointerException<br>=A0=A0=A0 at org.apache.directo=
ry.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincip=
al.java:97)<br>
=A0=A0=A0 at org.apache.directory.server.kerberos.shared.store.operations.G=
etPrincipal.execute(GetPrincipal.java:81)<br>=A0=A0=A0 at org.apache.direct=
ory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.findPrincipal(G=
ssapiMechanismHandler.java:174)<br>
=A0=A0=A0 at org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMe=
chanismHandler.getSubject(GssapiMechanismHandler.java:136)<br>=A0=A0=A0 at =
org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandle=
r.handleMechanism(GssapiMechanismHandler.java:66)<br>
=A0=A0=A0 at org.apache.directory.server.ldap.handlers.BindHandler.handleSa=
slAuth(BindHandler.java:539)<br>=A0=A0=A0 at org.apache.directory.server.ld=
ap.handlers.BindHandler.handle(BindHandler.java:594)<br>=A0=A0=A0 at org.ap=
ache.directory.server.ldap.handlers.BindHandler.handle(BindHandler.java:61)=
<br>
=A0=A0=A0 at org.apache.directory.server.ldap.handlers.LdapRequestHandler.h=
andleMessage(LdapRequestHandler.java:162)<br>=A0=A0=A0 at org.apache.direct=
ory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandle=
r.java:56)<br>
=A0=A0=A0 at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceive=
d(DemuxingIoHandler.java:232)<br>=A0=A0=A0 at org.apache.directory.server.l=
dap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:194)<br>=
=A0=A0=A0 at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilt=
er.messageReceived(DefaultIoFilterChain.java:721)<br>
=A0=A0=A0 at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNext=
MessageReceived(DefaultIoFilterChain.java:433)<br>=A0=A0=A0 at org.apache.m=
ina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.=
java:47)<br>
=A0=A0=A0 at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImp=
l$1.messageReceived(DefaultIoFilterChain.java:801)<br>=A0=A0=A0 at org.apac=
he.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:71)<br>=A0=
=A0=A0 at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)<br>
=A0=A0=A0 at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Wo=
rker.runTask(UnorderedThreadPoolExecutor.java:480)<br>=A0=A0=A0 at org.apac=
he.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThr=
eadPoolExecutor.java:434)<br>
=A0=A0=A0 at java.lang.Thread.run(Thread.java:619)<br><br>What could be the=
 reason?<br><br>thanks,<br>Amila.<br><br><div class=3D"gmail_quote">On Fri,=
 Jan 29, 2010 at 3:12 PM, Stefan Seelmann <span dir=3D"ltr">&lt;<a href=3D"=
mailto:seelmann@apache.org">seelmann@apache.org</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, =
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class=3D"im"=
>Amila Suriarachchi wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, =
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I could successfully run the following[1] tutorial with Apacheds 1.5.5. But=
 this uses kinit as the login tool.<br>
Can I do the same thing with Apache Directory studio?<br>
</blockquote>
<br></div>
Yes, you could use Kerberos/GSSAPI to authenticate to the ApacheDS LDAP ser=
vice. You have two options:<br>
<br>
If you use kinit and obtained a TGT from the ApacheDS Kerberos server you h=
ave real single-sign-on. You just need to select &#39;GSSAPI (Kerberos)&#39=
; as authentication method for your connection [2] and you don&#39;t need t=
o authenticate again.<br>

<br>
Alternatively you could select &#39;Obtail TGT from KDC&#39;. With that opt=
ion you need to provide the username and password to get a new TGT from the=
 Kerberos server. But note that this TGT can only be used within Studio, fo=
r accessing the LDAP server.<br>

<br>
Kind Regards,<br>
Stefan<br>
<br>
<br>
[2]<a href=3D"http://directory.apache.org/studio/static/users_guide/ldap_br=
owser/tools_connection_properties.html" target=3D"_blank">http://directory.=
apache.org/studio/static/users_guide/ldap_browser/tools_connection_properti=
es.html</a><br>

<br>
</blockquote></div><br><br clear=3D"all"><br>-- <br>Amila Suriarachchi<br>W=
SO2 Inc.<br>blog: <a href=3D"http://amilachinthaka.blogspot.com/">http://am=
ilachinthaka.blogspot.com/</a><br>

--00504502be7ec2d7d0047e4d7754--