directory-users mailing list archives

From "CORUM, M E [AG/1000]" <m.e.co...@monsanto.com>
Subject RE: [ApacheDS] 1.5 Experience and Kerberos (any Kerberos experts out there?)
Date Mon, 23 Apr 2007 15:46:47 GMT

(Just an aside on the issue of not being able to load the ldif file on
startup in Windows.  It appears to be somehow related to the filename
itself.  I found that if the ldif filename started with "ad", then the
weird parsing took place and it always failed.  Perhaps this is an issue
that only occurs on Windows.)

Since I was trying to do Kerberos anyway, I found the
kerberos-example.ldif file and modified it for my environment.  I was
able to get it loaded.  I am using a different domain than example.com
so I'm wondering if something in the server is hard-coded to
example.com.  I had lots of trouble getting it to recognize anything
other than example.com.  I do have a partition matching my new domain
and was able to load the file from the startup and verify the entries in
JXplorer.

Now, here is my next problem.  In my test code, I'm using JAAS with a
callbackhandler to just shove in a password (rather than using a keytab)
since all of this is just for test code.  I'm trying to figure out what
value I need to provide for the userid (principal) from JAAS code.  For
now, I use userid@MY.DOMAIN.COM with the appropriate values of course.
When I do this, it fails with the following message in the IDE:

[ERROR] Mon Apr 23 10:33:02 CDT 2007 jcsi.kerberos: login failed: Kerberos error creating ticket: com.dstc.security.kerberos.KerberosError: Integrity checked on decrypted field failed (Integrity check on decrypted field failed)

javax.security.auth.login.LoginException: Kerberos error creating ticket: com.dstc.security.kerberos.KerberosError: Integrity checked on decrypted field failed (Integrity check on decrypted field failed)

Since the log file is set to INFO in the log4j properties file, all I
get is:

[10:33:01] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required
[10:33:02] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed

I don't know what to do from here.  I'm using the exact same password
for all my users and it is the one I'm providing.  I'm using the
ldifFilters entry in server.xml to invoke Krb5KdcEntryFilter on loading
the users in the file so the krb5key and userPassword are set.  I
checked that in JXplorer and they are there.  So, I'm thinking I'll turn
on DEBUG.

Now, here is the bad part.  When I switch log4j.properties to have DEBUG
as the log level, the server WON'T START!  Bummer!  Here is the error
message I get trying to start the server with DEBUG as the log level
(this worked in 1.0.1 by the way):

[10:16:39] DEBUG [org.apache.directory.server.schema.registries.DefaultNormalizerRegistry] - registered normalizer with oid: 1.3.6.1.4.1.18060.0.4.1.1.1
[10:16:39] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed on org.apache.directory.server.Service.init(InstallationLayout, String[])
java.lang.ArrayIndexOutOfBoundsException: 0
	at org.apache.directory.shared.ldap.schema.AbstractSchemaObject.toString(AbstractSchemaObject.java:320)
	at java.lang.String.valueOf(Unknown Source)
	at java.lang.StringBuilder.append(Unknown Source)
	at org.apache.directory.server.schema.registries.DefaultSyntaxRegistry.register(DefaultSyntaxRegistry.java:110)
	at org.apache.directory.server.core.schema.PartitionSchemaLoader.loadSyntaxes(PartitionSchemaLoader.java:654)
	at org.apache.directory.server.core.schema.PartitionSchemaLoader.load(PartitionSchemaLoader.java:348)
	at org.apache.directory.server.schema.registries.AbstractSchemaLoader.loadDepsFirst(AbstractSchemaLoader.java:107)
	at org.apache.directory.server.schema.registries.AbstractSchemaLoader.loadDepsFirst(AbstractSchemaLoader.java:143)
	at org.apache.directory.server.schema.registries.AbstractSchemaLoader.loadDepsFirst(AbstractSchemaLoader.java:143)
	at org.apache.directory.server.core.schema.PartitionSchemaLoader.loadWithDependencies(PartitionSchemaLoader.java:320)
	at org.apache.directory.server.core.schema.PartitionSchemaLoader.loadEnabled(PartitionSchemaLoader.java:222)
	at org.apache.directory.server.core.DefaultDirectoryService.initialize(DefaultDirectoryService.java:914)
	at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:254)
	at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:118)
	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
	at javax.naming.InitialContext.init(Unknown Source)
	at javax.naming.InitialContext.<init>(Unknown Source)
	at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
	at org.apache.directory.server.Service.init(Service.java:96)
	at org.apache.directory.daemon.Bootstrapper.callInit(Bootstrapper.java:151)
	at org.apache.directory.daemon.ProcrunBootstrapper.prunsrvStart(ProcrunBootstrapper.java:65)

When I flip back to INFO, the server starts fine but I can't get the
deep details in the log.

Can anybody help?

By the way, I'm wondering if the default algorithm for the key is
different.  I'm on Windows and used to using 23.  I noticed that the
Krb5EncryptionType is 3 rather than 23 in the directory so I'll look
into that to see if that is my problem with Kerberos.

MikeC



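The error the post keeps running into, "Integrity check on decrypted field failed", is the text RFC 4120 assigns to KRB_AP_ERR_BAD_INTEGRITY (error code 31): the KDC decrypted the client's PA-ENC-TIMESTAMP with the key it holds for that principal and the checksum did not verify, which is what happens when the client's password-derived key and the stored key disagree (different password, different string-to-key algorithm, or different key usage). The Python below is an added example, not code from the post or from ApacheDS. It implements only etype 23 (rc4-hmac, RFC 4757), the type the poster says he is used to, with the MD4 and RC4 primitives inlined so it runs offline on the standard library; the passwords, the 8-byte confounder and the timestamp string are constructed test values, and the simulated KDC compares only the decrypted timestamp, not a full ASN.1 AS-REQ. It does not implement etype 3 (des-cbc-md5), whose string-to-key is a different algorithm, so a KDC holding only an etype 3 key would fail this check the same way the wrong-password case does.

```python
"""rc4-hmac (Kerberos etype 23) pre-authentication check, simulated offline.

Added example, not part of the original post or of ApacheDS. MD4 and RC4 are
inlined because hashlib's MD4 is often disabled in OpenSSL 3 builds.
"""
import hashlib
import hmac
import os
import struct

KEY_USAGE_PA_ENC_TIMESTAMP = 1   # RFC 4120 section 7.5.1


class IntegrityError(Exception):
    """Raised where a real KDC would return KRB_AP_ERR_BAD_INTEGRITY (31)."""


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian words, three 16-step rounds)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate the working registers
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (a broken cipher; present only because etype 23 uses it)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key for etype 23: MD4 over the UTF-16LE password (the NT hash)."""
    return md4(password.encode("utf-16-le"))


def _k1(key: bytes, usage: int) -> bytes:
    # RFC 4757: T is the key usage number as a 4-byte little-endian integer.
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 section 6: output is checksum || RC4(K3, confounder || plaintext)."""
    k1 = _k1(key, usage)
    confounder = confounder if confounder is not None else os.urandom(8)
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes) -> bytes:
    """Decrypt and verify; a wrong key yields garbage whose HMAC-MD5 does not match."""
    k1 = _k1(key, usage)
    checksum, ciphertext = edata[:16], edata[16:]
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, ciphertext)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        raise IntegrityError("Integrity check on decrypted field failed")
    return data[8:]   # strip the 8-byte confounder


def kdc_accepts_preauth(client_password: str, stored_password: str,
                        kdc_usage: int = KEY_USAGE_PA_ENC_TIMESTAMP) -> bool:
    """Simulated AS exchange: the client seals a timestamp under the key derived from
    the password it typed; the KDC opens it with the key it has on file."""
    client_key = rc4_hmac_string_to_key(client_password)
    kdc_key = rc4_hmac_string_to_key(stored_password)
    timestamp = b"20070423153302Z"   # constructed KerberosTime value, not real ASN.1
    pa_data = rc4_hmac_encrypt(client_key, KEY_USAGE_PA_ENC_TIMESTAMP, timestamp)
    try:
        return rc4_hmac_decrypt(kdc_key, kdc_usage, pa_data) == timestamp
    except IntegrityError:
        return False


if __name__ == "__main__":
    print("same password:", kdc_accepts_preauth("Passw0rd!", "Passw0rd!"))
    print("different password:", kdc_accepts_preauth("Passw0rd!", "passw0rd!"))
    print("wrong key usage at KDC:", kdc_accepts_preauth("Passw0rd!", "Passw0rd!", kdc_usage=2))
```

The three calls at the bottom show that the KDC sees exactly one symptom, a failed integrity check, whether the password differs by a single character or the two sides simply derived or used the key differently; nothing in the error distinguishes the cases, which is why the poster's plan of comparing the stored Krb5EncryptionType against the type the client actually uses is the right next diagnostic step.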

