directory-users mailing list archives

From "CORUM, M E [AG/1000]" <>
Subject RE: [ApacheDS] 1.5 Experience and Kerberos (any Kerberos experts out there?)
Date Mon, 23 Apr 2007 15:46:47 GMT

(Just an aside on the issue of not being able to load the ldif file on
startup in Windows.  It appears to be somehow related to the filename
itself.  I found that if the ldif filename started with "ad", then the
weird parsing took place and it always failed.  Perhaps this is an issue
that only occurs on Windows.)

Since I was trying to do Kerberos anyway, I found that
kerberos-example.ldif file and modified it for my environment.  I was
able to get it loaded.  I am using a different domain than
so I'm wondering if something in the server is hard-coded to  I had lots of trouble getting it to recognize anything
other than  I do have a partition matching my new domain
and was able to load the file from the startup and verify the entries in

Now, here is my next problem.  In my test code, I'm using JAAS with a
CallbackHandler to just shove in a password (rather than using a keytab)
since all of this is just for test code.  I'm trying to figure out what
value I need to provide for the userid (principal) from JAAS code.  For
now, I use userid@MY.DOMAIN.COM with the appropriate values of course.
When I do this, it fails with the following message in the IDE:

[ERROR] Mon Apr 23 10:33:02 CDT 2007 jcsi.kerberos: login failed:
Kerberos error creating ticket: Integrity checked on decrypted
field failed (Integrity check on decrypted field failed) Kerberos error creating
ticket: Integrity checked on
decrypted field failed (Integrity check on decrypted field failed)

Since the log file is set to INFO in the log4j properties file, all I
get is:

[10:33:01] ERROR
- Additional pre-authentication required
[10:33:02] ERROR
- Integrity check on decrypted field failed

I don't know what to do from here.  I'm using the exact same password
for all my users and it is the one I'm providing.  I'm using the
ldifFilters entry in server.xml to invoke Krb5KdcEntryFilter on loading
the users in the file so the krb5key and userPassword are set.  I
checked that in JXplorer and they are there.  So, I'm thinking I'll turn

Now, here is the bad part.  When I switch to have DEBUG
as the log level, the server WON'T START!  Bummer!  Here is the error
message I get trying to start the server with DEBUG as the log level
(this worked in 1.0.1 by the way):

[10:16:39] DEBUG
] - registered normalizer with oid:
[10:16:39] ERROR [] - Failed on, String[])
java.lang.ArrayIndexOutOfBoundsException: 0
	at java.lang.String.valueOf(Unknown Source)
	at java.lang.StringBuilder.append(Unknown Source)
	at javax.naming.spi.NamingManager.getInitialContext(Unknown
	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
	at javax.naming.InitialContext.init(Unknown Source)
	at javax.naming.InitialContext.<init>(Unknown Source)

When I flip back to INFO, the server starts fine but I can't get the
deep details in the log.

Can anybody help?

By the way, I'm wondering if the default algorithm for the key is
different.  I'm on Windows and used to using 23.  I noticed that the
Krb5EncryptionType is 3 rather than 23 in the directory so I'll look
into that to see if that is my problem with Kerberos.



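A minimal JAAS login of the kind described in the message above, added here as an illustration; it is not code from the original post or from ApacheDS. It uses the JDK's own com.sun.security.auth.module.Krb5LoginModule rather than the JCSI library that appears in the post's log, and the login-entry name, realm, KDC address, config-file path and credentials are assumed placeholders. After a successful login it reads the session-key type out of the issued TGT, which shows which Kerberos encryption type the KDC negotiated (in the IANA Kerberos registry etype 3 is des-cbc-md5 and etype 23 is rc4-hmac), the question raised at the end of the post; setting sun.security.krb5.debug additionally prints the encryption types offered and returned during the AS exchange.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: obtain a TGT through JAAS with a password supplied by a
 * CallbackHandler (no keytab), then report the TGT's session-key etype.
 *
 * Assumed JAAS configuration file (hypothetical path set in main):
 *
 *   KerberosTest {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=false
 *           debug=true;
 *   };
 */
public class KerberosPasswordLogin {

    /** Answers Krb5LoginModule's NameCallback and PasswordCallback with fixed values. */
    static final class FixedCredentialHandler implements CallbackHandler {
        private final String principal;
        private final char[] password;

        FixedCredentialHandler(String principal, char[] password) {
            this.principal = principal;
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    // Full principal "user@REALM"; if the realm is omitted the
                    // login module appends the default realm from the krb5 settings.
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Runs the JAAS login and returns the Subject holding the TGT; throws on failure. */
    static Subject login(String loginEntry, String principal, char[] password)
            throws LoginException {
        LoginContext lc = new LoginContext(loginEntry,
                new FixedCredentialHandler(principal, password));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Placeholder values for a test environment (assumed, not from the post).
        System.setProperty("java.security.auth.login.config", "jaas.conf");
        System.setProperty("java.security.krb5.realm", "MY.DOMAIN.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.test:88");
        // Prints the etypes offered by the client and returned by the KDC.
        System.setProperty("sun.security.krb5.debug", "true");

        Subject subject = login("KerberosTest",
                "userid@MY.DOMAIN.COM", "test-password".toCharArray());

        // The session-key etype is the one the KDC negotiated for this client;
        // compare it with the Krb5EncryptionType value stored in the directory.
        for (KerberosTicket tgt : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("TGT for " + tgt.getClient()
                    + " from " + tgt.getServer()
                    + ", session key etype " + tgt.getSessionKeyType());
        }
    }
}
```

Run it with the JAAS file in the working directory and the realm and KDC properties pointing at the ApacheDS instance; a failure in the pre-authentication step surfaces as a LoginException, while a successful login prints one line per ticket in the Subject.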