directory-users mailing list archives

From Aleksandar Vidakovic <spa...@gmx.net>
Subject Kerberos configuration with wrong user DN...
Date Mon, 14 Jan 2008 20:05:41 GMT
Salut all,

I'm trying to configure ApacheDS as a Kerberos server and used the
article under
http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html
as a reference.

I started with the "example.com" example and modified it later to my
needs. When I start ApacheDS with my modifications (only the domain and
user DN changed) no users can be found when I try to connect with:

kinit -k ldap/ldap.nviasms.eu@NVIASMS.EU

I am pretty sure that my LDAP configuration is OK. What I don't
understand is the content of the log file (see below). Obviously
something tries to search users under "ou=users,dc=example,dc=com" and I
am not sure if this is a mistake caused by the client or a wrong
ApacheDS configuration (my basedn is "dc=nviasms,dc=eu").

I already tried to delete ApacheDS's output directory and did a restart,
but I still have the same effect. And of course I created a new Kerberos
keytab file after modifying the server.xml configuration, but somehow
the "example.com" configuration still exists.

Is there some sort of cache that I'm not seeing? Does anyone know if
this is caused by a wrong configuration on the server or the client side?

Thanks in advance for your help.

Cheers,

Aleks


[20:38:20] DEBUG
[org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received
Authentication Service (AS) request:
        messageType:           initial authentication request (10)
        protocolVersionNumber: 5
        clientAddress:         127.0.1.1
        nonce:                 1200339500
        kdcOptions:            RENEWABLE_OK
        clientPrincipal:       ldap/ldap.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        encryptionType:        aes256-cts-hmac-sha1-96 (18),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23),
des-cbc-crc (1), des-cbc-md5 (3), des-cbc-md4 (2)
        realm:                 NVIASMS.EU
        from time:             20080114193820Z
        till time:             20080115193820Z
        renew-till time:       null
        hostAddresses:         null
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.kdc.SelectEncryptionType] -
Session will use encryption type des-cbc-md5 (3).
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Bind
operation. bindDn: uid=admin,ou=system
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - bind:
principal: null
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
Authenticating 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
0.9.2342.19200300.100.1.1=admin,2.5.4.11=system Authenticated
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Testing
if entry name = 'ou=users,dc=example,dc=com' exists
[20:38:20] DEBUG
[org.apache.directory.server.core.partition.DefaultPartitionNexus] -
Check if DN
'2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com'
exists.
[20:38:20] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Client not found in Kerberos database (6)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Client not found in Kerberos database
        at
org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:62)
        at
org.apache.directory.server.kerberos.kdc.authentication.GetClientEntry.execute(GetClientEntry.java:44)
        at
org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at
org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at
org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at
org.apache.directory.server.kerberos.kdc.SelectEncryptionType.execute(SelectEncryptionType.java:62)
        at
org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at
org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at
org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at
org.apache.directory.server.kerberos.kdc.authentication.ConfigureAuthenticationChain.execute(ConfigureAuthenticationChain.java:56)
        at
org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at
org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at
org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at
org.apache.directory.server.kerberos.kdc.MonitorRequest.execute(MonitorRequest.java:93)
        at
org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at
org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at
org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at
org.apache.mina.handler.chain.IoHandlerChain$1.execute(IoHandlerChain.java:63)
        at
org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at
org.apache.mina.handler.chain.IoHandlerChain.execute(IoHandlerChain.java:193)
        at
org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:162)
        at
org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
        at
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
        at
org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
        at
org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
        at
org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:220)
        at
org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:264)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
        at java.lang.Thread.run(Thread.java:595)
Caused by:
org.apache.directory.server.protocol.shared.ServiceConfigurationException:
Failed to get initial context ou=users,dc=example,dc=com
        at
org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:109)
        at
org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:88)
        at
org.apache.directory.server.kerberos.shared.store.JndiPrincipalStoreImpl.getPrincipal(JndiPrincipalStoreImpl.java:84)
        at
org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:58)
        ... 29 more
Caused by:
org.apache.directory.shared.ldap.exception.LdapNameNotFoundException:
ou=users,dc=example,dc=com
        at
org.apache.directory.server.core.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:1114)
        at
org.apache.directory.server.core.partition.DefaultPartitionNexus.hasEntry(DefaultPartitionNexus.java:1035)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$1.hasEntry(InterceptorChain.java:165)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at
org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at
org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at
org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at
org.apache.directory.server.core.exception.ExceptionService.assertHasEntry(ExceptionService.java:565)
        at
org.apache.directory.server.core.exception.ExceptionService.lookup(ExceptionService.java:291)
        at
org.apache.directory.server.core.interceptor.InterceptorChain.lookup(InterceptorChain.java:902)
        at
org.apache.directory.server.core.partition.PartitionNexusProxy.lookup(PartitionNexusProxy.java:546)
        at
org.apache.directory.server.core.authz.AuthorizationService.hasEntry(AuthorizationService.java:619)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at
org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at
org.apache.directory.server.core.authn.AuthenticationService.hasEntry(AuthenticationService.java:327)
        at
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at
org.apache.directory.server.core.normalization.NormalizationService.hasEntry(NormalizationService.java:356)
        at
org.apache.directory.server.core.interceptor.InterceptorChain.hasEntry(InterceptorChain.java:924)
        at
org.apache.directory.server.core.partition.PartitionNexusProxy.hasEntry(PartitionNexusProxy.java:568)
        at
org.apache.directory.server.core.partition.PartitionNexusProxy.hasEntry(PartitionNexusProxy.java:556)
        at
org.apache.directory.server.core.jndi.ServerContext.<init>(ServerContext.java:163)
        at
org.apache.directory.server.core.jndi.ServerDirContext.<init>(ServerDirContext.java:88)
        at
org.apache.directory.server.core.jndi.ServerLdapContext.<init>(ServerLdapContext.java:63)
        at
org.apache.directory.server.core.DefaultDirectoryService.getJndiContext(DefaultDirectoryService.java:195)
        at
org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:147)
        at
org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
        ... 32 more
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
        explanatory text:      Client not found in Kerberos database
        error code:            6
        clientPrincipal:       null
        client time:           20080114193820Z
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        server time:           null
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /127.0.1.1:32907 SENT:
org.apache.directory.server.kerberos.shared.messages.ErrorMessage@705d28
[20:38:20] DEBUG [org.apache.mina.filter.executor.ExecutorFilter] -
Exiting since queue is empty for /127.0.1.1:32907
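
Added example, not part of the original message and not ApacheDS code: a small Python check that unwraps a mail-wrapped KDC debug log like the one above and reports where the realm in the AS request disagrees with the search base DN or krbtgt realm the server actually used. The function names, the constructed sample excerpt, and the assumption that a realm maps to the `dc=` components of the base DN (NVIASMS.EU to dc=nviasms,dc=eu, as in this message) are illustrative.

```python
import re

# Constructed excerpt, in the same mail-wrapped form as the log in the message.
SAMPLE_LOG = """\
        clientPrincipal:       ldap/ldap.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        realm:                 NVIASMS.EU
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Testing
if entry name = 'ou=users,dc=example,dc=com' exists
Caused by:
org.apache.directory.server.protocol.shared.ServiceConfigurationException:
Failed to get initial context ou=users,dc=example,dc=com
        explanatory text:      Client not found in Kerberos database
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

def dn_to_realm(dn):
    """Map the dc= components of a DN to an upper-case realm name (assumed convention)."""
    dcs = re.findall(r"(?i)\bdc=([^,\s']+)", dn)
    return ".".join(dcs).upper()

def audit(log_text):
    """Return (requested_realm, findings) for one AS exchange in the log."""
    flat = " ".join(log_text.split())  # undo mail-client line wrapping
    m = re.search(r"\brealm:\s*(\S+)", flat)
    requested = m.group(1).upper() if m else None
    findings = []
    # Search bases the KDC's principal store failed to open.
    for dn in sorted(set(re.findall(r"Failed to get initial context (\S+)", flat))):
        if dn_to_realm(dn) != requested:
            findings.append(("search-base", dn))
    # Realms of every krbtgt principal logged (request and error reply).
    pattern = r"serverPrincipal:\s*krbtgt/[^@\s]+@(\S+)"
    for realm in sorted(set(re.findall(pattern, flat))):
        if realm.upper() != requested:
            findings.append(("krbtgt-realm", realm))
    return requested, findings

if __name__ == "__main__":
    realm, findings = audit(SAMPLE_LOG)
    print("requested realm:", realm)
    for kind, value in findings:
        print("mismatch:", kind, value)
```
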