From Aleksandar Vidakovic <spa...@gmx.net>
Subject Re: Kerberos configuration with wrong user DN...
Date Tue, 15 Jan 2008 11:26:12 GMT
Salut Emmanuel,

sorry to bother you again... but the change didn't help. There are two
things that I don't understand in the log files...

First I see this:

[log]

[12:11:13] DEBUG
[org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received
Authentication Service (AS) request:
        messageType:           initial authentication request (10)
        protocolVersionNumber: 5
        clientAddress:         127.0.1.1
        nonce:                 1200395473
        kdcOptions:            RENEWABLE_OK
        clientPrincipal:       ldap/ldap.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        encryptionType:        aes256-cts-hmac-sha1-96 (18),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23),
des-cbc-crc (1), des-cbc-md5 (3), des-cbc-md4 (2)
        realm:                 NVIASMS.EU
        from time:             20080115111113Z
        till time:             20080116111113Z
        renew-till time:       null
        hostAddresses:         null
[12:11:13] DEBUG
[org.apache.directory.server.kerberos.kdc.SelectEncryptionType] -
Session will use encryption type des-cbc-md5 (3).
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Bind
operation. bindDn: uid=admin,ou=system
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - bind:
principal: null
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
Authenticating 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
0.9.2342.19200300.100.1.1=admin,2.5.4.11=system Authenticated
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Testing
if entry name = 'ou=users,dc=example,dc=com' exists
[12:11:13] DEBUG
[org.apache.directory.server.core.partition.DefaultPartitionNexus] -
Check if DN
'2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com'
exists.
[12:11:13] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Client not found in Kerberos database (6)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Client not found in Kerberos database
        at
org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:62)
        at

...

[/log]

As I understand it this means that the client is sending the right
information and something is badly configured on the ApacheDS side. Right?

And then a little bit further I see this:

[log]

        at
org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
        ... 32 more
[12:11:13] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
        explanatory text:      Client not found in Kerberos database
        error code:            6
        clientPrincipal:       null
        client time:           20080115111113Z
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        server time:           null

[/log]

This is something that I wouldn't expect here; I did a new ApacheDS
installation and this entry doesn't exist in my LDIF that I am
importing. Is this log entry caused by the Kerberos client?

My keytab shows the following entries:

[console]

ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1          ldap/ldap.nviasms.eu@NVIASMS.EU

[/console]

Is there some sort of cache that I am not aware of?

Thanks for your help.

Cheers,

Aleks

Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> I am pretty sure that my LDAP configuration is OK. What I don't
>> understand is the content of the log file (see below). Obviously
>> something tries to search users under "ou=users,dc=example,dc=com" and I
>> am not sure if this is a mistake caused by the client or a wrong
>> ApacheDS configuration (my basedn is "dc=nviasms,dc=eu").
>>   
> Change this line in the server.xml file :
> 
> <property name="searchBaseDn" value="ou=users,ou=system" />
> 
> to :
> 
> <property name="searchBaseDn" value="dc=nviasms,dc=eu" />
> 
> assuming you have created a partition with this name to store the users.
> 
> (The searchBaseDn contains the place where the server will look for users)
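As an added example (not code from this thread or from ApacheDS), a small Python script that correlates the three relevant lines of the trace above: the realm of the client principal, the DN the KDC actually searched (decoded from the OID form ApacheDS logs), and error code 6, and flags a searchBaseDn that points outside the realm's partition. It assumes the convention that realm NVIASMS.EU is stored under dc=nviasms,dc=eu, as in Emmanuel's suggested value; the sample log lines are constructed from the trace in this message.

```python
import re

# Constructed sample, condensed from the ApacheDS trace quoted in the message above.
SAMPLE_LOG = """\
[12:11:13] DEBUG [org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received Authentication Service (AS) request:
        clientPrincipal:       ldap/ldap.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
[12:11:13] DEBUG [org.apache.directory.server.core.partition.DefaultPartitionNexus] - Check if DN '2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com' exists.
[12:11:13] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Client not found in Kerberos database (6)
"""

# Attribute-type OIDs that ApacheDS prints in normalized DNs (standard LDAP OIDs).
OID_TO_ATTR = {
    "2.5.4.11": "ou",
    "0.9.2342.19200300.100.1.25": "dc",
    "0.9.2342.19200300.100.1.1": "uid",
}

def denormalize_dn(dn):
    """'2.5.4.11=users,0.9.2342.19200300.100.1.25=example' -> 'ou=users,dc=example'."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{OID_TO_ATTR.get(attr, attr)}={value}")
    return ",".join(rdns)

def realm_to_base_dn(realm):
    """Assumed convention: realm NVIASMS.EU lives in the partition dc=nviasms,dc=eu."""
    return ",".join(f"dc={label.lower()}" for label in realm.split("."))

def analyze(log):
    """Correlate the AS request, the DN the KDC searched, and the Kerberos error code."""
    principal = re.search(r"clientPrincipal:\s+(\S+@(\S+))", log)
    searched = re.search(r"Check if DN '([^']+)' exists", log)
    not_found = re.search(r"Client not found in Kerberos database \((\d+)\)", log)
    result = {"client_principal": None, "expected_base": None, "searched_dn": None,
              "error_code": None, "base_mismatch": False}
    if principal:
        result["client_principal"] = principal.group(1)
        result["expected_base"] = realm_to_base_dn(principal.group(2))
    if searched:
        result["searched_dn"] = denormalize_dn(searched.group(1))
    if not_found:
        result["error_code"] = int(not_found.group(1))
    # Error 6 together with a search base outside the realm's partition points at searchBaseDn.
    if result["error_code"] == 6 and result["expected_base"] and result["searched_dn"]:
        result["base_mismatch"] = not result["searched_dn"].endswith(result["expected_base"])
    return result
```

Running `analyze(SAMPLE_LOG)` on the sample reports the searched DN as ou=users,dc=example,dc=com against an expected base of dc=nviasms,dc=eu, with the mismatch flag set.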

