directory-users mailing list archives

From Aleksandar Vidakovic <>
Subject Re: Kerberos configuration with wrong user DN...
Date Tue, 15 Jan 2008 11:26:12 GMT
Hi Emmanuel,

sorry to bother you again... but the change didn't help. There are two
things that I don't understand in the log files...

First I see this:


[12:11:13] DEBUG [] - Received Authentication Service (AS) request:
        messageType:           initial authentication request (10)
        protocolVersionNumber: 5
        nonce:                 1200395473
        kdcOptions:            RENEWABLE_OK
        clientPrincipal:       ldap/
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        encryptionType:        aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3), des-cbc-md4 (2)
        realm:                 NVIASMS.EU
        from time:             20080115111113Z
        till time:             20080116111113Z
        renew-till time:       null
        hostAddresses:         null
[12:11:13] DEBUG [] - Session will use encryption type des-cbc-md5 (3).
[12:11:13] DEBUG [] - Bind operation. bindDn: uid=admin,ou=system
[12:11:13] DEBUG [] - bind: principal: null
[12:11:13] DEBUG [] - Authenticating 0.9.2342.19200300.100.1.1=admin,
[12:11:13] DEBUG [] - 0.9.2342.19200300.100.1.1=admin, Authenticated
[12:11:13] DEBUG [] - Testing if entry name = 'ou=users,dc=example,dc=com' exists
[12:11:13] DEBUG [] - Check if DN
[12:11:13] WARN - Client not found in Kerberos database (6)
Client not found in Kerberos database

As I understand it, this means that the client is sending the right
information and something is badly configured on the ApacheDS side. Right?

And then a little bit further I see this:


        ... 32 more
[12:11:13] DEBUG - Responding to request with error:
        explanatory text:      Client not found in Kerberos database
        error code:            6
        clientPrincipal:       null
        client time:           20080115111113Z
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        server time:           null

This is something that I wouldn't expect here; I did a new ApacheDS
installation and this entry doesn't exist in the LDIF that I am
importing. Is this log entry caused by the Kerberos client?

My keytab shows the following entries:


ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ----
   1    1          ldap/

Is there some sort of cache that I am not aware of?

Thanks for your help.
Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> I am pretty sure that my LDAP configuration is OK. What I don't
>> understand is the content of the log file (see below). Obviously
>> something tries to search users under "ou=users,dc=example,dc=com" and I
>> am not sure if this is a mistake caused by the client or a wrong
>> ApacheDS configuration (my basedn is "dc=nviasms,dc=eu").
> Change this line in the server.xml file:
> <property name="searchBaseDn" value="ou=users,ou=system" />
> to :
> <property name="searchBaseDn" value="dc=nviasms,dc=eu" />
> assuming you have created a partition with this name to store the users.
> (The searchBaseDn contains the place where the server will look for users)
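
The two excerpts quoted in this message disagree about the realm: the AS request names NVIASMS.EU, while the error response names krbtgt/EXAMPLE.COM@EXAMPLE.COM. The checker below, added here as an example and not code from the thread or from ApacheDS, parses that log layout and reports the requested realm, the realm in the KDC's error response and the RFC 4120 name of the error code, so the disagreement can be compared against the KDC realm and searchBaseDn settings. The sample log, and the client host name inside it, are constructed.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the ApacheDS KDC debug output quoted in the
# thread above; the client host name is a made-up placeholder.
SAMPLE_LOG = """\
[12:11:13] DEBUG [] - Received Authentication Service (AS) request:
        clientPrincipal:       ldap/kdc.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        realm:                 NVIASMS.EU
[12:11:13] WARN - Client not found in Kerberos database (6)
[12:11:13] DEBUG - Responding to request with error:
        explanatory text:      Client not found in Kerberos database
        error code:            6
        clientPrincipal:       null
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
# KRB-ERROR codes from RFC 4120 that show up in this kind of log.
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}
HEADER = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(\w+)\b.*?-\s*(.*)$")
FIELD = re.compile(r"^\s+([\w\- ]+?):\s+(.*)$")

def parse_kdc_log(text: str) -> List[Dict[str, str]]:
    """Group each timestamped line with the indented key/value lines under it."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": m.group(1), "message": m.group(2).strip()})
        elif records and (f := FIELD.match(line)):
            records[-1][f.group(1).strip()] = f.group(2).strip()
    return records

def realm_of(principal: str) -> str:
    # Realm part of name@REALM; empty string when the principal carries none.
    return principal.rsplit("@", 1)[1] if "@" in principal else ""

def diagnose(text: str) -> Dict[str, object]:
    """Compare the realm the client asked for with the realm the KDC answered from."""
    recs = parse_kdc_log(text)
    req = next((r for r in recs if r["message"].startswith("Received Authentication")), {})
    err = next((r for r in recs if r["message"].startswith("Responding to request")), {})
    code = int(err.get("error code") or 0)
    requested, answered = req.get("realm", ""), realm_of(err.get("serverPrincipal", ""))
    return {
        "client": req.get("clientPrincipal"),
        "requested_realm": requested,
        "kdc_realm": answered,
        "realm_mismatch": bool(requested and answered and requested != answered),
        "error": KRB_ERRORS.get(code, f"unknown code {code}"),
    }
```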
