directory-users mailing list archives

From Lotfi KECIR <lotfi.ke...@ipcine.com>
Subject Re: ApacheDS and kerberos problems
Date Wed, 30 Jun 2010 07:25:05 GMT

Hi everybody.
I was able to be authenticated to Kerberos.
My problem was not in the config but on my client machine.

There were some packages missing, so I deleted all packages related to krb5
and installed these three: krb5-user heimdal-kcm heimdal-kdc
kinit hnelson@EXAMPLE.COM worked on my client machine.


My question now is how to authenticate users by their login/password when their machine
starts up.

I'm really a newbie in Kerberos and ApacheDS (3 weeks).

Behind this I would like to serve some filesystems using Samba. Is there a way to configure
ApacheDS in order to do such stuff?

------
client| user types his login/pwd                                                 export filesystem
login |-------------------------------|Apache DS        |-----------------------|Samba / NFS|
------                                Check the user in LDAP directory

                                       Tells Samba server what to serve to the user

Hope that I'm clear.

Thank you guys.


----- Original message -----
From: "Stefan Seelmann" <seelmann@apache.org>
To: users@directory.apache.org
Sent: Monday, 28 June 2010 17:18:02
Subject: Re: ApacheDS and kerberos problems

> I tried to authenticate the same user using Apache Directory Studio and I
> got GSSAPI errors:
>
> L'authentification a échouée (authentication failed in English)
>  - GSSAPI
>  javax.naming.AuthenticationException: GSSAPI [Root exception is
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Server
> not found in Kerberos database (7) - Server not found in Kerberos
> database)]]
...
> my connection settings are:
> for the first screen:
>   as I work on a distant workstation:
>    I put in the network parameters:
>    hostname 10.0.10.22 (IP address of my ApacheDS)
>    port 10389

Seems there is a problem locating the service principal for the LDAP
service.

Kerberos is very accurate regarding host names, if possible use the
FQDN instead of the IP address. Also make sure that the clock on your
machines is in sync.

Please check:
- the LDAP server principal (uid=ldap,ou=Users,dc=example,dc=com) must
not contain "localhost" but your FQDN (or IP address)
- same for attributes saslHost and saslPrincipal in server.xml

Also check the ApacheDS logs (with enabled debug log level as
described in the docu) which service principals are used in lookups.

> so I also tried to run this command on the server:
>   ldapsearch -b "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
> I got this output:
>   # ldapsearch -b "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
>   ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Same as above, check the logs and make sure the service principals use
the right host names.

An additional note: when using ldapsearch you need to set SSF to 0
ldapsearch ... -Y GSSAPI -O "maxssf=0"

This seems to be a bug in ApacheDS...

HTH,
Stefan
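A small preflight script for the two items in Stefan's checklist, added here as an example (it is not from the thread and not part of ApacheDS): it reads saslHost and saslPrincipal from a server.xml, flags "localhost" or a bare IP address as the SASL host, and checks that the principal is ldap/<saslHost>@REALM. It assumes both values are XML attributes on the ldapServer element, and the server.xml fragments it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from ApacheDS): preflight check for
# Stefan's list. Assumes saslHost and saslPrincipal are XML attributes in
# server.xml; the sample fragments below are constructed, not real files.

# Return 0 if $1 is a host name Kerberos can match against a service
# principal: not "localhost" and not a dotted-quad IP address.
is_fqdn() {
  case "$1" in
    localhost|localhost.localdomain) return 1 ;;
    *[!0-9.]*) case "$1" in *.*) return 0 ;; *) return 1 ;; esac ;;
    *) return 1 ;;   # only digits and dots: an IP address, not a name
  esac
}

# Read saslHost/saslPrincipal from server.xml ($1), print each finding and
# return the number of problems (0 means the SASL host settings look right).
check_sasl_config() {
  host=$(sed -n 's/.*saslHost="\([^"]*\)".*/\1/p' "$1" | head -n 1)
  princ=$(sed -n 's/.*saslPrincipal="\([^"]*\)".*/\1/p' "$1" | head -n 1)
  problems=0
  if ! is_fqdn "$host"; then
    echo "saslHost=\"$host\" is not an FQDN (localhost or IP address)"
    problems=$((problems + 1))
  fi
  case "$princ" in
    "ldap/$host@"*) ;;   # service principal matches the SASL host
    *) echo "saslPrincipal=\"$princ\" does not match ldap/$host@REALM"
       problems=$((problems + 1)) ;;
  esac
  return "$problems"
}

# Constructed server.xml fragments: $1 gets the localhost misconfiguration
# discussed in the thread, $2 the corrected FQDN form.
write_samples() {
  cat > "$1" <<'EOF'
<ldapServer id="ldapServer" saslHost="localhost"
    saslPrincipal="ldap/localhost@EXAMPLE.COM"/>
EOF
  cat > "$2" <<'EOF'
<ldapServer id="ldapServer" saslHost="ldap.example.com"
    saslPrincipal="ldap/ldap.example.com@EXAMPLE.COM"/>
EOF
}

# Stand-alone run: check both samples, then clean up.
tmp=$(mktemp -d)
write_samples "$tmp/bad.xml" "$tmp/good.xml"
for f in "$tmp/bad.xml" "$tmp/good.xml"; do echo "== $f"; check_sasl_config "$f" && echo OK; done
rm -r "$tmp"
```

Once the principal and SASL host agree, the ldapsearch test from the reply still needs `-O maxssf=0` against this ApacheDS version.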
