directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Seelmann <>
Subject Re: ApacheDS and kerberos problems
Date Mon, 28 Jun 2010 15:18:02 GMT
> i tried to authenticate the same user using apache directory Studio i
> got GSSAPI erros:
> L'authentification a échouée (authentication failed in english)
>  javax.naming.AuthenticationException: GSSAPI [Root exception is
> GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Server not
> found in Kerberos database (7) - Server not found in Kerberos
> database)]]
> my connection settings are:
> for the first screen:
>   as i work on distant workstation:
>    i put in the network parameters:
>    hostname (ip address of my Apache DS)
>    port 10389

Seems there is a problem to locate the service principal for the LDAP service.

Kerberos is very accurate regarding host names, if possible use the
FQDN instead of the IP address. Also make sure that the clock on your
machines is in sync.

Please check:
- the LDAP server principal (uid=ldap,ou=Users,dc=example,dc=com) must
not contain "localhost" but your FQDN (or IP address)
- same for attributes saslHost and saslPrincipal in server.xml

Also check the ApacheDS logs (with enabled debug log level as
described in the docu) which service principals are used in lookups.

> so i tried also to run this command on the server : ldapsearch -b
> "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
> i got this output:
>                  # ldapsearch -b "dc=example,dc=com" "(uid=hnelson)" -Y
>                    ldap_sasl_interactive_bind_s: Unknown authentication
> method (-6)

Same as above, check the logs and make sure the service principals use
the right host names.

An additional note: when using ldapsearch you need to set SSF to 0
  ldapsearch ... -Y GSSAPI -O "maxssf=0"

This seems to be a bug in ApacheDS...


View raw message