Date: Mon, 28 Jun 2010 17:18:02 +0200
Subject: Re: ApacheDS and kerberos problems
From: Stefan Seelmann
To: users@directory.apache.org

> I tried to authenticate the same user using Apache Directory Studio; I
> got GSSAPI errors:
>
> L'authentification a échouée (authentication failed in English)
>  - GSSAPI
>  javax.naming.AuthenticationException: GSSAPI [Root exception is
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Server not
> found in Kerberos database (7) - Server not found in Kerberos
> database)]]
...
> my connection settings are:
> for the first screen:
>   as I work on a distant workstation:
>    I put in the network parameters:
>    hostname 10.0.10.22 (ip address of my Apache DS)
>    port 10389

Seems there is a problem locating the service principal for the LDAP
service. Kerberos is very accurate regarding host names, if possible use
the FQDN instead of the IP address. Also make sure that the clock on
your machines is in sync.

Please check:
- the LDAP server principal (uid=ldap,ou=Users,dc=example,dc=com) must
  not contain "localhost" but your FQDN (or IP address)
- same for attributes saslHost and saslPrincipal in server.xml

Also check the ApacheDS logs (with enabled debug log level as
described in the docu) which service principals are used in lookups.

> so I tried also to run this command on the server: ldapsearch -b
> "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
> I got this output:
>          # ldapsearch -b "dc=example,dc=com" "(uid=hnelson)" -Y
> GSSAPI
>           ldap_sasl_interactive_bind_s: Unknown authentication
> method (-6)

Same as above, check the logs and make sure the service principals use
the right host names.

An additional note: when using ldapsearch you need to set SSF to 0

  ldapsearch ... -Y GSSAPI -O "maxssf=0"

This seems to be a bug in ApacheDS...

HTH,
Stefan
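
Added example, not part of the original message and not ApacheDS code: a small Python check for the host-name points listed in the reply, comparing the host the client connects to with the saslHost and saslPrincipal values. It assumes the client requests the service principal ldap/<host it connects to>@REALM without DNS canonicalisation; the function names, the realm EXAMPLE.COM and the host ldap.example.com are constructed for illustration.

```python
import ipaddress


def parse_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, _, realm = principal.partition("@")
    service, sep, host = name.partition("/")
    if not sep or not host:
        raise ValueError(f"not a service principal: {principal!r}")
    return service, host, realm


def host_problem(host):
    """Return why a host name is a poor Kerberos identity, or None."""
    if host.lower().split(".")[0] == "localhost":
        return "is localhost; use the server's FQDN"
    try:
        ipaddress.ip_address(host)
        return "is an IP literal; prefer the FQDN"
    except ValueError:
        pass
    if "." not in host:
        return "is a short name, not an FQDN"
    return None


def check_gssapi_names(connect_host, sasl_host, sasl_principal):
    """Compare the host the client connects to with the server-side names.

    Assumption: the client asks the KDC for ldap/<connect_host>@REALM.
    """
    findings = []
    service, spn_host, realm = parse_principal(sasl_principal)
    if service != "ldap":
        findings.append(f"saslPrincipal service is {service!r}, expected 'ldap'")
    if not realm:
        findings.append("saslPrincipal has no @REALM part")
    names = {"connect host": connect_host, "saslHost": sasl_host,
             "saslPrincipal host": spn_host}
    for label, host in names.items():
        problem = host_problem(host)
        if problem:
            findings.append(f"{label} {host!r} {problem}")
    if len({h.lower() for h in names.values()}) > 1:
        findings.append("host names differ: " + ", ".join(
            f"{k}={v}" for k, v in names.items()))
    return findings


if __name__ == "__main__":
    # Constructed sample: connect by IP while the server side says localhost.
    for line in check_gssapi_names("10.0.10.22", "localhost",
                                   "ldap/localhost@EXAMPLE.COM"):
        print(line)
```

An empty result means all three names agree and are fully qualified; any finding is a candidate cause of "Server not found in Kerberos database".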