directory-users mailing list archives

From "バーチャル クリストファー" <birch...@infoscience.co.jp>
Subject Re: ApacheDS + GSSAPI/Kerberos problem "Failed to find any Kerberos Key"
Date Tue, 14 Jun 2011 08:16:58 GMT
Amila,

Thanks for the help. However, my passwords are actually stored in plain
text, so I don't think this is the problem.

I used Apache Directory Studio to create the ldif file, and it appears
to automatically hash the passwords when you export as LDIF.

Thanks,

Chris.


On 2011/06/10 18:33, Amila Jayasekara wrote:
> Hi Chris,
>
> According to your ldif file you are using hashed passwords.
> From my experience, the ApacheDS Kerberos implementation only works with plain
> text passwords. But I am not aware of the latest improvements, so I may be
> wrong.
>
> Thanks
> AmilaJ
>
> 2011/6/2 バーチャル クリストファー <birchall@infoscience.co.jp>
>
>> Hello,
>>
>> I'm trying to set up ApacheDS 1.5.7 on Linux with Kerberos authentication.
>>
>> I basically followed this tutorial to the letter:
>>
>> http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html
>>
>> However, I am using a custom realm and hostname, instead of the
>> localhost and EXAMPLE.COM used in the tutorial.
>> (Incidentally, I had to add "primaryRealm" and "kdcPrincipal" attributes
>> to the kdcServer attribute in server.xml to get my custom realm to work
>> correctly.)
>>
>> I have 3 users: kerbuser, krbtgt and ldap. See attached LDIF file for
>> details.
>> All users have their krb5Key automatically generated by the
>> KeyDerivationInterceptor.
>>
>> Authenticating with kinit works fine for all 3 users:
>>
>> kinit kerbuser
>> kinit krbtgt/INFOSCIENCE.CO.JP
>> kinit ldap/logst20.dev.infoscience.co.jp
>>
>> all work as expected, run either locally or remotely.
>>
>> However, when I try to log in to ApacheDS using Directory Studio, I get
>> "javax.naming.CommunicationException: Request: 1 cancelled".
>> Looking at the Kerberos log server-side (see attached file), I find the
>> message "Failed to find any Kerberos Key". It looks like it cannot find
>> the Kerberos key for the "ldap" user. This is strange, because this user
>> has its krb5Key attribute set correctly, just like the other users. Do I
>> need to copy this key to somewhere else, e.g. a keytab file?
>>
>> I've spent days battling with this problem and I'm out of ideas. Can
>> anybody shed some light on this?
>>
>> Thanks,
>>
>> Chris Birchall.
>>
>>
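
Added example, not part of the original thread: in an LDIF file a `userPassword::` value is base64-encoded (RFC 2849), so it has to be decoded before one can tell whether the stored value is plain text or carries a hash scheme prefix such as `{SSHA}`. The DNs, passwords and digest below are constructed sample data, not the LDIF attached to the thread.

```python
import base64
import re

# RFC 2307-style storage scheme prefix, e.g. {SSHA}, {SHA}, {MD5}, {CRYPT}
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")

def unfold(ldif_text):
    """Join RFC 2849 continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attr_value(line):
    """Return the raw bytes of an 'attr: value' or 'attr:: base64' line."""
    rest = line.split(":", 1)[1]
    if rest.startswith(":"):  # '::' marks a base64-encoded value
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()

def classify_passwords(ldif_text):
    """Map each entry DN to 'plaintext' or 'hashed:<SCHEME>'."""
    results, dn = {}, None
    for line in unfold(ldif_text):
        name = line.split(":", 1)[0].lower()
        if name == "dn":
            dn = attr_value(line).decode()
        elif name == "userpassword":
            m = SCHEME_RE.match(attr_value(line))
            results[dn] = f"hashed:{m.group(1).decode().upper()}" if m else "plaintext"
    return results

# Constructed sample data (not the LDIF attached to the thread).
_ssha = b"{SSHA}" + base64.b64encode(b"\x00" * 24)  # placeholder digest + salt
_b64 = base64.b64encode(_ssha).decode()
SAMPLE_LDIF = (
    "dn: uid=kerbuser,ou=users,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(b"secret").decode() + "\n\n"
    "dn: uid=ldap,ou=users,dc=example,dc=com\n"
    "userPassword:: " + _b64[:20] + "\n " + _b64[20:] + "\n"  # folded value
)

if __name__ == "__main__":
    for dn, kind in classify_passwords(SAMPLE_LDIF).items():
        print(f"{kind:12} {dn}")
```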


