directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Kerberos in ApacheDS2.0.0-M9
Date Mon, 21 Jan 2013 07:51:25 GMT
You need to change two things in the config entry ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config:

 1. change the value of ads-searchbasedn to ou=users,dc=example,dc=com in the entry
 2. change the value of ads-saslprincipal to ldap/localhost@EXAMPLE.COM

Additionally, check the values of ads-krbencryptiontypes in the config entry ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config.

Restart the server and try again.
HTH
On Sat, Jan 19, 2013 at 3:31 AM, Stephen Stroiazzo <
sstroiazzo@aimrecyclinggroup.com> wrote:

> Would it be possible to throw together a quick page on properly configuring
> Kerberos in the 2.0.0-M9 version of ApacheDS? Currently the default
> settings for the LDAP and Kerberos servers are properly laid out in the
> configuration pages, however the specific user accounts that they relate to
> 'krbtgt/EXAMPLE.COM@EXAMPLE.COM' and 'ldap/ldap.example.com@EXAMPLE.COM' no
> longer appear.
>
> If an updated .ldif could be attached somewhere in the new documentation
> and include the default accounts and settings necessary to allow Kerberos
> authentication through Apache Directory Studio - that would make things
> much easier for new users such as myself.
>
> I have not been having success while trying to alter the older 1.5 versions
> of user accounts included in kdc-data.ldif and typically end up at a
> "server not found in kerberos database (7)" error. This has come up on both
> windows servers as well as ubuntu servers with modified host and krb5.conf
> files. Additionally I have also been making sure to enable the
> 'keyDerivationInterceptor' as well as the kerberos server itself and
> deleting/reimporting the user .ldif file to recreate the krb5 keys when
> necessary - although these steps are no longer included with the new 2.0.0
> documentation.
>
> Below is the .ldif for dc=example,dc=com that I have been basing most of my
> testing from, I've tried many small variations with the ldap and krbtgt
> principal names however have been unable to find one which works properly.
> In addition I have included a larger dump of the error message (as seen
> from my windows server, although the ubuntu one appears identical) below
> that - just in case.
>
> Thanks,
> Stephen
>
> dn: dc=example,dc=com
> objectClass: dcObject
> objectClass: organization
> objectClass: top
> dc: example
> o: example.com
>
> dn: ou=users,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: users
>
> dn: uid=hnelson,ou=users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: krb5principal
> objectClass: krb5kdcentry
> cn: Horatio Nelson
> sn: Nelson
> uid: hnelson
> userPassword: secret
> krb5PrincipalName: hnelson@EXAMPLE.COM
> krb5KeyVersionNumber: 0
>
> dn: uid=krbtgt,ou=users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: krb5principal
> objectClass: krb5kdcentry
> cn: KDC Service
> sn: Service
> uid: krbtgt
> userPassword: secret
> krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> krb5KeyVersionNumber: 0
>
> dn: uid=ldap,ou=users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: krb5principal
> objectClass: krb5kdcentry
> cn: LDAP
> sn: Service
> uid: ldap
> userPassword: secret
> krb5PrincipalName: ldap/localhost@EXAMPLE.COM
> krb5KeyVersionNumber: 0
>
> ==========================================================
>
> Error while opening connection
>  - java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
> org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
>     at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
>     at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
>     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Unknown Source)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459)
>     ... 8 more
> Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3783)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463)
>     ... 11 more
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3693)
>     ... 13 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     ... 15 more
> Caused by: KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database
>     at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
>     at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
>     at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
>     ... 18 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>     ... 24 more
>
> java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>
>
>
>
> Stephen Stroiazzo | Special Project Assistant | Information Technology | AIM Holding LP
>



-- 
Kiran Ayyagari
http://keydap.com
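An added pre-flight check for the fix Kiran describes, written by the editor; it is not code from this thread, from ApacheDS or from Apache Directory Studio. A GSSAPI client that connects to host H in realm R asks the KDC for a ticket for ldap/H@R, so that principal (and krbtgt/R@R) must exist under the search base the server is configured with, and ads-saslprincipal must be the same name. The script parses LDIF (including the `> `-quoted form it appears in above), reports the mismatches that produce "Server not found in Kerberos database (7)", and prints the modify-LDIF that applies the two config changes. It assumes one search base serves both the SASL user lookup and the KDC, and the sample LDIF below is constructed for the example (two principals in the layout Stephen posted).

```python
"""Consistency check for ApacheDS Kerberos/GSSAPI setup (editor's example)."""
import re

# Config entry named in Kiran's reply; attribute names as used on the page.
LDAP_SERVER_CONFIG_DN = "ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config"


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF text.

    Strips one level of '> ' mail quoting, unfolds continuation lines and
    skips comments. Base64 ('::') values are not needed here and not handled."""
    physical = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw)          # mail quoting, if any
        if line.startswith(" ") and physical:
            physical[-1] += line[1:]               # folded continuation line
        else:
            physical.append(line)
    entries, current = [], None
    for line in physical + [""]:                   # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        current = current if current is not None else {}
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return [(e["dn"][0], e) for e in entries if "dn" in e]


def dn_under(dn, base):
    """True if dn equals base or sits below it (case-insensitive)."""
    dn, base = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    return dn == base or dn.endswith("," + base)


def check_kdc_data(entries, search_base, realm, host, sasl_principal):
    """Return a list of problems; an empty list means the data is consistent."""
    problems = []
    by_principal = {}
    for dn, attrs in entries:
        for name in attrs.get("krb5principalname", []):
            by_principal[name] = (dn, {v.lower() for v in attrs.get("objectclass", [])})
    service = "ldap/%s@%s" % (host, realm)
    tgs = "krbtgt/%s@%s" % (realm, realm)
    for principal in (tgs, service):
        if principal not in by_principal:
            problems.append("%s is missing; the KDC answers 'Server not found in "
                            "Kerberos database (7)' for it" % principal)
            continue
        dn, ocs = by_principal[principal]
        if not dn_under(dn, search_base):
            problems.append("%s is at %s, outside search base %s" % (principal, dn, search_base))
        if not {"krb5principal", "krb5kdcentry"} <= ocs:
            problems.append("%s lacks objectClass krb5principal/krb5kdcentry" % principal)
    if sasl_principal != service:
        problems.append("ads-saslprincipal is %s but clients connecting to %s request %s"
                        % (sasl_principal, host, service))
    return problems


def config_modify_ldif(search_base, sasl_principal):
    """Modify-LDIF (ldapmodify or Studio's LDIF editor) applying Kiran's two changes."""
    return "\n".join([
        "dn: " + LDAP_SERVER_CONFIG_DN, "changetype: modify",
        "replace: ads-searchbasedn", "ads-searchbasedn: " + search_base, "-",
        "replace: ads-saslprincipal", "ads-saslprincipal: " + sasl_principal, "-", ""])


# Constructed sample: the TGS and LDAP service principals in the thread's layout.
SAMPLE_LDIF = """\
dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: secret
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    base, realm, sasl = "ou=users,dc=example,dc=com", "EXAMPLE.COM", "ldap/localhost@EXAMPLE.COM"
    for host in ("localhost", "ldap.example.com"):   # second host reproduces the error
        problems = check_kdc_data(entries, base, realm, host, sasl)
        print("client host %s: %s" % (host, "OK" if not problems else "PROBLEMS"))
        for p in problems:
            print("  - " + p)
    print(config_modify_ldif(base, sasl))
```

The script does not compare encryption types; Kiran's last point, checking ads-krbencryptiontypes on the kerberosServer entry against the client's krb5.conf, still has to be done by hand.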
