Posted to dev@directory.apache.org by Stefan Seelmann <se...@apache.org> on 2010/02/02 21:44:28 UTC
Re: Configuring Apache Directory studio with kerberos
Amila Suriarachchi wrote:
> I tried to do the authentication with the following values. (after
> following the given tutorial )
>
> Bind DN or user : hnelson@EXAMPLE.COM <ma...@EXAMPLE.COM>
> Bind Password : secret
>
> At kerberos settings
>
> set : Obtain TGT from KDC
> set : Use Native System Configuration
That's ok.
> Then tried to Authenticate and got the following exception at client side
>
> The authentication failed
> - Request: 1 cancelled
> javax.naming.CommunicationException: Request: 1 cancelled
snip
> And following at server side.
>
> [18:41:16] WARN
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> - Additional pre-authentication required (25)
> [18:41:16] WARN
> [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
> - No server entry found for kerberos principal name
> ldap/localhost@EXAMPLE.COM
Sorry, there was a small bug in the server.xml. Please set the
searchBaseDn of ldapServer:
<ldapServer ...
saslHost="localhost"
saslPrincipal="ldap/localhost@EXAMPLE.COM"
searchBaseDn="ou=users,dc=example,dc=com"
...>
Kind Regards,
Stefan
Re: Configuring Apache Directory studio with kerberos
Posted by Amila Suriarachchi <am...@gmail.com>.
On Sun, Feb 7, 2010 at 6:59 PM, Stefan Seelmann <se...@apache.org> wrote:
> Amila Suriarachchi wrote:
>
>> All these samples use EXAMPLE.COM <http://EXAMPLE.COM> as the domain, on
>> the dc=example,dc=com partition.
>>
>>
>> Can I configure more than one domain in one kerberos server?
>>
>
> AFAIK this isn't possible yet. But you can use WS02.COM as the domain
> (realm).
>
>
>> I tried to add a different partition and the same set of users by editing the
>> ldif file. Please see the attachments.
>>
>> But I get this exception when trying to log in with hnelson@WSO2.COM
>>
>
> In your server.xml the searchBaseDN attribute in <kdcServer> is missing.
> And for <ldapServer> set the right values for saslHost, saslPrincipal and
> searchBaseDn.
>
Thanks Stefan, I got the following exceptions when I tried to rename the domain.
Actually, if I use the sample code, i.e. using the EXAMPLE.COM domain, then even
without specifying the searchBaseDn in either kdcServer or ldapServer it works
fine. But if I move the user entries to the ou=users,ou=system folder (by
changing the ldif file) then it does not work.
I renamed EXAMPLE.COM to WSO2.COM (please see the attached files). Then when
I tried to log in as hnelson@WSO2 it gives the following log output.
[10:56:08] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
Unexpected exception forcing session to close: sending disconnect notice to
client.
java.lang.NullPointerException
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:129)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
at
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:194)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:71)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
at java.lang.Thread.run(Thread.java:619)
[10:56:08] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
Null LdapSession given to cleanUpSession.
[10:56:49] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
Unexpected exception forcing session to close: sending disconnect notice to
client.
java.lang.NullPointerException
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:129)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
at
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:194)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:71)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
at java.lang.Thread.run(Thread.java:619)
[10:56:49] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
Null LdapSession given to cleanUpSession.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:53911 CREATED: datagram
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:53911 OPENED
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:53911 RCVD:
org.apache.directory.server.kerberos.shared.messages.KdcRequest@79429cb2
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Received Authentication Service (AS) request:
messageType: AS_REQ
protocolVersionNumber: 5
clientAddress: 127.0.0.1
nonce: 1265606836
kdcOptions:
clientPrincipal: hnelson@WSO2.COM
serverPrincipal: krbtgt/WSO2.COM@WSO2.COM
encryptionType: des3-cbc-sha1-kd (16), des-cbc-md5 (3),
des-cbc-crc (1), aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17),
rc4-hmac (23)
realm: WSO2.COM
from time: null
till time: 19700101000000Z
renew-till time: null
hostAddresses: null
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Session will use encryption type des-cbc-md5 (3).
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] -
Found entry ServerEntry
dn[n]: uid=hnelson,ou=Users,dc=wso2,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
uid: hnelson
cn: Horatio Nelson
sn: Nelson
userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
krb5KeyVersionNumber: 0
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x64
0xE9 0x2C 0x3B 0xCD ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x05
0x83 0x07 0xC8 0x4B ...'
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x83
0x68 0x81 0xC3 0x62 ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x8C
0x52 0x4A 0x23 0xCE ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87
0x8D 0x80 0x14 0x60 ...'
krb5PrincipalName: hnelson@WSO2.COM
for kerberos principal name hnelson@WSO2.COM
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Verifying using SAM subsystem.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Verifying using encrypted timestamp.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Entry for client principal hnelson@WSO2.COM has no SAM type. Proceeding
with standard pre-authentication.
[10:57:16] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Additional pre-authentication required (25)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Additional pre-authentication required
at
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:268)
at
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:106)
at
org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
at
org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:425)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Responding to request with error:
explanatory text: Additional pre-authentication required
error code: 25
clientPrincipal: null
client time: null
serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
server time: 20100208052716Z
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:53911 SENT:
org.apache.directory.server.kerberos.shared.messages.ErrorMessage@59c958af
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:34535 CREATED: datagram
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:34535 OPENED
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:34535 RCVD:
org.apache.directory.server.kerberos.shared.messages.KdcRequest@42bd93cd
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Received Authentication Service (AS) request:
messageType: AS_REQ
protocolVersionNumber: 5
clientAddress: 127.0.0.1
nonce: 1265606837
kdcOptions:
clientPrincipal: hnelson@WSO2.COM
serverPrincipal: krbtgt/WSO2.COM@WSO2.COM
encryptionType: des-cbc-md5 (3)
realm: WSO2.COM
from time: null
till time: 19700101000000Z
renew-till time: null
hostAddresses: null
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Session will use encryption type des-cbc-md5 (3).
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] -
Found entry ServerEntry
dn[n]: uid=hnelson,ou=Users,dc=wso2,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
uid: hnelson
cn: Horatio Nelson
sn: Nelson
userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
krb5KeyVersionNumber: 0
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x64
0xE9 0x2C 0x3B 0xCD ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x05
0x83 0x07 0xC8 0x4B ...'
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x83
0x68 0x81 0xC3 0x62 ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x8C
0x52 0x4A 0x23 0xCE ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87
0x8D 0x80 0x14 0x60 ...'
krb5PrincipalName: hnelson@WSO2.COM
for kerberos principal name hnelson@WSO2.COM
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Verifying using SAM subsystem.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Verifying using encrypted timestamp.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Entry for client principal hnelson@WSO2.COM has no SAM type. Proceeding
with standard pre-authentication.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Pre-authentication by encrypted timestamp successful for hnelson@WSO2.COM.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] -
Found entry ServerEntry
dn[n]: uid=krbtgt,ou=Users,dc=wso2,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
uid: krbtgt
cn: KDC Service
sn: Service
userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
krb5KeyVersionNumber: 0
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x5E
0x3D 0x94 0x40 0xF2 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xF3
0x35 0xE9 0x1E 0x37 ...'
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0xD0
0x01 0xFE 0x00 0xFB ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xBF
0x1C 0x92 0x7A 0xDA ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87
0x8D 0x80 0x14 0x60 ...'
krb5PrincipalName: krbtgt/WSO2.COM@WSO2.COM
for kerberos principal name krbtgt/WSO2.COM@WSO2.COM
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Ticket will be issued for access to krbtgt/WSO2.COM@WSO2.COM.
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Monitoring Authentication Service (AS) context:
clockSkew 300000
clientAddress /127.0.0.1
principal hnelson@WSO2.COM
cn null
realm null
principal hnelson@WSO2.COM
SAM type null
principal krbtgt/WSO2.COM@WSO2.COM
cn null
realm null
principal krbtgt/WSO2.COM@WSO2.COM
SAM type null
Request key type des-cbc-md5 (3)
Client key version 0
Server key version 0
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Responding with Authentication Service (AS) reply:
messageType: AS_REP
protocolVersionNumber: 5
nonce: 1265606837
clientPrincipal: hnelson@WSO2.COM
client realm: WSO2.COM
serverPrincipal: krbtgt/WSO2.COM@WSO2.COM
server realm: WSO2.COM
auth time: 20100208052716Z
start time: null
end time: 20100209052716Z
renew-till time: null
hostAddresses: null
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:34535 SENT:
org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@7f9480b8
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:50621 CREATED: datagram
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:50621 OPENED
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:50621 RCVD:
org.apache.directory.server.kerberos.shared.messages.KdcRequest@6e8ef177
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService]
- Received Ticket-Granting Service (TGS) request:
messageType: TGS_REQ
protocolVersionNumber: 5
clientAddress: 127.0.0.1
nonce: 1265606838
kdcOptions:
clientPrincipal: null
serverPrincipal: ldap/localhost@WSO2.COM
encryptionType: des3-cbc-sha1-kd (16), des-cbc-md5 (3),
des-cbc-crc (1), aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17),
rc4-hmac (23)
realm: WSO2.COM
from time: null
till time: 19700101000000Z
renew-till time: null
hostAddresses: null
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService]
- Session will use encryption type des-cbc-md5 (3).
[10:57:16] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
The ticket isn't for us (35)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
The ticket isn't for us
at
org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.verifyTgt(TicketGrantingService.java:232)
at
org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.execute(TicketGrantingService.java:99)
at
org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:158)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
at
org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:425)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Responding to request with error:
explanatory text: The ticket isn't for us
error code: 35
clientPrincipal: null
client time: null
serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
server time: 20100208052716Z
[10:57:16] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:50621 SENT:
org.apache.directory.server.kerberos.shared.messages.ErrorMessage@63a6b16f
1. [10:57:16] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Entry for client principal hnelson@WSO2.COM has no SAM type. Proceeding
with standard pre-authentication.
What is SAM type?
2. [10:57:16] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
The ticket isn't for us (35)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
The ticket isn't for us
It seems that the server tries to check it with krbtgt/EXAMPLE.COM@EXAMPLE.COM.
I am not sure where that came from.
3. How does ApacheDS search for the client and server principals?
thanks,
Amila.
> Kind Regards,
> Stefan
>
>
--
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/
Re: Configuring Apache Directory studio with kerberos
Posted by Stefan Seelmann <se...@apache.org>.
Amila Suriarachchi wrote:
> All these samples use EXAMPLE.COM <http://EXAMPLE.COM> as the domain,
> on the dc=example,dc=com partition.
>
> Can I configure more than one domain in one kerberos server?
AFAIK this isn't possible yet. But you can use WS02.COM as the domain
(realm).
> I tried to add a different partition and the same set of users by editing the
> ldif file. Please see the attachments.
>
> But I get this exception when trying to log in with hnelson@WSO2.COM
In your server.xml the searchBaseDN attribute in <kdcServer> is missing.
And for <ldapServer> set the right values for saslHost, saslPrincipal
and searchBaseDn.
Kind Regards,
Stefan
Re: Configuring Apache Directory studio with kerberos
Posted by Amila Suriarachchi <am...@gmail.com>.
On Sat, Feb 6, 2010 at 2:29 PM, Stefan Seelmann <se...@apache.org> wrote:
> Amila Suriarachchi schrieb:
>
> That works. Thanks.
>>
>> How can I start the KDCServer programmatically? I start the ldap server as
>> follows,
>>
>
> Sure you can, see the following test case [1].
>
Thanks, it worked.
All these samples use EXAMPLE.COM as the domain, on the dc=example,dc=com
partition.
Can I configure more than one domain in one kerberos server?
I tried to add a different partition and the same set of users by editing the
ldif file. Please see the attachments.
But I get this exception when trying to log in with hnelson@WSO2.COM.
[14:49:47] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:51219 CREATED: datagram
[14:49:47] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:51219 OPENED
[14:49:47] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:51219 RCVD:
org.apache.directory.server.kerberos.shared.messages.KdcRequest@2f49f041
[14:49:47] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Received Authentication Service (AS) request:
messageType: AS_REQ
protocolVersionNumber: 5
clientAddress: 127.0.0.1
nonce: 1265534387
kdcOptions:
clientPrincipal: hnelson@WSO2.COM
serverPrincipal: krbtgt/WSO2.COM@WSO2.COM
encryptionType: des-cbc-md5 (3), aes256-cts-hmac-sha1-96 (18),
des3-cbc-sha1-kd (16), des-cbc-crc (1), aes128-cts-hmac-sha1-96 (17),
rc4-hmac (23)
realm: WSO2.COM
from time: null
till time: 19700101000000Z
renew-till time: null
hostAddresses: null
[14:49:47] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Session will use encryption type des-cbc-md5 (3).
[14:49:47] WARN
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] -
No server entry found for kerberos principal name hnelson@WSO2.COM
[14:49:47] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Client not found in Kerberos database (6)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Client not found in Kerberos database
at
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.getEntry(AuthenticationService.java:747)
at
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.getClientEntry(AuthenticationService.java:152)
at
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:103)
at
org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
at
org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
at
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:425)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
at
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NullPointerException
at
org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:97)
at
org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:81)
at
org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:63)
at
org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore.getPrincipal(DirectoryPrincipalStore.java:71)
at
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.getEntry(AuthenticationService.java:743)
... 23 more
[14:49:47] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Responding to request with error:
explanatory text: Client not found in Kerberos database
error code: 6
clientPrincipal: null
client time: null
serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
server time: 20100207091947Z
[14:49:47] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:51219 SENT:
org.apache.directory.server.kerberos.shared.messages.ErrorMessage@67de0c09
[14:50:47] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /
127.0.0.1:51219 CLOSED
thanks,
Amila.
>
> Kind Regards,
> Stefan
>
>
>
> [1]
> http://svn.apache.org/repos/asf/directory/apacheds/tags/1.5.5/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
>
>
>
--
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/
Re: Configuring Apache Directory studio with kerberos
Posted by Stefan Seelmann <se...@apache.org>.
Amila Suriarachchi schrieb:
> That works. Thanks.
>
> How can I start the KDCServer programmatically? I start the ldap server as
> follows,
Sure you can, see the following test case [1].
Kind Regards,
Stefan
[1]http://svn.apache.org/repos/asf/directory/apacheds/tags/1.5.5/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
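Added example, not from the thread and not ApacheDS project code: it wires a KdcServer up next to an LdapServer in the way the pointers in this thread suggest, with searchBaseDn set on both servers, saslHost and saslPrincipal on the LDAP side, and the KDC's primary realm and krbtgt principal derived from the realm in use, so the EXAMPLE.COM to WSO2.COM rename becomes one parameter. The class EmbeddedKdc and its constructor parameters are hypothetical; the setter and package names are those of ApacheDS 1.5.5 as recalled here and should be checked against the linked SaslGssapiBindITest.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.handlers.bind.MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.SimpleMechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler;
import org.apache.directory.server.protocol.shared.transport.TcpTransport;
import org.apache.directory.server.protocol.shared.transport.UdpTransport;

/**
 * Hypothetical helper (not ApacheDS code) that starts an embedded KDC next to
 * an LDAP server, in the spirit of the SaslGssapiBindITest linked in the thread.
 * realm and usersBaseDn are parameters so that a rename such as
 * EXAMPLE.COM -> WSO2.COM (dc=example,dc=com -> dc=wso2,dc=com) is one change.
 */
public class EmbeddedKdc {

    private final LdapServer ldapServer = new LdapServer();
    private final KdcServer kdcServer = new KdcServer();

    public EmbeddedKdc(DirectoryService directoryService, String realm,
                       String usersBaseDn, String saslHost) {
        // Every principal lookup (client, krbtgt, ldap/<host>) is an LDAP search
        // below searchBaseDn. Leaving it unset is what the thread's logs show as
        // an NPE in GetPrincipal.getEntry and "Client not found in Kerberos
        // database (6)".
        kdcServer.setDirectoryService(directoryService);
        kdcServer.setSearchBaseDn(usersBaseDn);

        // The KDC's own realm and TGS principal must match the krbtgt entry in
        // the directory. The error responses in the thread still report
        // serverPrincipal krbtgt/EXAMPLE.COM@EXAMPLE.COM while the AS issued a
        // TGT for krbtgt/WSO2.COM@WSO2.COM, which is the mismatch behind
        // "The ticket isn't for us (35)".
        kdcServer.setPrimaryRealm(realm);
        kdcServer.setKdcPrincipal("krbtgt/" + realm + "@" + realm);
        kdcServer.setTransports(new UdpTransport(60088), new TcpTransport(60088));

        // LDAP side: GSSAPI binds are accepted for saslPrincipal, and the
        // authenticated principal is resolved below the same searchBaseDn
        // (the ldapServer fix from Stefan's first reply in this thread).
        ldapServer.setDirectoryService(directoryService);
        ldapServer.setAllowAnonymousAccess(false);
        ldapServer.setSearchBaseDn(usersBaseDn);
        ldapServer.setSaslHost(saslHost);
        ldapServer.setSaslPrincipal("ldap/" + saslHost + "@" + realm);
        ldapServer.setTransports(new TcpTransport(10389));

        Map<String, MechanismHandler> handlers = new HashMap<String, MechanismHandler>();
        handlers.put("SIMPLE", new SimpleMechanismHandler());
        handlers.put("GSSAPI", new GssapiMechanismHandler());
        ldapServer.setSaslMechanismHandlers(handlers);
    }

    /** Start the LDAP server first so the KDC can resolve principals from it. */
    public void start() throws Exception {
        ldapServer.start();
        kdcServer.start();
    }

    public void stop() {
        kdcServer.stop();
        ldapServer.stop();
    }

    public static void main(String[] args) throws Exception {
        // directoryServiceFromSomewhere is a placeholder for the caller's own
        // DirectoryService setup (Amila's DefaultCarbonService in the thread).
        DirectoryService ds = directoryServiceFromSomewhere();
        EmbeddedKdc server = new EmbeddedKdc(ds, "WSO2.COM",
                "ou=users,dc=wso2,dc=com", "localhost");
        server.start();
    }

    private static DirectoryService directoryServiceFromSomewhere() {
        throw new UnsupportedOperationException("supply your own DirectoryService");
    }
}
```

Entries below usersBaseDn still need krb5Key values (ApacheDS derives them from userPassword when the KeyDerivationInterceptor is in the directory service's interceptor chain); that part of the setup is not shown here.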
Re: Configuring Apache Directory studio with kerberos
Posted by Amila Suriarachchi <am...@gmail.com>.
That works. Thanks.
How can I start the KDCServer programmatically? I start the ldap server as
follows,
import java.util.HashMap;
import java.util.Map;

import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.handlers.bind.MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.SimpleMechanismHandler;
import org.apache.directory.server.protocol.shared.transport.TcpTransport;

// DefaultCarbonService and DirectoryServerException are the poster's own classes.
public class CarbonLdapServer {

    private final LdapServer ldapServer;

    public CarbonLdapServer(String workingDirectory) throws DirectoryServerException {
        this.ldapServer = new LdapServer();
        // set server initial properties
        this.ldapServer.setAllowAnonymousAccess(false);
        this.ldapServer.setSearchBaseDn("ou=system");
        this.ldapServer.setMaxTimeLimit(15000);
        this.ldapServer.setMaxSizeLimit(1000);
        // adding the tcp transport
        TcpTransport tcpTransport = new TcpTransport();
        tcpTransport.setAddress("localhost");
        tcpTransport.setEnableSSL(false);
        tcpTransport.setPort(10389);
        tcpTransport.setBackLog(50);
        tcpTransport.setNbThreads(8);
        this.ldapServer.setTransports(tcpTransport);
        // add the directory service
        DefaultCarbonService defaultCarbonService = new DefaultCarbonService();
        this.ldapServer.setDirectoryService(
                defaultCarbonService.getDefaultDirectoryService(workingDirectory));
        // adding the sasl mechanism handlers
        Map<String, MechanismHandler> mechanismHandlers = new HashMap<String, MechanismHandler>();
        mechanismHandlers.put("SIMPLE", new SimpleMechanismHandler());
        this.ldapServer.setSaslMechanismHandlers(mechanismHandlers);
    }

    public void start() throws DirectoryServerException {
        try {
            ldapServer.start();
        } catch (Exception e) {
            throw new DirectoryServerException("Can not start the server ", e);
        }
    }
}
Is there a similar way to start the KDC as well?
thanks,
Amila.
On Sat, Feb 6, 2010 at 8:58 AM, Amila Suriarachchi <
amilasuriarachchi@gmail.com> wrote:
>
>
> On Wed, Feb 3, 2010 at 2:14 AM, Stefan Seelmann <se...@apache.org>wrote:
>
>> Amila Suriarachchi wrote:
>>
>>> I tried to do the authentication with the following values. (after
>>> following the given tutorial )
>>>
>>> Bind DN or user : hnelson@EXAMPLE.COM <ma...@EXAMPLE.COM>
>>>
>>> Bind Password : secret
>>>
>>> At kerberos settings
>>>
>>> set : Obtain TGT from KDC
>>> set : Use Native System Configuration
>>>
>>
>> That's ok.
>>
>>
>> Then tried to Authenticate and got the following exception at client side
>>>
>>> The authentication failed
>>> - Request: 1 cancelled
>>> javax.naming.CommunicationException: Request: 1 cancelled
>>>
>> snip
>>
>> And following at server side.
>>>
>>> [18:41:16] WARN
>>> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
>>> Additional pre-authentication required (25)
>>> [18:41:16] WARN
>>> [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] -
>>> No server entry found for kerberos principal name ldap/
>>> localhost@EXAMPLE.COM
>>>
>>
>> Sorry, there was a small bug in the server.xml. Please set the
>> searchBaseDn of ldapServer:
>>
>> <ldapServer ...
>> saslHost="localhost"
>> saslPrincipal="ldap/localhost@EXAMPLE.COM"
>> searchBaseDn="ou=users,dc=example,dc=com"
>> ...>
>>
>
> Thanks for the info.
> I'll have a look with this change.
>
> thanks,
> Amila.
>
>>
>>
>> Kind Regards,
>> Stefan
>>
>>
>>
>>
>
>
> --
> Amila Suriarachchi
> WSO2 Inc.
> blog: http://amilachinthaka.blogspot.com/
>
--
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/
Re: Configuring Apache Directory studio with kerberos
Posted by Amila Suriarachchi <am...@gmail.com>.
On Wed, Feb 3, 2010 at 2:14 AM, Stefan Seelmann <se...@apache.org> wrote:
> Amila Suriarachchi wrote:
>
>> I tried to do the authentication with the following values. (after
>> following the given tutorial )
>>
>> Bind DN or user : hnelson@EXAMPLE.COM <ma...@EXAMPLE.COM>
>>
>> Bind Password : secret
>>
>> At kerberos settings
>>
>> set : Obtain TGT from KDC
>> set : Use Native System Configuration
>>
>
> That's ok.
>
>
> Then tried to Authenticate and got the following exception at client side
>>
>> The authentication failed
>> - Request: 1 cancelled
>> javax.naming.CommunicationException: Request: 1 cancelled
>>
> snip
>
> And following at server side.
>>
>> [18:41:16] WARN
>> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
>> Additional pre-authentication required (25)
>> [18:41:16] WARN
>> [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] -
>> No server entry found for kerberos principal name ldap/
>> localhost@EXAMPLE.COM
>>
>
> Sorry, there was a small bug in the server.xml. Please set the searchBaseDn
> of ldapServer:
>
> <ldapServer ...
> saslHost="localhost"
> saslPrincipal="ldap/localhost@EXAMPLE.COM"
> searchBaseDn="ou=users,dc=example,dc=com"
> ...>
>
Thanks for the info.
I'll have a look with this change.
thanks,
Amila.
>
>
> Kind Regards,
> Stefan
>
>
>
>
--
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/