Posted to users@directory.apache.org by Aleksandar Vidakovic <sp...@gmx.net> on 2008/01/14 21:05:41 UTC

Kerberos configuration with wrong user DN...

Salut all,

I'm trying to configure ApacheDS as a Kerberos server and used the
article under
http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html
as a reference.

I started with the "example.com" example and modified it later to my
needs. When I start ApacheDS with my modifications (only the domain and
user DN changed) no users can be found when I try to connect with:

kinit -k ldap/ldap.nviasms.eu@NVIASMS.EU

I am pretty sure that my LDAP configuration is OK. What I don't
understand is the content of the log file (see below). Obviously
something tries to search users under "ou=users,dc=example,dc=com" and I
am not sure if this is a mistake caused by the client or a wrong
ApacheDS configuration (my basedn is "dc=nviasms,dc=eu").

I already tried to delete ApacheDS's output directory and did a restart,
but I still have the same effect. And of course I created a new Kerberos
keytab file after modifying the server.xml configuration, but somehow
the "example.com" configuration still exists.

Is there some sort of cache that I'm not seeing? Does anyone know if
this is caused by a wrong configuration on the server or the client side?

Thanks in advance for your help.

Cheers,

Aleks


[20:38:20] DEBUG
[org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received
Authentication Service (AS) request:
        messageType:           initial authentication request (10)
        protocolVersionNumber: 5
        clientAddress:         127.0.1.1
        nonce:                 1200339500
        kdcOptions:            RENEWABLE_OK
        clientPrincipal:       ldap/ldap.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        encryptionType:        aes256-cts-hmac-sha1-96 (18),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23),
des-cbc-crc (1), des-cbc-md5 (3), des-cbc-md4 (2)
        realm:                 NVIASMS.EU
        from time:             20080114193820Z
        till time:             20080115193820Z
        renew-till time:       null
        hostAddresses:         null
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.kdc.SelectEncryptionType] -
Session will use encryption type des-cbc-md5 (3).
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Bind
operation. bindDn: uid=admin,ou=system
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - bind:
principal: null
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
Authenticating 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
0.9.2342.19200300.100.1.1=admin,2.5.4.11=system Authenticated
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Testing
if entry name = 'ou=users,dc=example,dc=com' exists
[20:38:20] DEBUG
[org.apache.directory.server.core.partition.DefaultPartitionNexus] -
Check if DN
'2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com'
exists.
[20:38:20] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Client not found in Kerberos database (6)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Client not found in Kerberos database
        at org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:62)
        at org.apache.directory.server.kerberos.kdc.authentication.GetClientEntry.execute(GetClientEntry.java:44)
        at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at org.apache.directory.server.kerberos.kdc.SelectEncryptionType.execute(SelectEncryptionType.java:62)
        at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at org.apache.directory.server.kerberos.kdc.authentication.ConfigureAuthenticationChain.execute(ConfigureAuthenticationChain.java:56)
        at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at org.apache.directory.server.kerberos.kdc.MonitorRequest.execute(MonitorRequest.java:93)
        at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
        at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
        at org.apache.mina.handler.chain.IoHandlerChain$1.execute(IoHandlerChain.java:63)
        at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
        at org.apache.mina.handler.chain.IoHandlerChain.execute(IoHandlerChain.java:193)
        at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:162)
        at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
        at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:220)
        at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:264)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
        at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.directory.server.protocol.shared.ServiceConfigurationException: Failed to get initial context ou=users,dc=example,dc=com
        at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:109)
        at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:88)
        at org.apache.directory.server.kerberos.shared.store.JndiPrincipalStoreImpl.getPrincipal(JndiPrincipalStoreImpl.java:84)
        at org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:58)
        ... 29 more
Caused by: org.apache.directory.shared.ldap.exception.LdapNameNotFoundException: ou=users,dc=example,dc=com
        at org.apache.directory.server.core.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:1114)
        at org.apache.directory.server.core.partition.DefaultPartitionNexus.hasEntry(DefaultPartitionNexus.java:1035)
        at org.apache.directory.server.core.interceptor.InterceptorChain$1.hasEntry(InterceptorChain.java:165)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at org.apache.directory.server.core.exception.ExceptionService.assertHasEntry(ExceptionService.java:565)
        at org.apache.directory.server.core.exception.ExceptionService.lookup(ExceptionService.java:291)
        at org.apache.directory.server.core.interceptor.InterceptorChain.lookup(InterceptorChain.java:902)
        at org.apache.directory.server.core.partition.PartitionNexusProxy.lookup(PartitionNexusProxy.java:546)
        at org.apache.directory.server.core.authz.AuthorizationService.hasEntry(AuthorizationService.java:619)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at org.apache.directory.server.core.authn.AuthenticationService.hasEntry(AuthenticationService.java:327)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
        at org.apache.directory.server.core.normalization.NormalizationService.hasEntry(NormalizationService.java:356)
        at org.apache.directory.server.core.interceptor.InterceptorChain.hasEntry(InterceptorChain.java:924)
        at org.apache.directory.server.core.partition.PartitionNexusProxy.hasEntry(PartitionNexusProxy.java:568)
        at org.apache.directory.server.core.partition.PartitionNexusProxy.hasEntry(PartitionNexusProxy.java:556)
        at org.apache.directory.server.core.jndi.ServerContext.<init>(ServerContext.java:163)
        at org.apache.directory.server.core.jndi.ServerDirContext.<init>(ServerDirContext.java:88)
        at org.apache.directory.server.core.jndi.ServerLdapContext.<init>(ServerLdapContext.java:63)
        at org.apache.directory.server.core.DefaultDirectoryService.getJndiContext(DefaultDirectoryService.java:195)
        at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:147)
        at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
        ... 32 more
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
        explanatory text:      Client not found in Kerberos database
        error code:            6
        clientPrincipal:       null
        client time:           20080114193820Z
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        server time:           null
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /127.0.1.1:32907 SENT:
org.apache.directory.server.kerberos.shared.messages.ErrorMessage@705d28
[20:38:20] DEBUG [org.apache.mina.filter.executor.ExecutorFilter] -
Exiting since queue is empty for /127.0.1.1:32907
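The log above already contains everything needed to diagnose the problem, so here is a small log checker (an added example, not code from the thread or from ApacheDS) that pulls the relevant fields out of a constructed, abbreviated copy of this KDC debug output and compares them against the base DN the operator expects. It spots the three things a reader of this thread has to notice by hand: the realm the client asked for differs from the realm the KDC answers with in its error, the KDC searched for users under a base DN that is not under the site's partition, and the result is Kerberos error 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The function names, the expected base DN argument and the sample log text are this example's own.

```python
import re

# Constructed, abbreviated excerpt of the ApacheDS KDC debug log from the post.
# Real log lines are wrapped by the mail client; here each record is one line.
SAMPLE_LOG = """\
[20:38:20] DEBUG [org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received Authentication Service (AS) request:
        clientPrincipal:       ldap/ldap.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        realm:                 NVIASMS.EU
[20:38:20] DEBUG [org.apache.directory.server.core.authn.AuthenticationService] - Testing if entry name = 'ou=users,dc=example,dc=com' exists
[20:38:20] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Client not found in Kerberos database (6)
[20:38:20] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
        explanatory text:      Client not found in Kerberos database
        error code:            6
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# "        key:      value" lines that follow a request or error header
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s+(.*)$")
# the AuthenticationService line that reveals the configured searchBaseDn
SEARCH_RE = re.compile(r"Testing if entry name = '([^']+)' exists")


def parse_kdc_log(text):
    """Collect the AS request fields, the error reply fields and the base DN
    the KDC searched, from one ApacheDS KDC debug log excerpt."""
    result = {"request": {}, "error": {}, "search_base_dn": None}
    section = None
    for line in text.splitlines():
        if line.startswith("["):
            # a new log record: decide which multi-line block it opens
            if "Received Authentication Service (AS) request" in line:
                section = "request"
            elif "Responding to request with error" in line:
                section = "error"
            else:
                section = None
            m = SEARCH_RE.search(line)
            if m:
                result["search_base_dn"] = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m and section:
            result[section][m.group(1).strip()] = m.group(2).strip()
    return result


def realm_of(principal):
    """Realm part of a Kerberos principal such as krbtgt/EXAMPLE.COM@EXAMPLE.COM."""
    return principal.rsplit("@", 1)[1]


def dn_is_under(dn, base):
    """True if dn equals base or is below it (case- and whitespace-insensitive)."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def diagnose(parsed, expected_base_dn):
    """Return human-readable findings; an empty list means nothing looks wrong."""
    findings = []
    requested_realm = parsed["request"].get("realm")
    err = parsed["error"]
    kdc_realm = realm_of(err["serverPrincipal"]) if err.get("serverPrincipal") else None
    if requested_realm and kdc_realm and requested_realm != kdc_realm:
        findings.append(f"realm mismatch: client asked for {requested_realm}, "
                        f"KDC answered as {kdc_realm} (old configuration still active?)")
    base = parsed["search_base_dn"]
    if base and not dn_is_under(base, expected_base_dn):
        findings.append(f"searchBaseDn mismatch: KDC looked under '{base}', "
                        f"expected something under '{expected_base_dn}'")
    if err.get("error code") == "6":
        findings.append("KDC_ERR_C_PRINCIPAL_UNKNOWN (6): client principal not found "
                        "under the configured search base")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_kdc_log(SAMPLE_LOG), "dc=nviasms,dc=eu"):
        print("-", finding)
```

Run against a real log, the useful signal is the combination: an error reply whose krbtgt realm is not the realm the client requested means the KDC is serving a realm nobody configured on purpose, which is exactly the stale-configuration case this thread ends up at.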

Re: Kerberos configuration with wrong user DN...

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi Aleksandar !

Aleksandar Vidakovic wrote:
> Salut,
>
> just wanted to write a little follow-up concerning this thread:
>
> 1. ADS runs amazingly stable... ;-)
> 2. Configuration with JBoss container authentication, Liferay and
> Alfresco runs like a charm
>
> What does not work:
>
> It turned out that the Kerberos authentication in Alfresco is still not
> very stable; that's why the CIFS server does not work with ADS. I
> decided to use Webdav for Windows clients; and this works perfectly.
>
> ADS is running now for a week with no problems (ca. 10 users). In the
> near future we will serve more users... I'll post my experiences here.
>
> Thanks for this nice piece of software ;-)
>   
Thanks for using it, and more importantly, for giving us some feedback !

What would be interesting is to get a description of what you did to 
have ADS working with Alfresco. Some of our users might be interested in 
having a tutorial about it ( like what we have here for thunderbird : 
http://directory.apache.org/apacheds/1.0/41-mozilla-thunderbird.html or 
for tomcat : http://directory.apache.org/apacheds/1.0/42-apache-tomcat.html)
> Looking forward to the 2.0 release...
>   
We are working on it :)

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: Kerberos configuration with wrong user DN...

Posted by Aleksandar Vidakovic <sp...@gmx.net>.
Salut,

just wanted to write a little follow-up concerning this thread:

1. ADS runs amazingly stable... ;-)
2. Configuration with JBoss container authentication, Liferay and
Alfresco runs like a charm

What does not work:

It turned out that the Kerberos authentication in Alfresco is still not
very stable; that's why the CIFS server does not work with ADS. I
decided to use Webdav for Windows clients; and this works perfectly.

ADS is running now for a week with no problems (ca. 10 users). In the
near future we will serve more users... I'll post my experiences here.

Thanks for this nice piece of software ;-)

Looking forward to the 2.0 release...

Cheers,

Aleks

Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> Emmanuel,
>>
>> does it make a difference if I'm using version 1.5.1 or 1.0.2 (except
>> the obvious configuration differences)?
>>   
> Well, the 1.0 version is stable, but so stable that it's almost dead :) We
> won't carry new modifications or improvements into this version, which is
> nearly 2 years old.
> 
> Version 1.5.1 is 'unstable', by which I mean it's a version on which we are
> working, and adding new features. It's around 3 times faster than 1.0,
> has far fewer bugs, and is much easier to configure (especially when it
> comes to extending the schema)
>> Because I was using 1.5.1 and after reading the articles on the website
>> a little bit more carefully it seems to me that 1.5.1 is some kind of
>> developer version...
>>   
> More or less, but we really think that it's much better than the 1.0
> version. You have to know that we run all the 1.0 tests on the 1.5
> version, and that we have more tests in 1.5 than in 1.0.
> 
> So, yes, it's a developer version, but as we have releases, it's
> considered stable, except that we introduce new features in each
> minor version (1.5.1 to 1.5.2, for instance).
> 
> This won't last forever, as we are migrating to 2.0 in the next few months.
>> Thanks again...
>>
>> Cheers,
>>
>> Aleks


Re: Kerberos configuration with wrong user DN...

Posted by Emmanuel Lecharny <el...@gmail.com>.
Aleksandar Vidakovic wrote:
> Emmanuel,
>
> does it make a difference if I'm using version 1.5.1 or 1.0.2 (except
> the obvious configuration differences)?
>   
Well, the 1.0 version is stable, but so stable that it's almost dead :) We 
won't carry new modifications or improvements into this version, which is 
nearly 2 years old.

Version 1.5.1 is 'unstable', by which I mean it's a version on which we are 
working, and adding new features. It's around 3 times faster than 1.0, 
has far fewer bugs, and is much easier to configure (especially when it 
comes to extending the schema)
> Because I was using 1.5.1 and after reading the articles on the website
> a little bit more carefully it seems to me that 1.5.1 is some kind of
> developer version...
>   
More or less, but we really think that it's much better than the 1.0 
version. You have to know that we run all the 1.0 tests on the 1.5 
version, and that we have more tests in 1.5 than in 1.0.

So, yes, it's a developer version, but as we have releases, it's 
considered stable, except that we introduce new features in each 
minor version (1.5.1 to 1.5.2, for instance).

This won't last forever, as we are migrating to 2.0 in the next few months.
> Thanks again...
>
> Cheers,
>
> Aleks
>   


-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: Kerberos configuration with wrong user DN...

Posted by Aleksandar Vidakovic <sp...@gmx.net>.
Emmanuel,

does it make a difference if I'm using version 1.5.1 or 1.0.2 (except
the obvious configuration differences)?

Because I was using 1.5.1 and after reading the articles on the website
a little bit more carefully it seems to me that 1.5.1 is some kind of
developer version...

Thanks again...

Cheers,

Aleks

Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> As I understand it this means that the client is sending the right
>> information and something is badly configured on the ApacheDS side.
>> Right?
>>   
> Correct. It seems that the server is still looking in the wrong place :
> 
> [org.apache.directory.server.core.partition.DefaultPartitionNexus] -
> Check if DN
> '2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com'
> 
> 
> 
> 
> Is the new server.xml in place ? Has the server been restarted? Are you
> sure that the server.xml used is not the previous one ?
>> And then a little bit further I see this:
>>
>> [log]
>>
>>         at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
>>
>>         ... 32 more
>> [12:11:13] DEBUG
>> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
>> - Responding to request with error:
>>         explanatory text:      Client not found in Kerberos database
>>         error code:            6
>>         clientPrincipal:       null
>>         client time:           20080115111113Z
>>         serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>         server time:           null
>>
>> [/log]
>>
>> This is something that I wouldn't expect here; I did a new ApacheDS
>> installation and this entry doesn't exist in my LDIF that I am
>> importing. Is this log entry caused by the kerberos client?
>>   
> I think that you don't run the good server, or that you are using a
> previous install somehow.


Re: Kerberos configuration with wrong user DN...

Posted by Emmanuel Lecharny <el...@gmail.com>.
Aleksandar Vidakovic wrote:
> As I understand it this means that the client is sending the right
> information and something is badly configured on the ApacheDS side. Right?
>   
Correct. It seems that the server is still looking in the wrong place :

[org.apache.directory.server.core.partition.DefaultPartitionNexus] -
Check if DN
'2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com'



Is the new server.xml in place ? Has the server been restarted? Are you 
sure that the server.xml used is not the previous one ?
> And then a little bit further I see this:
>
> [log]
>
>         at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
>         ... 32 more
> [12:11:13] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> - Responding to request with error:
>         explanatory text:      Client not found in Kerberos database
>         error code:            6
>         clientPrincipal:       null
>         client time:           20080115111113Z
>         serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         server time:           null
>
> [/log]
>
> This is something that I wouldn't expect here; I did a new ApacheDS
> installation and this entry doesn't exist in my LDIF that I am
> importing. Is this log entry caused by the kerberos client?
>   
I think that you don't run the good server, or that you are using a 
previous install somehow.

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: Kerberos configuration with wrong user DN...

Posted by Aleksandar Vidakovic <sp...@gmx.net>.
Salut Emmanuel,

sorry to bother you again... but the change didn't help. There are two
things that I don't understand in the log files...

First I see this:

[log]

[12:11:13] DEBUG
[org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received
Authentication Service (AS) request:
        messageType:           initial authentication request (10)
        protocolVersionNumber: 5
        clientAddress:         127.0.1.1
        nonce:                 1200395473
        kdcOptions:            RENEWABLE_OK
        clientPrincipal:       ldap/ldap.nviasms.eu@NVIASMS.EU
        serverPrincipal:       krbtgt/NVIASMS.EU@NVIASMS.EU
        encryptionType:        aes256-cts-hmac-sha1-96 (18),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23),
des-cbc-crc (1), des-cbc-md5 (3), des-cbc-md4 (2)
        realm:                 NVIASMS.EU
        from time:             20080115111113Z
        till time:             20080116111113Z
        renew-till time:       null
        hostAddresses:         null
[12:11:13] DEBUG
[org.apache.directory.server.kerberos.kdc.SelectEncryptionType] -
Session will use encryption type des-cbc-md5 (3).
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Bind
operation. bindDn: uid=admin,ou=system
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - bind:
principal: null
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
Authenticating 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
0.9.2342.19200300.100.1.1=admin,2.5.4.11=system Authenticated
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Testing
if entry name = 'ou=users,dc=example,dc=com' exists
[12:11:13] DEBUG
[org.apache.directory.server.core.partition.DefaultPartitionNexus] -
Check if DN
'2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com'
exists.
[12:11:13] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Client not found in Kerberos database (6)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Client not found in Kerberos database
        at org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:62)
        at

...

[/log]

As I understand it this means that the client is sending the right
information and something is badly configured on the ApacheDS side. Right?

And then a little bit further I see this:

[log]

        at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
        ... 32 more
[12:11:13] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
        explanatory text:      Client not found in Kerberos database
        error code:            6
        clientPrincipal:       null
        client time:           20080115111113Z
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        server time:           null

[/log]

This is something that I wouldn't expect here; I did a new ApacheDS
installation and this entry doesn't exist in my LDIF that I am
importing. Is this log entry caused by the kerberos client?

My Keytab shows following entries:

[console]

ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ----
---------------------------------------------------------------------
   1    1          ldap/ldap.nviasms.eu@NVIASMS.EU

[/console]

Is there some sort of cache that I am not aware of?

Thanks for your help.

Cheers,

Aleks

Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> I am pretty sure that my LDAP configuration is OK. What I don't
>> understand is the content of the log file (see below). Obviously
>> something tries to search users under "ou=users,dc=example,dc=com" and I
>> am not sure if this is a mistake caused by the client or a wrong
>> ApacheDS configuration (my basedn is "dc=nviasms,dc=eu").
>>   
> Change this line in the server.xml file :
> 
> <property name="searchBaseDn" value="ou=users,ou=system" />
> 
> to :
> 
> <property name="searchBaseDn" value="dc=nviasms,dc=eu" />
> 
> assuming you have created a partition with this name to store the users.
> 
> (The searchBaseDn contains the place where the server will look for users)


Re: Kerberos configuration with wrong user DN...

Posted by Emmanuel Lecharny <el...@gmail.com>.
Aleksandar Vidakovic wrote:
> I am pretty sure that my LDAP configuration is OK. What I don't
> understand is the content of the log file (see below). Obviously
> something tries to search users under "ou=users,dc=example,dc=com" and I
> am not sure if this is a mistake caused by the client or a wrong
> ApacheDS configuration (my basedn is "dc=nviasms,dc=eu").
>   
Change this line in the server.xml file :

<property name="searchBaseDn" value="ou=users,ou=system" />

to :

<property name="searchBaseDn" value="dc=nviasms,dc=eu" />

assuming you have created a partition with this name to store the users.

(The searchBaseDn contains the place where the server will look for users)

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
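To make Emmanuel's fix concrete, here is an added example (not code from the thread or from ApacheDS) that models what the KDC's single-base search does: it reads the searchBaseDn property out of a server.xml, then looks for the requesting principal only among LDIF entries that sit under that base. The bean wrapper around the property, the partition suffix list and the LDIF are constructed for the example; the krb5KDCEntry/krb5PrincipalName attributes are the Kerberos schema the ApacheDS tutorials use, assumed here rather than taken from this page. Run with the "before" value the KDC finds nothing and would answer error 6; with the base changed to dc=nviasms,dc=eu the same LDIF resolves the principal.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment containing the property line Emmanuel quotes.
# The enclosing <beans>/<bean> wrapper is a placeholder, not ApacheDS's real layout.
SERVER_XML_BEFORE = """<beans>
  <bean id="kdcConfiguration">
    <property name="searchBaseDn" value="ou=users,ou=system" />
  </bean>
</beans>"""
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace("ou=users,ou=system", "dc=nviasms,dc=eu")

# Constructed partition suffixes: the built-in system partition plus the site's own.
PARTITION_SUFFIXES = ["ou=system", "dc=nviasms,dc=eu"]

# Constructed LDIF: the default ou=users,ou=system (empty) and the site partition
# holding one service principal with the assumed krb5 attributes.
SAMPLE_LDIF = """\
dn: ou=system
objectClass: organizationalUnit
ou: system

dn: ou=users,ou=system
objectClass: organizationalUnit
ou: users

dn: dc=nviasms,dc=eu
objectClass: domain
dc: nviasms

dn: ou=users,dc=nviasms,dc=eu
objectClass: organizationalUnit
ou: users

dn: uid=ldap-service,ou=users,dc=nviasms,dc=eu
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
uid: ldap-service
cn: LDAP service
sn: service
krb5PrincipalName: ldap/ldap.nviasms.eu@NVIASMS.EU
krb5KeyVersionNumber: 1
"""


def search_base_dn(server_xml):
    """Return the value of the searchBaseDn property in a server.xml document."""
    for prop in ET.fromstring(server_xml).iter("property"):
        if prop.get("name") == "searchBaseDn":
            return prop.get("value")
    raise ValueError("no searchBaseDn property found")


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, base):
    """True if dn is base itself or lies below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} dicts, 'dn' included."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def lookup_principal(entries, base_dn, principal):
    """Mimic the KDC's subtree search from searchBaseDn: return the DN of the
    entry whose krb5PrincipalName matches, or None if none lies under the base."""
    for entry in entries:
        dn = entry["dn"][0]
        if dn_under(dn, base_dn) and principal in entry.get("krb5PrincipalName", []):
            return dn
    return None


def check_kdc_config(server_xml, ldif_text, partition_suffixes, principal):
    """Return (findings, dn_found) for one principal against one configuration."""
    base = search_base_dn(server_xml)
    entries = parse_ldif(ldif_text)
    findings = []
    if not any(dn_under(base, suffix) for suffix in partition_suffixes):
        findings.append(f"searchBaseDn '{base}' is not inside any partition {partition_suffixes}")
    if normalize_dn(base) not in {normalize_dn(e["dn"][0]) for e in entries}:
        findings.append(f"entry '{base}' does not exist: KDC would fail to get its initial context")
    found = lookup_principal(entries, base, principal)
    if found is None:
        elsewhere = [e["dn"][0] for e in entries if principal in e.get("krb5PrincipalName", [])]
        hint = f" (it exists at {elsewhere})" if elsewhere else ""
        findings.append(f"{principal} not found under '{base}'{hint}: KDC would answer error 6")
    return findings, found


if __name__ == "__main__":
    principal = "ldap/ldap.nviasms.eu@NVIASMS.EU"
    for label, xml in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        findings, found = check_kdc_config(xml, SAMPLE_LDIF, PARTITION_SUFFIXES, principal)
        print(label, "->", found or findings)
```

The point of modelling the search this way is that "Client not found in Kerberos database" is never about the keytab on the client: kinit -k only proves the client holds a key for the principal, while the KDC decides purely from what it finds under searchBaseDn.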



Re: Kerberos configuration with wrong user DN...

Posted by Aleksandar Vidakovic <sp...@gmx.net>.
Actually I have a small project with a build.xml that does the setup.
It contains everything that I could find in forums, wikis etc. about
authentication with Liferay, Alfresco, XWiki, Probe, Subversion, Apache
HTTPD. I'll be happy to publish this once it's working (at least for
Alfresco and Liferay).

Aleks

Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> Hi again,
>>
>> maybe I should explain what I want to do ultimately: I'm using ApacheDS
>> together with the Alfresco document management system and Liferay portal
>> server. Authentication already works fine for the portal and Alfresco's
>> web front end.
>>
>> Now I want to use Alfresco's CIFS server for Windows clients as it's the
>> easiest way for users to edit documents. But: Alfresco's CIFS component
>> is only able to authenticate against a Kerberos server.
>>
>> That's why...
>>
>> Cheers,
>>
>> Aleks
> That's an interesting use case. We would be very interested to get some
> feedback on how you installed and configured ADS with both products !
> 
> Thanks for the info.


Re: Kerberos configuration with wrong user DN...

Posted by Emmanuel Lecharny <el...@gmail.com>.
Aleksandar Vidakovic wrote:
> Hi again,
>
> maybe I should explain what I want to do ultimately: I'm using ApacheDS
> together with the Alfresco document management system and Liferay portal
> server. Authentication already works fine for the portal and Alfresco's
> web front end.
>
> Now I want to use Alfresco's CIFS server for Windows clients as it's the
> easiest way for users to edit documents. But: Alfresco's CIFS component
> is only able to authenticate against a Kerberos server.
>
> That's why...
>
> Cheers,
>
> Aleks
That's an interesting use case. We would be very interested to get some 
feedback on how you installed and configured ADS with both products !

Thanks for the info.

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: Kerberos configuration with wrong user DN...

Posted by Aleksandar Vidakovic <sp...@gmx.net>.
Hi again,

maybe I should explain what I want to do ultimately: I'm using ApacheDS
together with the Alfresco document management system and Liferay portal
server. Authentication already works fine for the portal and Alfresco's
web front end.

Now I want to use Alfresco's CIFS server for Windows clients as it's the
easiest way for users to edit documents. But: Alfresco's CIFS component
is only able to authenticate against a Kerberos server.

That's why...

Cheers,

Aleks

Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> Salut all,
>>   
> Hi Aleksandar,
>> I'm trying to configure ApacheDS as a Kerberos server 
> ADS 1.0.2, I guess ?
>> and used the
>> article under
>> http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html
>>
>> as a reference.
>>
>> I started with the "example.com" example and modified it later to my
>> needs. When I start ApacheDS with my modifications (only the domain and
>> user DN changed) no users can be found when I try to connect with:
>>
>> kinit -k ldap/ldap.nviasms.eu@NVIASMS.EU
>>
>> I am pretty sure that my LDAP configuration is OK. 
> Can you post your server.xml configuration file ? Without it, it's very
> difficult to say if something is wrong or not.
> 
> Thanks !

Re: Kerberos configuration with wrong user DN...

Posted by Aleksandar Vidakovic <sp...@gmx.net>.
Salut Emmanuel,

should have thought of that earlier ;-) ... here is my server.xml

Thanks for the fast reply.

Cheers,

Aleks

Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> Salut all,
>>   
> Hi Aleksandar,
>> I'm trying to configure ApacheDS as a Kerberos server 
> ADS 1.0.2, I guess ?
>> and used the
>> article under
>> http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html
>>
>> as a reference.
>>
>> I started with the "example.com" example and modified it later to my
>> needs. When I start ApacheDS with my modifications (only the domain and
>> user DN changed) no users can be found when I try to connect with:
>>
>> kinit -k ldap/ldap.nviasms.eu@NVIASMS.EU
>>
>> I am pretty sure that my LDAP configuration is OK. 
> Can you post your server.xml configuration file ? Without it, it's very
> difficult to say if something is wrong or not.
> 
> Thanks !

Re: Kerberos configuration with wrong user DN...

Posted by Emmanuel Lecharny <el...@gmail.com>.
Aleksandar Vidakovic wrote:
> Salut all,
>   
Hi Aleksandar,
> I'm trying to configure ApacheDS as a Kerberos server 
ADS 1.0.2, I guess ?
> and used the
> article under
> http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html
> as a reference.
>
> I started with the "example.com" example and modified it later to my
> needs. When I start ApacheDS with my modifications (only the domain and
> user DN changed) no users can be found when I try to connect with:
>
> kinit -k ldap/ldap.nviasms.eu@NVIASMS.EU
>
> I am pretty sure that my LDAP configuration is OK. 
Can you post your server.xml configuration file ? Without it, it's very 
difficult to say if something is wrong or not.

Thanks !

>   


-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org