Posted to users@directory.apache.org by "CORUM, M E [AG/1000]" <m....@monsanto.com> on 2007/04/23 20:22:11 UTC

RE: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in Schema

Kerberos Experts,

I now have 1.5 working with some basic (very basic) Kerberos stuff.  I'm
able from a JUnit test to log on and verify that a different
account/user is valid.  Before I go on to explain my next issue, I
should explain what I'm trying to accomplish.

My task is to create some remote administration Java code for Active
Directory.  I've been doing Kerberos for a while with the Quest/Vintela
VSJ and VSJ Kerberos packages and we have a lot of utility code built up
around these tools.  We already have an authenticated LDAP client piece
that we use to do some simple things like verify an account or its SPNs
and change a password.  We will now be expanding this code to do more
"intrusive" functions so we'd like to set up a test environment on our
local machines that simulates AD as closely as possible for the purpose
of this client code we are writing.  Examples of new features would be
adding an account or adding a user to an AD group.  I know almost
nothing about LDAP but I know a few things about Kerberos and working
with AD's Kerberos.

My next step after verifying accounts (which I can do now) against
ApacheDS is to verify the SPNs.  In Active Directory, an SPN is a
"servicePrincipalName" attribute that can have a list of values
(aliases) for the service that the account represents.  When I try to
add a "servicePrincipalName" to a user in my kerberos.ldif file (for
loading on startup), the startup fails to load the ldif file with the
following error:

[13:00:25] ERROR [org.apache.directory.server.protocol.shared.store.LdifFileLoader] - Failed to import LDIF into backing store.
org.apache.directory.shared.ldap.exception.LdapInvalidAttributeIdentifierException: serviceprincipalname not found in attribute registry!
	at org.apache.directory.server.core.schema.SchemaService.check(SchemaService.java:1809)

I assume I could add this attribute to the schema.  However, when I read
the custom schema stuff in the 1.0 documentation, it refers to a
bootstrapSchemas section in the server.xml that doesn't exist.  I tried
putting it in and the server won't come up so that doesn't work.  How is
this done now?  I assume it has changed but the change isn't documented.

Can anybody help with adding an attribute to the schema or set of
schemas that ApacheDS uses?

MikeC


---------------------------------------------------------------------------------------------------------
This e-mail message may contain privileged and/or confidential information, and is intended to be received only by persons entitled to receive such information. If you have received this e-mail in error, please notify the sender immediately. Please delete it and all attachments from any servers, hard drives or any other media. Other use of this e-mail by you is strictly prohibited.


All e-mails and attachments sent and received are subject to monitoring, reading and archival by Monsanto. The recipient of this e-mail is solely responsible for checking for the presence of "Viruses" or other "Malware". Monsanto accepts no liability for any damage caused by any such code transmitted by or accompanying this e-mail or any attachment.
---------------------------------------------------------------------------------------------------------


RE: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in Schema

Posted by "CORUM, M E [AG/1000]" <m....@monsanto.com>.
Stefan,

Yes, thank you.  I had found that page earlier but had not read it yet.
The Kerberos stuff from the page that referenced it was inaccurate so I
wasn't sure whether these wiki pages were trustworthy or not.  I'll dig
into this more deeply.  Right now, I'm looking into the OIDs for Active
Directory's custom attributes (the over 200 additions to the standard
that AD makes).

Thanks again,

MikeC

-----Original Message-----
From: Stefan Seelmann [mailto:mail@stefan-seelmann.de] 
Sent: Monday, April 23, 2007 3:28 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in
Schema

Hi Mike,

CORUM, M E [AG/1000] schrieb:
> 
> [13:00:25] ERROR [org.apache.directory.server.protocol.shared.store.LdifFileLoader] - Failed to import LDIF into backing store.
> org.apache.directory.shared.ldap.exception.LdapInvalidAttributeIdentifierException: serviceprincipalname not found in attribute registry!
> 	at org.apache.directory.server.core.schema.SchemaService.check(SchemaService.java:1809)
> 
> I assume I could add this attribute to the schema.  However, when I read
> the custom schema stuff in the 1.0 documentation, it refers to a
> bootstrapSchemas section in the server.xml that doesn't exist.  I tried
> putting it in and the server won't come up so that doesn't work.  How is
> this done now?  I assume it has changed but the change isn't documented.
> 
> Can anybody help with adding an attribute to the schema or set of
> schemas that ApacheDS uses?
> 

The schema subsystem has totally changed with 1.5. Here you can find a
first (but good) draft of some documentation:
http://cwiki.apache.org/confluence/display/DIRxSBOX/Add+your+first+elements+to+the+schema

Regards,
Stefan Seelmann




Re: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in Schema

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
Hi Mike,

CORUM, M E [AG/1000] schrieb:
> 
> [13:00:25] ERROR [org.apache.directory.server.protocol.shared.store.LdifFileLoader] - Failed to import LDIF into backing store.
> org.apache.directory.shared.ldap.exception.LdapInvalidAttributeIdentifierException: serviceprincipalname not found in attribute registry!
> 	at org.apache.directory.server.core.schema.SchemaService.check(SchemaService.java:1809)
> 
> I assume I could add this attribute to the schema.  However, when I read
> the custom schema stuff in the 1.0 documentation, it refers to a
> bootstrapSchemas section in the server.xml that doesn't exist.  I tried
> putting it in and the server won't come up so that doesn't work.  How is
> this done now?  I assume it has changed but the change isn't documented.
> 
> Can anybody help with adding an attribute to the schema or set of
> schemas that ApacheDS uses?
> 

The schema subsystem has totally changed with 1.5. Here you can find a
first (but good) draft of some documentation:
http://cwiki.apache.org/confluence/display/DIRxSBOX/Add+your+first+elements+to+the+schema

Regards,
Stefan Seelmann
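The load failure Mike quotes (an attribute name the server's registry does not know) and the 1.5 metaschema Stefan points to come down to two steps: find out which attribute types in the startup LDIF are undefined, then define them under ou=schema. The Python below is an added example, not ApacheDS project code and not from anyone in the thread. It parses an LDIF file the way a startup loader would see it, reports attribute names missing from a registry, and emits ApacheDS 1.5 metaschema entries for the Active Directory attributes it knows. The sample LDIF, the KNOWN_ATTRIBUTES set and the schema name "ad" are constructed for the example; the attribute OIDs are Active Directory's own; the metaschema layout (metaAttributeType entries with m-oid, m-name, m-equality, m-syntax and m-singleValue under cn=<schema>,ou=schema) is what I understand the 1.5 subsystem to use and should be checked against the linked page before loading.

```python
"""Pre-flight an LDIF file against the attribute types a server knows and emit
ApacheDS 1.5 metaschema entries for missing Active Directory attributes.
Added example; not ApacheDS project code."""
import base64

# Constructed sample in the style of a kerberos.ldif loaded at startup.
SAMPLE_LDIF = """\
# constructed test principal carrying AD-style SPN and UPN attributes
dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: Horatio Nelson
sn: Nelson
uid: hnelson
description: constructed test entry for the
  startup LDIF pre-flight check
displayName:: TmVsc29u
servicePrincipalName: HTTP/web01.example.com
servicePrincipalName: HTTP/web01
userPrincipalName: hnelson@EXAMPLE.COM
"""

# Attribute types assumed to be in the server registry already (a small subset
# of the standard schemas; an assumption made for this example).
KNOWN_ATTRIBUTES = {"objectclass", "cn", "sn", "uid", "description",
                    "displayname", "userpassword"}

# AD attribute definitions: name, AD OID, equality rule, syntax OID, single-valued.
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"
AD_ATTRIBUTES = {
    "serviceprincipalname": ("servicePrincipalName", "1.2.840.113556.1.4.771",
                             "caseIgnoreMatch", DIRECTORY_STRING, False),
    "userprincipalname": ("userPrincipalName", "1.2.840.113556.1.4.656",
                          "caseIgnoreMatch", DIRECTORY_STRING, True),
    "objectcategory": ("objectCategory", "1.2.840.113556.1.4.782",
                       "distinguishedNameMatch", DN_SYNTAX, True),
    "samaccountname": ("sAMAccountName", "1.2.840.113556.1.4.221",
                       "caseIgnoreMatch", DIRECTORY_STRING, True),
}


def parse_ldif(text):
    """Parse the RFC 2849 subset used by startup LDIF files (comments, folded
    lines, 'attr: value' and base64 'attr:: value') into a list of
    (dn, {attribute_lowercase: [values]}) tuples."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute line before dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def unknown_attributes(entries, registry=KNOWN_ATTRIBUTES):
    """Attribute names the LDIF uses that the registry does not define, i.e.
    the names a startup loader would reject."""
    registry = {name.lower() for name in registry}
    used = {name for _, attrs in entries for name in attrs}
    return sorted(used - registry)


def metaschema_ldif(schema_name, attribute_names):
    """Emit ApacheDS 1.5 metaschema entries under cn=<schema_name>,ou=schema
    defining the given AD attribute types (assumed metaschema layout)."""
    out = ["dn: cn=%s,ou=schema" % schema_name, "objectClass: top",
           "objectClass: metaSchema", "cn: %s" % schema_name,
           "m-dependencies: core", "",
           "dn: ou=attributeTypes,cn=%s,ou=schema" % schema_name,
           "objectClass: top", "objectClass: organizationalUnit",
           "ou: attributeTypes", ""]
    for key in attribute_names:
        if key.lower() not in AD_ATTRIBUTES:
            raise ValueError("no AD definition known for %s" % key)
        name, oid, equality, syntax, single = AD_ATTRIBUTES[key.lower()]
        out += ["dn: m-oid=%s,ou=attributeTypes,cn=%s,ou=schema" % (oid, schema_name),
                "objectClass: top", "objectClass: metaTop",
                "objectClass: metaAttributeType",
                "m-oid: %s" % oid, "m-name: %s" % name,
                "m-description: Active Directory attribute %s" % name,
                "m-equality: %s" % equality, "m-syntax: %s" % syntax,
                "m-singleValue: %s" % ("TRUE" if single else "FALSE"), ""]
    return "\n".join(out)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    missing = unknown_attributes(entries)
    print("not in attribute registry:", ", ".join(missing))
    print(metaschema_ldif("ad", missing))
```

Load the emitted entries into the schema partition before the user LDIF (or add them with ldapmodify against ou=schema), then re-run the pre-flight: an empty list means the loader has every attribute type it needs. objectCategory is defined here with DN syntax, as it is in AD, so its LDIF values have to be DNs rather than the bare class names AD tolerates in search filters.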

RE: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in Schema

Posted by "CORUM, M E [AG/1000]" <m....@monsanto.com>.
Should have said group "object" not attribute.

MikeC

-----Original Message-----
From: CORUM, M E [AG/1000] [mailto:m.e.corum@monsanto.com] 
Sent: Wednesday, April 25, 2007 8:09 AM
To: users@directory.apache.org; erodriguez@apache.org
Subject: RE: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in
Schema

Enrique,

I now have SPNs and UPNs working.  It turned out that they were just
attributes.  I did have to add the objectCategory class but so far it
has gone well.  I also have a query working to find out the members of a
group (had to add the AD-specific "group" attribute but "member" was
already there.)  I'm now working on testing my client for getting a list
of attributes for the user/account and for adding users to groups.

MikeC

-----Original Message-----
From: Enrique Rodriguez [mailto:enriquer9@gmail.com] 
Sent: Tuesday, April 24, 2007 10:12 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in
Schema

On 4/23/07, CORUM, M E [AG/1000] <m....@monsanto.com> wrote:
> ...
> I now have 1.5 working with some basic (very basic) Kerberos stuff.  I'm
> able from a JUnit test to log on and verify that a different
> account/user is valid.  Before I go on to explain my next issue, I
> should explain what I'm trying to accomplish.

I'm happy to see you're progressing.  I know the config is a bit
convoluted but we have a better story in the works which will
hopefully coincide with doco that isn't "hidden."

> ... we'd like to set up a test environment on our
> local machines that simulates AD as closely as possible for the purpose
> of this client code we are writing.

I would like to work closely with you to make Apache Directory
"simulate AD as closely as possible" for purposes of "testing." ;)

All kidding aside, this is interesting work, but I really need to
focus on the "Realm Control Initiatives," since they are prerequisites
for an actually useful Kerberos server.

http://cwiki.apache.org/confluence/display/DIRxSBOX/Realm+Control+Initiatives

> My next step after verifying accounts (which I can do now) against
> ApacheDS is to verify the SPNs.  In Active Directory, an SPN is a
> "servicePrincipalName" attribute that can have a list of values
> (aliases) for the service that the account represents.  When I try to
> add a "servicePrincipalName" to a user in my kerberos.ldif file (for
> loading on startup), the startup fails to load the ldif file with the
> following error:
> ...

Yeah, this is classic LDAP here.  Instead of adding attributes to the
schema we use for Kerberos it makes more sense to create a new schema
and put the 200 or so AD attributes in there.

> Can anybody help with adding an attribute to the schema or set of
> schemas that ApacheDS uses?

Numerous people here should be able to help with schema setup and
probably there's some doco (I work off unit tests).  The issue closer
to home for me is getting the Kerberos protocol provider to work with
SPNs since this requires a new store implementation against a
different schema than the one we're using.  But it's straightforward
JNDI programming.  Stores aren't pluggable now but we have techniques
for that.

Enrique




RE: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in Schema

Posted by "CORUM, M E [AG/1000]" <m....@monsanto.com>.
Enrique,

I now have SPNs and UPNs working.  It turned out that they were just
attributes.  I did have to add the objectCategory class but so far it
has gone well.  I also have a query working to find out the members of a
group (had to add the AD-specific "group" attribute but "member" was
already there.)  I'm now working on testing my client for getting a list
of attributes for the user/account and for adding users to groups.

MikeC

-----Original Message-----
From: Enrique Rodriguez [mailto:enriquer9@gmail.com] 
Sent: Tuesday, April 24, 2007 10:12 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in
Schema

On 4/23/07, CORUM, M E [AG/1000] <m....@monsanto.com> wrote:
> ...
> I now have 1.5 working with some basic (very basic) Kerberos stuff.  I'm
> able from a JUnit test to log on and verify that a different
> account/user is valid.  Before I go on to explain my next issue, I
> should explain what I'm trying to accomplish.

I'm happy to see you're progressing.  I know the config is a bit
convoluted but we have a better story in the works which will
hopefully coincide with doco that isn't "hidden."

> ... we'd like to set up a test environment on our
> local machines that simulates AD as closely as possible for the purpose
> of this client code we are writing.

I would like to work closely with you to make Apache Directory
"simulate AD as closely as possible" for purposes of "testing." ;)

All kidding aside, this is interesting work, but I really need to
focus on the "Realm Control Initiatives," since they are prerequisites
for an actually useful Kerberos server.

http://cwiki.apache.org/confluence/display/DIRxSBOX/Realm+Control+Initiatives

> My next step after verifying accounts (which I can do now) against
> ApacheDS is to verify the SPNs.  In Active Directory, an SPN is a
> "servicePrincipalName" attribute that can have a list of values
> (aliases) for the service that the account represents.  When I try to
> add a "servicePrincipalName" to a user in my kerberos.ldif file (for
> loading on startup), the startup fails to load the ldif file with the
> following error:
> ...

Yeah, this is classic LDAP here.  Instead of adding attributes to the
schema we use for Kerberos it makes more sense to create a new schema
and put the 200 or so AD attributes in there.

> Can anybody help with adding an attribute to the schema or set of
> schemas that ApacheDS uses?

Numerous people here should be able to help with schema setup and
probably there's some doco (I work off unit tests).  The issue closer
to home for me is getting the Kerberos protocol provider to work with
SPNs since this requires a new store implementation against a
different schema than the one we're using.  But it's straightforward
JNDI programming.  Stores aren't pluggable now but we have techniques
for that.

Enrique




Re: [ApacheDS] 1.5 Kerberos Support and Custom Attribute in Schema

Posted by Enrique Rodriguez <en...@gmail.com>.
On 4/23/07, CORUM, M E [AG/1000] <m....@monsanto.com> wrote:
> ...
> I now have 1.5 working with some basic (very basic) Kerberos stuff.  I'm
> able from a JUnit test to log on and verify that a different
> account/user is valid.  Before I go on to explain my next issue, I
> should explain what I'm trying to accomplish.

I'm happy to see you're progressing.  I know the config is a bit
convoluted but we have a better story in the works which will
hopefully coincide with doco that isn't "hidden."

> ... we'd like to set up a test environment on our
> local machines that simulates AD as closely as possible for the purpose
> of this client code we are writing.

I would like to work closely with you to make Apache Directory
"simulate AD as closely as possible" for purposes of "testing." ;)

All kidding aside, this is interesting work, but I really need to
focus on the "Realm Control Initiatives," since they are prerequisites
for an actually useful Kerberos server.

http://cwiki.apache.org/confluence/display/DIRxSBOX/Realm+Control+Initiatives

> My next step after verifying accounts (which I can do now) against
> ApacheDS is to verify the SPNs.  In Active Directory, an SPN is a
> "servicePrincipalName" attribute that can have a list of values
> (aliases) for the service that the account represents.  When I try to
> add a "servicePrincipalName" to a user in my kerberos.ldif file (for
> loading on startup), the startup fails to load the ldif file with the
> following error:
> ...

Yeah, this is classic LDAP here.  Instead of adding attributes to the
schema we use for Kerberos it makes more sense to create a new schema
and put the 200 or so AD attributes in there.

> Can anybody help with adding an attribute to the schema or set of
> schemas that ApacheDS uses?

Numerous people here should be able to help with schema setup and
probably there's some doco (I work off unit tests).  The issue closer
to home for me is getting the Kerberos protocol provider to work with
SPNs since this requires a new store implementation against a
different schema than the one we're using.  But it's straightforward
JNDI programming.  Stores aren't pluggable now but we have techniques
for that.

Enrique
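Mike's client, as described in this thread, verifies accounts and their SPNs and lists group members by LDAP query, which Enrique calls straightforward JNDI programming. The part that bites in practice is that account names, SPNs and DNs fed into those queries have to be escaped, and that an SPN must be checked for uniqueness across the domain rather than on the one account, since a KDC cannot issue a usable ticket when two accounts hold the same SPN. The Python below is an added example, not code from the thread, from ApacheDS or from any vendor toolkit: it builds the filters and DNs with RFC 4515 filter escaping and RFC 4514 DN escaping and validates SPN syntax before anything is sent. The function names, the CN=Users container default and the sample values are this example's assumptions.

```python
"""Build the LDAP filters and DNs an AD administration client uses for SPN and
group-membership checks, with RFC 4515 / RFC 4514 escaping so caller-supplied
names cannot alter the query.  Added example; not code from the thread."""

FILTER_SPECIAL = "\\*()\0"
DN_SPECIAL = ',+"\\<>;='


def escape_filter_value(value):
    """RFC 4515: backslash, parentheses, '*' and NUL in an assertion value
    become \\XX so the value cannot extend or close the filter."""
    return "".join("\\%02x" % ord(c) if c in FILTER_SPECIAL else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape RDN value characters that would change the DN structure
    (special characters anywhere, '#' at the start, space at either end, NUL)."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c in DN_SPECIAL:
            out.append("\\" + c)
        elif c == "\0":
            out.append("\\00")
        elif c == "#" and i == 0:
            out.append("\\#")
        elif c == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(c)
    return "".join(out)


def parse_spn(spn):
    """Split 'service/host[:port][/name]' into its parts; the port becomes an
    int.  Raises ValueError for anything that is not a two- or three-part SPN."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("malformed SPN: %r" % spn)
    service, host = parts[0], parts[1]
    name = parts[2] if len(parts) == 3 else None
    port = None
    if ":" in host:
        host, port_text = host.rsplit(":", 1)
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError("bad port in SPN: %r" % spn)
        port = int(port_text)
    return service, host, port, name


def spn_filter(spn):
    """Filter to search the whole domain for one SPN.  AD matches
    servicePrincipalName case-insensitively, and more than one hit means two
    accounts claim the same service, which breaks Kerberos for that service."""
    parse_spn(spn)                      # reject garbage before it reaches the server
    return "(servicePrincipalName=%s)" % escape_filter_value(spn)


def account_filter(sam_account_name):
    """Find one user account by sAMAccountName."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def user_dn(cn, base_dn, container="CN=Users"):
    """DN of a user under the domain's user container (CN=Users is the AD
    default; the real container is an assumption the caller must supply)."""
    return "CN=%s,%s,%s" % (escape_dn_value(cn), container, base_dn)


def groups_of_user_filter(member_dn):
    """Groups that list member_dn directly.  The DN is an assertion value here,
    so its own RFC 4514 backslashes get RFC 4515-escaped a second time."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(member_dn)


if __name__ == "__main__":
    base = "DC=example,DC=com"
    print(spn_filter("HTTP/web01.example.com:8443"))
    print(account_filter("hnelson"))
    dn = user_dn("Nelson, Horatio", base)
    print(dn)
    print(groups_of_user_filter(dn))
    # a caller-supplied value that, unescaped, would match every account
    print(account_filter("*)(objectClass=*"))
```

Hand the resulting strings to whatever client you already have (a JNDI DirContext.search or ldapsearch); the point is what they look like before they leave the process. The two escapings are different layers: a DN that already contains "\," must be filter-escaped again (to "\5c,") when it is used as a member assertion value, and the duplicate-SPN search should be rooted at the domain naming context with subtree scope so that a second account holding the SPN in another OU is not missed.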