Posted to dev@directory.apache.org by Spark Shen <sm...@gmail.com> on 2007/11/29 08:29:20 UTC

[kerberos] How to add client/server information into kerberos database

Hi,

I am playing around with apacheds kerberos features these days. As you may
notice, leo and I have some posts in the past few weeks. And thanks for your
great help. :-)

I configured apacheds[1] according to [2], and experimented with the short
form of 'Kerberos client components' [3].
Here below is my short form class:
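import java.io.IOException;
import java.net.UnknownHostException;

import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

import org.apache.directory.client.kerberos.KdcConnection;
import org.apache.directory.client.kerberos.KdcConnectionException;

public class SampleClient {

    public static void main(String[] args) throws UnknownHostException,
            IOException, KdcConnectionException {

        // Principal to request a ticket-granting ticket for.
        KerberosPrincipal clientPrincipal = new KerberosPrincipal(
                "spark@EXAMPLE.COM");
        String userPassword = "<passwd>"; // placeholder, redacted in the post
        String hostname = "<ip>";         // placeholder, redacted in the post
        int port = 88;
        // Connect to the KDC and ask for a TGT.
        KdcConnection con = new KdcConnection(hostname + ":" + port);
        KerberosTicket tgt = con.getTicketGrantingTicket(clientPrincipal,
                userPassword);
        System.out.println(tgt);
    }

}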

And the output:
log4j:WARN No appenders could be found for logger (org.apache.mina.filter.executor.ExecutorFilter).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" org.apache.directory.client.kerberos.KdcConnectionException: Client not found in Kerberos database (6)
    at org.apache.directory.client.kerberos.GetTicketGrantingTicket.processError(GetTicketGrantingTicket.java:167)
    at org.apache.directory.client.kerberos.GetTicketGrantingTicket.execute(GetTicketGrantingTicket.java:153)
    at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:118)
    at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:101)
    at kerberos.SampleClient.main(SampleClient.java:42)

I did not find a document about how to add client/server information to the
kdc server; would anyone give me a hand? Thanks in advance.

I did not find verbose kerberos administration instructions on the web site
(I believe it's under development), so I have to come here to take some of
your precious time.

[1] My modification to <apacheds>\instances\default\conf\server.xml
<bean id="environment" ...>
  <property name="properties">
    <props>
      <prop key="kdc.entryBaseDn">ou=users,dc=example,dc=com</prop>
...
</bean>
<bean id="kdcConfiguration" class="org.apache.directory.server.kerberos.kdc.KdcConfiguration" lazy-init="default" autowire="default" dependency-check="default">
  <property name="enabled" value="true" />
  <property name="ipPort" value="88" />
</bean>
<bean id="configuration" ...>
  ...
  <property name="kdcConfiguration" ref="kdcConfiguration" />
  ...
</bean>

[2]
http://directory.apache.org/apacheds/1.5/kerberos-protocol-configuration.html

[3]
http://cwiki.apache.org/confluence/display/DIRxSBOX/Draft+-+Kerberos+client+components
-- 
Spark Shen
China Software Development Lab, IBM

Re: [kerberos] How to add client/server information into kerberos database

Posted by Enrique Rodriguez <en...@gmail.com>.
On Nov 29, 2007 1:23 PM, Enrique Rodriguez <en...@gmail.com> wrote:
> On Nov 28, 2007 11:29 PM, Spark Shen <sm...@gmail.com> wrote:
> > I did not find document about how to add client/server information to kdc
> > server ,
> > would any one give me a hand? Thanks in advance.
> > ...
>
> I think the best doc we currently have is for configuring SASL GSSAPI,
> since a subset of configuring SASL GSSAPI is configuring Kerberos
> principals, so the docs are pretty good here:
> ...

FWIW, I started a new draft of doco for configuring just Kerberos
principals.  This is basically a quick extraction of Kerberos
principal configuration from the aforementioned SASL GSSAPI doc.

http://cwiki.apache.org/confluence/display/DIRxSBOX/Draft+-+ApacheDS+Kerberos+principal+configuration

HTH,

Enrique

Re: [kerberos] How to add client/server information into kerberos database

Posted by Enrique Rodriguez <en...@gmail.com>.
On Nov 28, 2007 11:29 PM, Spark Shen <sm...@gmail.com> wrote:
> I did not find document about how to add client/server information to kdc
> server ,
> would any one give me a hand? Thanks in advance.
> ...

I think the best doc we currently have is for configuring SASL GSSAPI,
since a subset of configuring SASL GSSAPI is configuring Kerberos
principals, so the docs are pretty good here:

http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.html

You can skip ahead to steps 12-14, in which you (#12) enable the
Kerberos protocol, (#13) enable the Key Derivation interceptor, and
then (#14) load an LDIF file.  You load principals using standard LDAP
means, so you can also use the LDAP protocol.  Though, for getting
started, an LDIF file is pretty straightforward.  In that doc is a
link to an LDIF showing how to format an LDIF file:

http://directory.apache.org/apacheds/1.5/howto-do-sasl-gssapi-authentication-to-apacheds.data/sasl-gssapi-example.ldif

The rest of your config looks OK.

Enrique
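
The kind of principal LDIF the reply above points to, as an added example that is not part of the thread or of the ApacheDS documentation. It assumes that ou=users,dc=example,dc=com (the kdc.entryBaseDn from the posted server.xml) already exists, and that the object class and attribute names (krb5principal, krb5kdcentry, krb5PrincipalName, krb5KeyVersionNumber) match the schema used in the linked example LDIF; all passwords are placeholders.

```ldif
# Constructed example: names and passwords are placeholders.
# Both entries live under the KDC search base from the posted server.xml:
#   kdc.entryBaseDn = ou=users,dc=example,dc=com

# Client principal requested by SampleClient (spark@EXAMPLE.COM).
# With the Key Derivation interceptor enabled (step 13 of the how-to),
# the server derives the Kerberos keys from userPassword when the
# entry is added, so the entry must be loaded after that step.
dn: uid=spark,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Spark Shen
sn: Shen
uid: spark
userPassword: <client-password-placeholder>
krb5PrincipalName: spark@EXAMPLE.COM
krb5KeyVersionNumber: 0

# Ticket-granting service principal for the realm. The KDC needs this
# entry to issue a TGT; its secret should be long and random, since
# every TGT in the realm is protected by keys derived from it.
dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: <long-random-secret-placeholder>
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0
```

The "Client not found in Kerberos database (6)" error in the original post is what the KDC returns when no entry with a matching krb5PrincipalName exists under the configured base DN.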