looks like you are trying to fetch the ticket for a different (wrong?) principal: you created [email protected] but kinit shows [email protected]

On Wed, Mar 21, 2012 at 8:00 PM, Kamalakar M <[email protected]> wrote:
> Hi Apache DS Team
>
> I require help creating Kerberos principals from Java using the Apache
> DS API.
>
> I am using krb5-1.10.1 with OpenLDAP in the backend.
> I am able to add principals using addprinc and authenticate using kinit from
> the Terminal.
>
> Environment Details:
> Operating System: Mac OS X - Snow Leopard.
> Kerberos: MIT, Version krb5-1.10.1
> Back End for Kerberos: OpenLDAP 2.4.11
> Please find attached the krb5.conf used.
>
> I would like to know the steps/procedure in order to create Kerberos (MIT)
> principals from Java using the Apache DS API [so that kinit will
> authenticate and issue tickets].
>
> With the following code I am able to:
>
> - see the 'krbprincipalkey' in the Java console;
> - insert an entry into OpenLDAP.
>
> Kindly check whether this is the right way to proceed.
>
> import java.io.IOException;
> import java.nio.ByteBuffer;
>
> import javax.security.auth.kerberos.KerberosKey;
> import javax.security.auth.kerberos.KerberosPrincipal;
>
> import org.apache.directory.ldap.client.api.LdapConnection;
> import org.apache.directory.ldap.client.api.LdapNetworkConnection;
> import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
> import org.apache.directory.shared.kerberos.components.EncryptionKey;
> import org.apache.directory.shared.ldap.model.entry.Attribute;
> import org.apache.directory.shared.ldap.model.entry.DefaultAttribute;
> import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
> import org.apache.directory.shared.ldap.model.entry.Entry;
> import org.apache.directory.shared.ldap.model.exception.LdapException;
>
> public static void createPrincipalWithDSCode () throws LdapException, IOException {
>     String USERS_DN = "cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com";
>     String rdn = "[email protected]";
>     String principalName = "[email protected]";
>     String userPassword = "apple";
>     String loginDN = "cn=Manager,dc=example,dc=com"; // ou=people,dc=example,dc=com";
>     String loginDNPwd = "apple123$"; // "people";
>
>     LdapConnection connection = null;
>     try {
>         connection = new LdapNetworkConnection("localhost", 389);
>         connection.bind(loginDN, loginDNPwd);
>
>         Entry entry = new DefaultEntry();
>         entry.setDn( rdn + "," + USERS_DN );
>         entry.add( "objectClass", "krbPrincipal", "krbPrincipalAux", "krbTicketPolicyAux");
>         entry.add("krbPrincipalName", principalName);
>         entry.add("krbLoginFailedCount", "0");
>         entry.add("krbTicketFlags", "0");
>         entry.add("krbTicketFlags", "0");
>
>         KerberosPrincipal principal = new KerberosPrincipal(principalName);
>         KerberosKey kerberosKey = new KerberosKey(principal, userPassword.toCharArray(), "DES");
>         EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5,
>                 kerberosKey.getEncoded(), kerberosKey.getVersionNumber());
>         Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
>         ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
>         encryptionKey.encode(buffer);
>         keyAttribute.add(new byte[][] { buffer.array() });

why are you inserting a 2D array here?

>         //entry.put(new Attribute[] {
>         //    getKeyAttribute(addContext.getSession().getDirectoryService().getSchemaManager(), keys) });
>         entry.put(new Attribute[]{ keyAttribute });
>         System.out.println("keyAttribute" + keyAttribute);
>         //entry.add(keyAttribute);
>         System.out.println("entry" + entry);
>         connection.add( entry );
>         System.out.println("Entry has been created");
>         System.out.println(connection);
>         connection.unBind();
>     } catch (Exception e) {
>         e.printStackTrace();
>     } finally {
>         connection.close();
>     }
> }
>
> Java console:
>
> keyAttribute krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1
> 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
>
> entryEntry
> dn: [email protected],cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com
> objectClass: krbPrincipal
> objectClass: krbPrincipalAux
> objectClass: krbTicketPolicyAux
> krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
> 0xD3 0x45 0x25 0x46 0xA4 ...'
> krbTicketFlags: 0
> krbLoginFailedCount: 0
> krbPrincipalName: [email protected]
>
> Entry has been created
> org.apache.directory.ldap.client.api.LdapNetworkConnection@526d0040
>
> And when I kinit from the terminal with the principal created above, it
> results in the error below.
>
> AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT:
> [email protected] for krbtgt/[email protected], unable to decode
> stored principal key data (ASN.1 identifier doesn't match expected value)
>
> Thanks
> Kamalakar

-- 
Kiran Ayyagari
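An added example, not code from the thread, the Apache DS project or MIT Kerberos, that shows what the KDC's "ASN.1 identifier doesn't match expected value" is complaining about. The bytes the Java code stores in krbPrincipalKey (0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 ...) are a bare RFC 4120 EncryptionKey. My reading of the MIT kdb_ldap schema (an assumption, stated as such in the code) is that the attribute must instead hold a KrbKeySet: a SEQUENCE of [0] attribute-major-vno, [1] attribute-minor-vno, [2] kvno, [3] mkvno and [4] SEQUENCE OF KrbKey, where each KrbKey carries the EncryptionKey under tag [1]. A tag-checking decoder accepts the first member of the stored value ([0] INTEGER fits both layouts) and fails on the second, where it expects [1] INTEGER and finds [1] OCTET STRING. The block uses a small hand-written DER encoder/decoder so the two layouts can be compared byte for byte; the DES key bytes are a constructed sample, since the mail elides the real ones. Two further assumptions from my side: a real kdb_ldap record stores the key value encrypted under the KDB master key (which is what mkvno refers to), so framing alone does not make a password-derived key usable, and the supported path to create principals remains kadmin/kadmin.local.

```python
# Added example (not from the thread): compare the stored krbPrincipalKey value
# with the KrbKeySet framing MIT's LDAP backend reads. Assumptions are marked.

# --- minimal DER encoding ----------------------------------------------------

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def integer(v: int) -> bytes:
    n = max(1, (v.bit_length() + 8) // 8)          # leave room for the sign bit
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)

def sequence(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n] (0xA0 | n), as Kerberos ASN.1 uses."""
    return tlv(0xA0 | n, body)

def encode_encryption_key(keytype: int, keyvalue: bytes) -> bytes:
    """RFC 4120 EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }."""
    return sequence(ctx(0, integer(keytype)), ctx(1, octet_string(keyvalue)))

def encode_krbkeyset(kvno: int, mkvno: int, keys) -> bytes:
    """KrbKeySet as I read the MIT kdb_ldap schema (assumption):
       [0] attribute-major-vno=1, [1] attribute-minor-vno=1, [2] kvno, [3] mkvno,
       [4] SEQUENCE OF KrbKey { key [1] EncryptionKey }. Salt and s2kparams are
       omitted. In a real record keyvalue is master-key ciphertext, which this
       example does not produce; it only shows the outer framing."""
    krbkeys = [sequence(ctx(1, encode_encryption_key(kt, kv))) for kt, kv in keys]
    return sequence(ctx(0, integer(1)), ctx(1, integer(1)), ctx(2, integer(kvno)),
                    ctx(3, integer(mkvno)), ctx(4, sequence(*krbkeys)))

# --- minimal DER decoding ----------------------------------------------------

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV that starts at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def split_members(body: bytes):
    """Split a run of concatenated TLVs into a list of (tag, body)."""
    items, pos = [], 0
    while pos < len(body):
        t, b, pos = parse_tlv(body, pos)
        items.append((t, b))
    return items

def parse_sequence(buf: bytes):
    tag, body, _ = parse_tlv(buf)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: tag 0x%02x" % tag)
    return split_members(body)

# Universal tag a KrbKeySet decoder expects inside each context tag [n].
KRBKEYSET_LAYOUT = {0: 0x02, 1: 0x02, 2: 0x02, 3: 0x02, 4: 0x30}

def check_krbkeyset_layout(value: bytes):
    """Walk the outer SEQUENCE the way a tag-checking decoder does. Returns None
       when every member fits KrbKeySet, otherwise
       (field_number, expected_inner_tag, actual_inner_tag) for the first misfit."""
    for ctag, cbody in parse_sequence(value):
        n = ctag & 0x1F
        expected = KRBKEYSET_LAYOUT.get(n)
        if expected is None or cbody[0] != expected:
            return (n, expected, cbody[0])
    return None

def decode_encryption_key(buf: bytes):
    parts = {t & 0x1F: parse_tlv(b)[1] for t, b in parse_sequence(buf)}
    return int.from_bytes(parts[0], "big", signed=True), parts[1]

def decode_krbkeyset(value: bytes) -> dict:
    """Decode a KrbKeySet produced by encode_krbkeyset back into Python values."""
    out = {"keys": []}
    for ctag, cbody in parse_sequence(value):
        n = ctag & 0x1F
        if n < 4:
            out[("major", "minor", "kvno", "mkvno")[n]] = int.from_bytes(
                parse_tlv(cbody)[1], "big", signed=True)
        else:
            for _, krbkey_body in parse_sequence(cbody):
                for mtag, mbody in split_members(krbkey_body):
                    if mtag & 0x1F == 1:
                        out["keys"].append(decode_encryption_key(mbody))
    return out

# Constructed sample DES key; the mail elides the poster's real key bytes.
SAMPLE_KEY = bytes(range(8))
# What the posted Java code writes: a bare EncryptionKey, keytype 3 = des-cbc-md5.
STORED_BY_POSTER = encode_encryption_key(3, SAMPLE_KEY)

if __name__ == "__main__":
    print("stored :", STORED_BY_POSTER.hex())          # starts 3011a003020103a10a0408
    print("misfit :", check_krbkeyset_layout(STORED_BY_POSTER))   # -> (1, 2, 4)
    keyset = encode_krbkeyset(1, 1, [(3, SAMPLE_KEY)])
    print("keyset :", keyset.hex())
    print("fits   :", check_krbkeyset_layout(keyset))  # -> None
    print("decoded:", decode_krbkeyset(keyset))
```

Running it prints the same 11-byte prefix the poster saw in the Java console, then reports the misfit at field [1] (expected INTEGER 0x02, found OCTET STRING 0x04), which is the point at which a tag-checking decoder raises the ASN.1 identifier error. The KrbKeySet built by `encode_krbkeyset` passes the same walk and round-trips through `decode_krbkeyset`; it is a framing demonstration only, because the key material inside a real kdb_ldap record is master-key ciphertext.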
