[
https://issues.apache.org/jira/browse/DIRSERVER-2156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15354728#comment-15354728
]
Martin Choma commented on DIRSERVER-2156:
-----------------------------------------
Question is what is the fix now? Is it to make ApacheDS configurable
- useClientAddress - if false ApacheDS don't issue tickets with client address.
Default to current state - true.
- checkAddress - if false ApaceDS don't check address. Default to current
state- true.
> ApacheDS issues TGT kerberos ticket with address on IBM java
> ------------------------------------------------------------
>
> Key: DIRSERVER-2156
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2156
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 2.0.0-M20
> Reporter: Martin Choma
> Attachments: IBMJavaIdentityPropagation.log,
> IBMJavaIdentityPropagation.pcapng, OracleJavaIdentityPropagation.log,
> OracleJavaIdentityPropagation.pcapng
>
>
> ApacheDS issues TGT kerberos ticket with address on IBM java , even if
> noaddresses = true is explicitelly set in krb5.conf.
> Address in ticket causing problem, because ApacheDS check address in ticket
> with address of connection. And that leads to error "error 38 Incorrect net
> address"
> I dont see this issue on IBM java and Active Directory, for instance, so I
> think it is not problem of client code.
> Also note that running ApacheDS with openJDK and oracle java I also don't
> see this.
> Only problematic combination is is ApacheDS vs. IBM java 8
> Tested use case is identity propagation / delegation.
> In attachment you can find relevant log with
> org.apache.directory.server.KERBEROS_LOG set to DEBUG for oracle and ibm
> java.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
