Re: Apache Directory Studio with Kerberos login
Will do, thanks! Will work through the rest.

----- Original Message -----
From: Emmanuel Lécharny
To: users@directory.apache.org
Sent: Tuesday, January 24, 2017 6:19 PM
Subject: Re: Apache Directory Studio with Kerberos login

> On 25/01/2017 at 01:13, Lamar Hansford wrote:
> > Ok, found this is related to the Server SASL settings in Studio. Is this
> > expected behavior? Isn't SASL an independent protocol?
>
> Two things:
> - first, the NPE is clearly a bug. We should have detected that the entry
>   was missing, instead of trying to access it. Can you file a JIRA for
>   this one?
> - second, Studio uses SASL when it tries to bind using the Kerberos
>   credentials; this is done using GSSAPI, and it's plain normal.
>
> --
> Emmanuel Lecharny
> Symas.com
> directory.apache.org
Re: Apache Directory Studio with Kerberos login
On 25/01/2017 at 01:13, Lamar Hansford wrote:
> Ok, found this is related to the Server SASL settings in Studio. Is this
> expected behavior? Isn't SASL an independent protocol?

Two things:
- first, the NPE is clearly a bug. We should have detected that the entry
  was missing, instead of trying to access it. Can you file a JIRA for
  this one?
- second, Studio uses SASL when it tries to bind using the Kerberos
  credentials; this is done using GSSAPI, and it's plain normal.

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Apache Directory Studio with Kerberos login
Ok, found this is related to the Server SASL settings in Studio. Is this expected behavior? Isn't SASL an independent protocol?

----- Original Message -----
From: Lamar Hansford
To: "users@directory.apache.org"
Sent: Tuesday, January 24, 2017 5:58 PM
Subject: Apache Directory Studio with Kerberos login

> My setup:
> * Ubuntu 16.04
> * Oracle JRE with JCE (1.8)
> * ApacheDS back-end (apacheds-2.0.0-M23)
> * Apache Directory Studio Version: 2.0.0.v20161101-M12
>
> Using kinit (localhost)
> Kerberos working with kinit on localhost (using FQDN).
> * kinit @
>
> With logging enabled I can see authentication against
> * krb5PrincipalName=@ => OK
> * krb5PrincipalName=krbtgt/@ => OK
> Ticket Granted
>
> Using Directory Studio (Windows): !! Not working !!
>
> From debug log:
> Authenticate against
> * krb5PrincipalName=@ => OK
> * krb5PrincipalName=ldap/@ => OK
> * krb5PrincipalName=ldap/@ => OK
> All good up to this point
>
> [17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /173.174.45.64:52800 SENT:
> >--- KdcRep : TGS-REP
>   pvno : 5
>   msg-type : TGS_REP
>   crealm : MAGRATHEA.COM
>   cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> }
>   Ticket :
>     tkt-vno : 5
>     realm : MAGRATHEA.COM
>     sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }
>   etc
>
> Here is where it gets strange:
>
> [17:36:24] DEBUG [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - Received:
> MessageType : BIND_REQUEST
> Message ID : 1
>   BindRequest
>     Version : '3'
>     Name : ''
>     Sasl credentials
>       Mechanism :'GSSAPI'
>       Credentials : (omitted-for-safety)
> [17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/ldap.example@example.com)'
> [17:36:24] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/ldap.example@example.com)'
>
> Which obviously fails since krb5PrincipalName=ldap/ldap.example@example.com is a placeholder value.
>
> Stack trace:
> java.lang.NullPointerException
>   at org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.getEntry(GetPrincipal.java:93)
>   at org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.execute(GetPrincipal.java:77)
>   at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:171)
>   at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:135)
>   at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:65)
>   at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSaslAuth(BindRequestHandler.java:587)
>   at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:640)
>   at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:66)
>   at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
>   at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
>
> I'm not new to networking or auth schemes but this is my first time with Kerberos. Is this a bug? Why is there a reference to SASL? (Configured SASL just to see if the EXAMPLE.COM was present and it still is.)
>
> Thanks!
> -Lamar
Apache Directory Studio with Kerberos login
My setup:
* Ubuntu 16.04
* Oracle JRE with JCE (1.8)
* ApacheDS back-end (apacheds-2.0.0-M23)
* Apache Directory Studio Version: 2.0.0.v20161101-M12

Using kinit (localhost)
Kerberos working with kinit on localhost (using FQDN).
* kinit @

With logging enabled I can see authentication against
* krb5PrincipalName=@ => OK
* krb5PrincipalName=krbtgt/@ => OK
Ticket Granted

Using Directory Studio (Windows): !! Not working !!

From debug log:
Authenticate against
* krb5PrincipalName=@ => OK
* krb5PrincipalName=ldap/@ => OK
* krb5PrincipalName=ldap/@ => OK
All good up to this point

[17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /173.174.45.64:52800 SENT:
>--- KdcRep : TGS-REP
  pvno : 5
  msg-type : TGS_REP
  crealm : MAGRATHEA.COM
  cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> }
  Ticket :
    tkt-vno : 5
    realm : MAGRATHEA.COM
    sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }
  etc

Here is where it gets strange:

[17:36:24] DEBUG [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - Received:
MessageType : BIND_REQUEST
Message ID : 1
  BindRequest
    Version : '3'
    Name : ''
    Sasl credentials
      Mechanism :'GSSAPI'
      Credentials : (omitted-for-safety)
[17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/ldap.example@example.com)'
[17:36:24] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/ldap.example@example.com)'

Which obviously fails since krb5PrincipalName=ldap/ldap.example@example.com is a placeholder value.

Stack trace:
java.lang.NullPointerException
  at org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.getEntry(GetPrincipal.java:93)
  at org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.execute(GetPrincipal.java:77)
  at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:171)
  at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:135)
  at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:65)
  at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSaslAuth(BindRequestHandler.java:587)
  at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:640)
  at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:66)
  at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
  at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)

I'm not new to networking or auth schemes but this is my first time with Kerberos. Is this a bug? Why is there a reference to SASL? (Configured SASL just to see if the EXAMPLE.COM was present and it still is.)

Thanks!
-Lamar
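As an added example (not code from this thread or from the ApacheDS project), the script below correlates the three debug lines that matter in the post above: it pulls the service principal named in the TGS-REP, the SASL mechanism of the following bind, and the krb5PrincipalName the GSSAPI handler then searches for, and reports when the searched principal is still the unedited placeholder or does not match the principal the KDC actually issued the ticket for. The log text is a constructed sample reduced from the lines quoted in this post, PLACEHOLDER_PRINCIPAL is the value seen in the post's search filter, and all function names are mine.

```python
import re

# Constructed sample: three ApacheDS debug lines reduced from the log quoted in this post.
SAMPLE_LOG = """\
[17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /173.174.45.64:52800 SENT: >--- KdcRep : TGS-REP pvno : 5 msg-type : TGS_REP crealm : MAGRATHEA.COM cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> } Ticket : tkt-vno : 5 realm : MAGRATHEA.COM sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }
[17:36:24] DEBUG [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - Received: MessageType : BIND_REQUEST Message ID : 1 BindRequest Version : '3' Name : '' Sasl credentials Mechanism :'GSSAPI' Credentials : (omitted-for-safety)
[17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/ldap.example@example.com)'
"""

# The unedited default principal that the post's search filter shows (value copied from the log).
PLACEHOLDER_PRINCIPAL = "ldap/ldap.example@example.com"

# Ticket realm and sname components from a TGS-REP dump line.
TGS_REP_RE = re.compile(
    r"TGS-REP.*?Ticket :.*?realm : (?P<realm>\S+).*?"
    r"sname : \{[^}]*name-string : <(?P<sname>[^>]*)>"
)
# SASL mechanism carried by a BIND_REQUEST.
BIND_RE = re.compile(r"BIND_REQUEST.*?Sasl credentials Mechanism :'(?P<mech>[^']+)'")
# Principal the GSSAPI handler looks up in the directory after the bind.
FILTER_RE = re.compile(r"filter :'\(krb5PrincipalName=(?P<principal>[^)]+)\)'")


def ticket_service_principal(line):
    """Service principal the KDC issued a ticket for, e.g. 'ldap/minime@MAGRATHEA.COM'."""
    m = TGS_REP_RE.search(line)
    if not m:
        return None
    components = re.findall(r"'([^']*)'", m.group("sname"))
    return "/".join(components) + "@" + m.group("realm")


def sasl_mechanism(line):
    """SASL mechanism of a bind request line, or None for other lines."""
    m = BIND_RE.search(line)
    return m.group("mech") if m else None


def searched_principal(line):
    """krb5PrincipalName value in a SearchOperation filter, or None."""
    m = FILTER_RE.search(line)
    return m.group("principal") if m else None


def realm_of(principal):
    return principal.rsplit("@", 1)[-1]


def analyse(log_text):
    """Correlate the TGS-REP, the SASL bind and the principal search; return a report dict."""
    report = {"ticket_service": None, "mechanism": None, "searched": None, "findings": []}
    for line in log_text.splitlines():
        report["ticket_service"] = ticket_service_principal(line) or report["ticket_service"]
        report["mechanism"] = sasl_mechanism(line) or report["mechanism"]
        report["searched"] = searched_principal(line) or report["searched"]

    searched, issued = report["searched"], report["ticket_service"]
    if report["mechanism"] == "GSSAPI" and searched:
        if searched == PLACEHOLDER_PRINCIPAL:
            report["findings"].append(
                "placeholder: the SASL GSSAPI principal was never changed from the default")
        if issued and realm_of(searched) != realm_of(issued):
            report["findings"].append(
                f"realm-mismatch: search uses {realm_of(searched)}, ticket realm is {realm_of(issued)}")
        if issued and searched != issued:
            report["findings"].append(
                f"principal-mismatch: server searched {searched}, KDC issued a ticket for {issued}")
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(f"TGS-REP service principal : {r['ticket_service']}")
    print(f"Bind mechanism            : {r['mechanism']}")
    print(f"Principal searched        : {r['searched']}")
    for finding in r["findings"]:
        print(" -", finding)
```

Run against the sample it reports that the KDC issued a ticket for ldap/minime@MAGRATHEA.COM while the LDAP server's GSSAPI handler searched for the placeholder ldap/ldap.example@example.com, which is exactly the gap between the "All good up to this point" Kerberos exchange and the failing bind; the same three regexes can be pointed at a full ApacheDS debug log to confirm whether the configured SASL principal is the one the tickets are actually issued for.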