Re: Apache Directory Studio with Kerberos login

2017-01-24 Thread Lamar Hansford
Will do thanks!  

Will work through the rest.


- Original Message -
From: Emmanuel Lécharny 
To: users@directory.apache.org
Sent: Tuesday, January 24, 2017 6:19 PM
Subject: Re: Apache Directory Studio with Kerberos login



On 25/01/2017 at 01:13, Lamar Hansford wrote:
> Ok, found this is related to the Server SASL settings in Studio.  Is this 
> expected behavior?  Isn't SASL an independent protocol?

Two things:

- first, the NPE is clearly a bug. We should have detected that the
entry was missing, instead of trying to access it. Can you file a JIRA
for this one?
- second, Studio uses SASL when it tries to bind using the Kerberos
credentials; this is done using GSSAPI, and it's plain normal.

-- 
Emmanuel Lecharny

Symas.com

directory.apache.org


Re: Apache Directory Studio with Kerberos login

2017-01-24 Thread Emmanuel Lécharny


On 25/01/2017 at 01:13, Lamar Hansford wrote:
> Ok, found this is related to the Server SASL settings in Studio.  Is this 
> expected behavior?  Isn't SASL an independent protocol?

Two things:

- first, the NPE is clearly a bug. We should have detected that the
entry was missing, instead of trying to access it. Can you file a JIRA
for this one?
- second, Studio uses SASL when it tries to bind using the Kerberos
credentials; this is done using GSSAPI, and it's plain normal.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Apache Directory Studio with Kerberos login

2017-01-24 Thread Lamar Hansford
Ok, found this is related to the Server SASL settings in Studio.  Is this 
expected behavior?  Isn't SASL an independent protocol?





- Original Message -
From: Lamar Hansford 
To: "users@directory.apache.org" 
Sent: Tuesday, January 24, 2017 5:58 PM
Subject: Apache Directory Studio with Kerberos login

My setup:

* Ubuntu 16.04
* Oracle JRE with JCE (1.8)
* ApacheDS back-end (apacheds-2.0.0-M23)
* Apache Directory Studio Version: 2.0.0.v20161101-M12

Using kinit (localhost)
Kerberos working with kinit on localhost (using FQDN).  
* kinit @  

With logging enabled I can see authentication against 
* krb5PrincipalName=@=> OK
* krb5PrincipalName=krbtgt/@   => OK
Ticket Granted

Using Directory Studio (Windows):
!! Not working !!

From debug log:
Authenticate against 

* krb5PrincipalName=@=> OK 
* krb5PrincipalName=ldap/@   => OK 

* krb5PrincipalName=ldap/@ => OK 


All good up to this point
  [17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - 
/173.174.45.64:52800 SENT: 
  
>---
 
  KdcRep : TGS-REP 
  pvno : 5 
  msg-type : TGS_REP 
  crealm : MAGRATHEA.COM 
  cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> } 
  Ticket : 
  tkt-vno : 5 
  realm : MAGRATHEA.COM 
  sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }etc

Here is where it gets strange:
  [17:36:24] DEBUG 
[org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - 
Received: MessageType : BIND_REQUEST 
  Message ID : 1 
  BindRequest 
  Version : '3' 
  Name : '' 
  Sasl credentials 
  Mechanism :'GSSAPI' 
  Credentials : (omitted-for-safety) 
  [17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> 
SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter 
:'(krb5PrincipalName=ldap/ldap.example@example.com)' 
  [17:36:24] DEBUG 
[org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation 
Context: SearchContext for Dn 'ou=users,ou=system', filter 
:'(krb5PrincipalName=ldap/ldap.example@example.com)'

Which obviously fails since krb5PrincipalName=ldap/ldap.example@example.com 
is a placeholder value.  Stack trace:
java.lang.NullPointerException 
  at 
org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.getEntry(GetPrincipal.java:93)
 
  at 
org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.execute(GetPrincipal.java:77)
 
  at 
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:171)
 
  at 
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:135)
 
  at 
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:65)
 
  at 
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSaslAuth(BindRequestHandler.java:587)
 
  at 
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:640)
 
  at 
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:66)
 
  at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
 
  at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)


I'm not new to networking or auth schemes but this is my first time with 
Kerberos.  Is this a bug?  Why is there a reference to SASL? (configured SASL 
just to see if the EXAMPLE.COM was present and it still is).

Thanks!
-Lamar


Apache Directory Studio with Kerberos login

2017-01-24 Thread Lamar Hansford
My setup:

* Ubuntu 16.04
* Oracle JRE with JCE (1.8)
* ApacheDS back-end (apacheds-2.0.0-M23)
* Apache Directory Studio Version: 2.0.0.v20161101-M12

Using kinit (localhost)
Kerberos working with kinit on localhost (using FQDN).  
* kinit @  

With logging enabled I can see authentication against 
* krb5PrincipalName=@=> OK
* krb5PrincipalName=krbtgt/@   => OK
Ticket Granted

Using Directory Studio (Windows):
!! Not working !!

From debug log:
Authenticate against 

* krb5PrincipalName=@=> OK 
* krb5PrincipalName=ldap/@   => OK 

* krb5PrincipalName=ldap/@ => OK 


All good up to this point
  [17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - 
/173.174.45.64:52800 SENT: 
  
>---
 
  KdcRep : TGS-REP 
  pvno : 5 
  msg-type : TGS_REP 
  crealm : MAGRATHEA.COM 
  cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> } 
  Ticket : 
  tkt-vno : 5 
  realm : MAGRATHEA.COM 
  sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }etc

Here is where it gets strange:
  [17:36:24] DEBUG 
[org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - 
Received: MessageType : BIND_REQUEST 
  Message ID : 1 
  BindRequest 
  Version : '3' 
  Name : '' 
  Sasl credentials 
  Mechanism :'GSSAPI' 
  Credentials : (omitted-for-safety) 
  [17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> 
SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter 
:'(krb5PrincipalName=ldap/ldap.example@example.com)' 
  [17:36:24] DEBUG 
[org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation 
Context: SearchContext for Dn 'ou=users,ou=system', filter 
:'(krb5PrincipalName=ldap/ldap.example@example.com)'

Which obviously fails since krb5PrincipalName=ldap/ldap.example@example.com 
is a placeholder value.  Stack trace:
java.lang.NullPointerException 
  at 
org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.getEntry(GetPrincipal.java:93)
 
  at 
org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.execute(GetPrincipal.java:77)
 
  at 
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:171)
 
  at 
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:135)
 
  at 
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:65)
 
  at 
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSaslAuth(BindRequestHandler.java:587)
 
  at 
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:640)
 
  at 
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:66)
 
  at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
 
  at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)


I'm not new to networking or auth schemes but this is my first time with 
Kerberos.  Is this a bug?  Why is there a reference to SASL? (configured SASL 
just to see if the EXAMPLE.COM was present and it still is).

Thanks!
-Lamar
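Added example (not from this thread, and not ApacheDS or Studio code): a
small Python script that reads the kind of debug excerpt posted above and
makes the failure visible before the stack trace does. It pulls the service
principal out of the TGS-REP ticket (sname plus realm), pulls the
krb5PrincipalName the GSSAPI handler searched for after the SASL bind, and
reports whether they name the same service and realm. It also shows the
lookup done the way Emmanuel describes the fix: a missing entry is reported
as a result, not dereferenced. The log text and the DIRECTORY dictionary are
constructed stand-ins modelled on the lines in the post; the function names
are this example's own.

```python
import re

# Constructed log excerpt, modelled on the ApacheDS debug lines quoted in
# the post (TGS-REP, then the SASL GSSAPI bind and the lookup it triggers).
LOG = """\
[17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /173.174.45.64:52800 SENT:
  KdcRep : TGS-REP
  pvno : 5
  msg-type : TGS_REP
  crealm : MAGRATHEA.COM
  cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> }
  Ticket :
  tkt-vno : 5
  realm : MAGRATHEA.COM
  sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }
[17:36:24] DEBUG [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - Received: MessageType : BIND_REQUEST
  Sasl credentials
  Mechanism :'GSSAPI'
[17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/ldap.example@example.com)'
"""

# Constructed stand-in for the entries under ou=users,ou=system, keyed by
# krb5PrincipalName: the three principals the post shows resolving OK.
DIRECTORY = {
    "lhansford@MAGRATHEA.COM": {"uid": "lhansford"},
    "krbtgt/MAGRATHEA.COM@MAGRATHEA.COM": {"uid": "krbtgt"},
    "ldap/minime@MAGRATHEA.COM": {"uid": "ldap"},
}


def parse_ticket_sname(log):
    """Service principal named in the TGS-REP ticket: the sname parts joined
    by '/', followed by '@' and the ticket realm (not the client realm)."""
    realm = re.search(r"^\s*realm : (\S+)", log, re.M)
    sname = re.search(r"sname : \{ name-type: \S+, name-string : <([^>]*)> \}", log)
    if not realm or not sname:
        raise ValueError("no TGS-REP ticket in log excerpt")
    parts = re.findall(r"'([^']*)'", sname.group(1))
    return "/".join(parts) + "@" + realm.group(1)


def parse_sasl_lookup_principal(log):
    """Principal the GSSAPI handler searched for after the SASL bind."""
    m = re.search(r"\(krb5PrincipalName=([^)]+)\)", log)
    if not m:
        raise ValueError("no krb5PrincipalName search in log excerpt")
    return m.group(1)


def split_principal(principal):
    """'service/host@REALM' -> ('service/host', 'REALM')."""
    name, _, realm = principal.partition("@")
    return name, realm


def diagnose(log):
    """Compare the ticket's service principal with the one the server looked
    up. A GSSAPI bind can only succeed when both name the same entry."""
    ticket = parse_ticket_sname(log)
    lookup = parse_sasl_lookup_principal(log)
    t_name, t_realm = split_principal(ticket)
    l_name, l_realm = split_principal(lookup)
    return {
        "ticket_principal": ticket,
        "lookup_principal": lookup,
        "service_match": t_name == l_name,
        "realm_match": t_realm == l_realm,  # Kerberos realms are case-sensitive
        "lookup_entry_exists": lookup in DIRECTORY,
    }


def find_principal(directory, principal):
    """Entry for a krb5PrincipalName, or None when absent. The caller must
    handle None explicitly instead of dereferencing a missing entry."""
    return directory.get(principal)


def check_service_principal(directory, principal):
    """The result a bind handler should report instead of a NullPointerException."""
    entry = find_principal(directory, principal)
    if entry is None:
        return "missing: no entry with krb5PrincipalName=" + principal
    return "found: uid=" + entry["uid"]


if __name__ == "__main__":
    result = diagnose(LOG)
    for key, value in result.items():
        print(key + ": " + str(value))
    print(check_service_principal(DIRECTORY, result["lookup_principal"]))
```

Run against the excerpt, diagnose() reports the ticket as
ldap/minime@MAGRATHEA.COM and the lookup as ldap/ldap.example@example.com,
with service, realm and entry-exists checks all false, which is the
placeholder-from-the-SASL-settings problem in one line rather than ten
frames of stack trace. The same comparison works on any ApacheDS log that
contains a TGS-REP followed by a GSSAPI bind, not only this one.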