Greetings,
I could use some help with getting tomcat to use Kerberos against Active
Directory.
I have been using Ethereal to sniff the packets going back and forth
from tomcat and I verified that with a normal server.xml entry (remove
the authentication attribute keyword from below), it uses 'simple'
authentication (clear text passwords).
Now the above works just fine but now I'm trying to take it to next
level and I found (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html)
specifies that there are the following values:
- EXTERNAL (RFC 2222). This mechanism obtains authentication information
from an external source (such as SSL/TLS or IPsec).
- DIGEST-MD5 (RFC 2831) is for Digest Authentication.
- GSSAPI (RFC 2222) is for Kerberos V5 authentication.
------
I wish to use GSSAPI to talk with Active Directory so I setup my
server.xml with the following :
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="4"
authentication="GSSAPI"
connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
connectionPassword="myPassword"
connectionURL="ldap://10.16.0.xx:389";
alternateURL="ldap://10.16.0.xx:389";
userBase="OU= myou,DC=company,DC=com"
userSearch="(sAMAccountName={0})"
userSubtree="true"
userRoleName="memberOf"
/>
And now I get a different type of error from Catalina.out:
Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
GSSException: No valid credentials provided (Mechanism level: Failed to
find any Kerberos Ticket)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential
.java:133)
.....
At least the GSSAPI is being recognized! Yes !!
------
My next step was talking with IT; they suggested a c:\winnt\krb5.ini
with the following:
[libdefaults]
default_realm = COMPANY.COM
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
[realms]
COMPANY.COM = {
kdc = addy.mycompany.com:88
admin_server = addy. mycompany.com:88
kpasswd_server = addy. mycompany.com:464
default_domain = COMPANY.COM
}
And that I then execute:
$ kinit DKlotz
Password for [EMAIL PROTECTED]:mypassword
New ticket is stored in cache file C:\Documents and
Settings\DKlotz\krb5cc_dklotz
------
But as you can see from the tomcat error log that something is still
missing. Do I need to move the cache file or do other commands so that
the code within ldap.jar can use it?
At this time tomcat never tries connecting to the LDAP server as it
can't get out of the starting gate. I've got something wrong / missing
from the Kerberos setup.
Any help is greatly appreciated!!
-Dennis Klotz
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
