Salut all,
I'm trying to configure ApacheDS as a Kerberos server and used the
article under
http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-openldap-using-apacheds.html
as a reference.
I started with the "example.com" example and later modified it to my
needs. When I start ApacheDS with my modifications (only the domain and
user DN changed), no users can be found when I try to connect with:
kinit -k ldap/[EMAIL PROTECTED]
I am pretty sure that my LDAP configuration is OK. What I don't
understand is the content of the log file (see below). Obviously
something tries to search for users under "ou=users,dc=example,dc=com",
and I am not sure whether this is a mistake caused by the client or a
wrong ApacheDS configuration (my base DN is "dc=nviasms,dc=eu").
I already tried deleting ApacheDS's output directory and restarting,
but I still get the same effect. And of course I created a new Kerberos
keytab file after modifying the server.xml configuration, but somehow
the "example.com" configuration still exists.
Is there some sort of cache that I'm not seeing? Does anyone know
whether this is caused by a wrong configuration on the server or on the
client side?
Thanks in advance for your help.
Cheers,
Aleks
[20:38:20] DEBUG [org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received Authentication Service (AS) request:
messageType: initial authentication request (10)
protocolVersionNumber: 5
clientAddress: 127.0.1.1
nonce: 1200339500
kdcOptions: RENEWABLE_OK
clientPrincipal: ldap/[EMAIL PROTECTED]
serverPrincipal: krbtgt/[EMAIL PROTECTED]
encryptionType: aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3), des-cbc-md4 (2)
realm: NVIASMS.EU
from time: 20080114193820Z
till time: 20080115193820Z
renew-till time: null
hostAddresses: null
[20:38:20] DEBUG [org.apache.directory.server.kerberos.kdc.SelectEncryptionType] - Session will use encryption type des-cbc-md5 (3).
[20:38:20] DEBUG [org.apache.directory.server.core.authn.AuthenticationService] - Bind operation. bindDn: uid=admin,ou=system
[20:38:20] DEBUG [org.apache.directory.server.core.authn.AuthenticationService] - bind: principal: null
[20:38:20] DEBUG [org.apache.directory.server.core.authn.SimpleAuthenticator] - Authenticating 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
[20:38:20] DEBUG [org.apache.directory.server.core.authn.SimpleAuthenticator] - 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system Authenticated
[20:38:20] DEBUG [org.apache.directory.server.core.authn.AuthenticationService] - Testing if entry name = 'ou=users,dc=example,dc=com' exists
[20:38:20] DEBUG [org.apache.directory.server.core.partition.DefaultPartitionNexus] - Check if DN '2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com' exists.
[20:38:20] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Client not found in Kerberos database (6)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Client not found in Kerberos database
    at org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:62)
    at org.apache.directory.server.kerberos.kdc.authentication.GetClientEntry.execute(GetClientEntry.java:44)
    at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
    at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
    at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
    at org.apache.directory.server.kerberos.kdc.SelectEncryptionType.execute(SelectEncryptionType.java:62)
    at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
    at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
    at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
    at org.apache.directory.server.kerberos.kdc.authentication.ConfigureAuthenticationChain.execute(ConfigureAuthenticationChain.java:56)
    at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
    at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
    at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
    at org.apache.directory.server.kerberos.kdc.MonitorRequest.execute(MonitorRequest.java:93)
    at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
    at org.apache.mina.handler.chain.IoHandlerChain.access$500(IoHandlerChain.java:36)
    at org.apache.mina.handler.chain.IoHandlerChain$Entry$1.execute(IoHandlerChain.java:317)
    at org.apache.mina.handler.chain.IoHandlerChain$1.execute(IoHandlerChain.java:63)
    at org.apache.mina.handler.chain.IoHandlerChain.callNextCommand(IoHandlerChain.java:201)
    at org.apache.mina.handler.chain.IoHandlerChain.execute(IoHandlerChain.java:193)
    at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:162)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:220)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:264)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.directory.server.protocol.shared.ServiceConfigurationException: Failed to get initial context ou=users,dc=example,dc=com
    at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:109)
    at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:88)
    at org.apache.directory.server.kerberos.shared.store.JndiPrincipalStoreImpl.getPrincipal(JndiPrincipalStoreImpl.java:84)
    at org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:58)
    ... 29 more
Caused by: org.apache.directory.shared.ldap.exception.LdapNameNotFoundException: ou=users,dc=example,dc=com
    at org.apache.directory.server.core.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:1114)
    at org.apache.directory.server.core.partition.DefaultPartitionNexus.hasEntry(DefaultPartitionNexus.java:1035)
    at org.apache.directory.server.core.interceptor.InterceptorChain$1.hasEntry(InterceptorChain.java:165)
    at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
    at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
    at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
    at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
    at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
    at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
    at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
    at org.apache.directory.server.core.exception.ExceptionService.assertHasEntry(ExceptionService.java:565)
    at org.apache.directory.server.core.exception.ExceptionService.lookup(ExceptionService.java:291)
    at org.apache.directory.server.core.interceptor.InterceptorChain.lookup(InterceptorChain.java:902)
    at org.apache.directory.server.core.partition.PartitionNexusProxy.lookup(PartitionNexusProxy.java:546)
    at org.apache.directory.server.core.authz.AuthorizationService.hasEntry(AuthorizationService.java:619)
    at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
    at org.apache.directory.server.core.interceptor.BaseInterceptor.hasEntry(BaseInterceptor.java:148)
    at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
    at org.apache.directory.server.core.authn.AuthenticationService.hasEntry(AuthenticationService.java:327)
    at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.hasEntry(InterceptorChain.java:1310)
    at org.apache.directory.server.core.normalization.NormalizationService.hasEntry(NormalizationService.java:356)
    at org.apache.directory.server.core.interceptor.InterceptorChain.hasEntry(InterceptorChain.java:924)
    at org.apache.directory.server.core.partition.PartitionNexusProxy.hasEntry(PartitionNexusProxy.java:568)
    at org.apache.directory.server.core.partition.PartitionNexusProxy.hasEntry(PartitionNexusProxy.java:556)
    at org.apache.directory.server.core.jndi.ServerContext.<init>(ServerContext.java:163)
    at org.apache.directory.server.core.jndi.ServerDirContext.<init>(ServerDirContext.java:88)
    at org.apache.directory.server.core.jndi.ServerLdapContext.<init>(ServerLdapContext.java:63)
    at org.apache.directory.server.core.DefaultDirectoryService.getJndiContext(DefaultDirectoryService.java:195)
    at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:147)
    at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
    ... 32 more
[20:38:20] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
explanatory text: Client not found in Kerberos database
error code: 6
clientPrincipal: null
client time: 20080114193820Z
serverPrincipal: krbtgt/[EMAIL PROTECTED]
server time: null
[20:38:20] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.1.1:32907 SENT: [EMAIL PROTECTED]
[20:38:20] DEBUG [org.apache.mina.filter.executor.ExecutorFilter] - Exiting since queue is empty for /127.0.1.1:32907
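An added example, not part of Aleks's post and not ApacheDS code: a small Python script that reads the KDC debug output quoted above and tells apart the two reasons a KDC answers with KDC_ERR_C_PRINCIPAL_UNKNOWN (RFC 4120 error code 6). In this trace the LdapNameNotFoundException names the principal store's own search base, ou=users,dc=example,dc=com, so the store never got as far as looking for the principal; that points at the KDC's configured search base in server.xml rather than at a missing user entry. The other case, a base that exists but holds no entry for the principal, shows no such exception for the base DN. The sample log is excerpted from the post's own output, kept with the archive's line wrapping and redacted principals; the realm-to-suffix mapping in realm_to_base_dn follows the dc=example,dc=com naming used by the wiki article and is an assumption, not something the KDC derives; the function names are mine.

```python
import re

# Constructed sample: lines excerpted from the ApacheDS KDC debug log in the post
# above, kept with the list archive's line wrapping and its redacted principals.
SAMPLE_LOG = """\
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received
Authentication Service (AS) request:
messageType: initial authentication request (10)
realm: NVIASMS.EU
[20:38:20] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Testing
if entry name = 'ou=users,dc=example,dc=com' exists
[20:38:20] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Client not found in Kerberos database (6)
Caused by:
org.apache.directory.shared.ldap.exception.LdapNameNotFoundException:
ou=users,dc=example,dc=com
[20:38:20] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
explanatory text: Client not found in Kerberos database
error code: 6
"""

# RFC 4120 KRB-ERROR code carried in the response above ("Client not found").
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6


def _unwrap(log: str) -> str:
    """Collapse line wrapping so a field split across lines matches as one string."""
    return re.sub(r"\s+", " ", log)


def _normalise_dn(dn: str) -> str:
    """Lower-case the DN and strip blanks around RDNs for a loose comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, base: str) -> bool:
    """True if dn equals base or sits below it (suffix match on whole RDNs only)."""
    d, b = _normalise_dn(dn), _normalise_dn(base)
    return d == b or d.endswith("," + b)


def realm_to_base_dn(realm: str) -> str:
    """Map a realm to the dc-style suffix the wiki article pairs with it
    (EXAMPLE.COM -> dc=example,dc=com). Assumed naming convention only; the KDC
    does not derive its search base from the realm."""
    return ",".join("dc=" + label.lower() for label in realm.split("."))


def triage_as_req(log: str) -> dict:
    """Pull the realm, the search base the principal store tested, the DN the
    directory reported missing and the KRB-ERROR code out of one AS-REQ's debug
    output, and say which of the two error-6 causes fits."""
    text = _unwrap(log)

    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    realm = grab(r"\brealm: (\S+)")
    search_base = grab(r"Testing if entry name = '([^']+)' exists")
    missing_entry = grab(r"LdapNameNotFoundException: (\S+)")
    code = grab(r"error code: (\d+)")

    result = {
        "realm": realm,
        "error_code": int(code) if code else None,
        "search_base": search_base,
        "missing_entry": missing_entry,
        "expected_base": realm_to_base_dn(realm) if realm else None,
        "realm_base_mismatch": False,
    }

    if result["error_code"] != KDC_ERR_C_PRINCIPAL_UNKNOWN:
        result["diagnosis"] = "not a client-unknown error; nothing to triage"
        return result

    if search_base and missing_entry and _normalise_dn(search_base) == _normalise_dn(missing_entry):
        # The store never searched for the principal: the base it is configured
        # with is not served by any partition, so it is the KDC configuration,
        # not the user entry, that still points at the old suffix.
        result["diagnosis"] = "principal-store search base does not exist; fix the KDC's configured search base in server.xml"
    else:
        result["diagnosis"] = "search base exists; no entry for the principal was found under it"

    # Flag a search base that is not under the suffix the realm name suggests.
    if search_base and result["expected_base"]:
        result["realm_base_mismatch"] = not dn_under(search_base, result["expected_base"])
    return result


if __name__ == "__main__":
    for key, value in triage_as_req(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the trace in the post it reports the search base and the missing entry as the same DN, and flags that ou=users,dc=example,dc=com is not under dc=nviasms,dc=eu, which is the combination that says "old search base still configured" rather than "user not created". The unwrap step exists only because the archive wraps log lines; on a raw ApacheDS log each field sits on one line and the same regexes still match.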