Salut Emmanuel,
sorry to bother you again... but the change didn't help. There are two
things that I don't understand in the log files...
First I see this:
[log]
[12:11:13] DEBUG
[org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received
Authentication Service (AS) request:
messageType: initial authentication request (10)
protocolVersionNumber: 5
clientAddress: 127.0.1.1
nonce: 1200395473
kdcOptions: RENEWABLE_OK
clientPrincipal: ldap/[EMAIL PROTECTED]
serverPrincipal: krbtgt/[EMAIL PROTECTED]
encryptionType: aes256-cts-hmac-sha1-96 (18),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23),
des-cbc-crc (1), des-cbc-md5 (3), des-cbc-md4 (2)
realm: NVIASMS.EU
from time: 20080115111113Z
till time: 20080116111113Z
renew-till time: null
hostAddresses: null
[12:11:13] DEBUG
[org.apache.directory.server.kerberos.kdc.SelectEncryptionType] -
Session will use encryption type des-cbc-md5 (3).
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Bind
operation. bindDn: uid=admin,ou=system
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - bind:
principal: null
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
Authenticating 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.SimpleAuthenticator] -
0.9.2342.19200300.100.1.1=admin,2.5.4.11=system Authenticated
[12:11:13] DEBUG
[org.apache.directory.server.core.authn.AuthenticationService] - Testing
if entry name = 'ou=users,dc=example,dc=com' exists
[12:11:13] DEBUG
[org.apache.directory.server.core.partition.DefaultPartitionNexus] -
Check if DN
'2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com'
exists.
[12:11:13] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Client not found in Kerberos database (6)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Client not found in Kerberos database
at
org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry.getEntry(GetPrincipalStoreEntry.java:62)
at
...
[/log]
As I understand it, this means that the client is sending the right
information and something is badly configured on the ApacheDS side. Right?
And then a little bit further I see this:
[log]
at
org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.execute(SingleBaseSearch.java:104)
... 32 more
[12:11:13] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
explanatory text: Client not found in Kerberos database
error code: 6
clientPrincipal: null
client time: 20080115111113Z
serverPrincipal: krbtgt/[EMAIL PROTECTED]
server time: null
[/log]
This is something that I wouldn't expect here; I did a new ApacheDS
installation and this entry doesn't exist in my LDIF that I am
importing. Is this log entry caused by the Kerberos client?
My keytab shows the following entries:
[console]
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 1 ldap/[EMAIL PROTECTED]
[/console]
Is there some sort of cache that I am not aware of?
Thanks for your help.
Cheers,
Aleks
Emmanuel Lecharny wrote:
> Aleksandar Vidakovic wrote:
>> I am pretty sure that my LDAP configuration is OK. What I don't
>> understand is the content of the log file (see below). Obviously
>> something tries to search users under "ou=users,dc=example,dc=com" and I
>> am not sure if this is a mistake caused by the client or a wrong
>> ApacheDS configuration (my basedn is "dc=nviasms,dc=eu").
>>
> Change this line in the server.xml file:
>
> <property name="searchBaseDn" value="ou=users,ou=system" />
>
> to :
>
> <property name="searchBaseDn" value="dc=nviasms,dc=eu" />
>
> assuming you have created a partition with this name to store the users.
>
> (The searchBaseDn contains the place where the server will look for users)
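The log excerpt in Aleks's message shows the KDC receiving an AS request for realm NVIASMS.EU, then checking whether the DN ou=users,dc=example,dc=com exists before answering "Client not found in Kerberos database (6)", which is exactly the symptom Emmanuel's searchBaseDn advice addresses. The following Python script is an added example, not code from this thread or from the ApacheDS project: it parses a reconstructed copy of those log lines (constructed from the quoted log, with the mailing-list line wrapping undone and the redacted [EMAIL PROTECTED] token left as-is), translates the OID-keyed DN back into attribute names, and flags when the dc components of the searched base do not match the requested realm. The OID-to-attribute map and the "dc components imply the realm" heuristic are assumptions of this example, not something ApacheDS itself does.

```python
import re

# Constructed sample: the KDC debug records quoted in the thread, one record per line.
# "[EMAIL PROTECTED]" is the archive's redaction of the principal's host/realm part.
SAMPLE_LOG = """\
[12:11:13] DEBUG [org.apache.directory.server.kerberos.kdc.MonitorRequest] - Received Authentication Service (AS) request:
messageType: initial authentication request (10)
clientPrincipal: ldap/[EMAIL PROTECTED]
serverPrincipal: krbtgt/[EMAIL PROTECTED]
realm: NVIASMS.EU
[12:11:13] DEBUG [org.apache.directory.server.core.partition.DefaultPartitionNexus] - Check if DN '2.5.4.11=users,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com' exists.
[12:11:13] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Client not found in Kerberos database (6)
[12:11:13] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
explanatory text: Client not found in Kerberos database
error code: 6
clientPrincipal: null
"""

# ApacheDS logs DNs with attribute types as OIDs; this map (an assumption of the
# example) covers the three types that appear in the quoted log.
OID_TO_ATTR = {
    "0.9.2342.19200300.100.1.25": "dc",
    "2.5.4.11": "ou",
    "0.9.2342.19200300.100.1.1": "uid",
}

DN_CHECK_RE = re.compile(r"Check if DN '([^']+)' exists\.")
FIELD_RE = re.compile(r"^(realm|clientPrincipal|error code):\s*(.+)$")


def normalize_dn(dn):
    """Rewrite an OID-keyed DN into attribute-name form, e.g. ou=users,dc=example,dc=com."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{OID_TO_ATTR.get(attr, attr)}={value}")
    return ",".join(parts)


def realm_of_dn(dn):
    """Heuristic: the realm a dc-style base implies (dc=example,dc=com -> EXAMPLE.COM)."""
    rdns = (rdn.split("=", 1) for rdn in normalize_dn(dn).split(","))
    dcs = [value for attr, value in rdns if attr == "dc"]
    return ".".join(dcs).upper() if dcs else None


def triage(log_text):
    """Pull the request realm, the DN the KDC searched and the error code out of the
    log, and flag a search base whose dc components disagree with the request realm."""
    info = {"realm": None, "clientPrincipal": None, "search_dn": None, "error_code": None}
    for line in log_text.splitlines():
        m = DN_CHECK_RE.search(line)
        if m:
            info["search_dn"] = normalize_dn(m.group(1))
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            key, value = m.groups()
            if key == "error code":
                info["error_code"] = int(value)
            elif info[key] is None:
                # Keep the first occurrence: the request, not the "null" in the error reply.
                info[key] = value
    info["search_realm"] = realm_of_dn(info["search_dn"]) if info["search_dn"] else None
    info["base_mismatch"] = (
        info["search_realm"] is not None
        and info["realm"] is not None
        and info["search_realm"] != info["realm"]
    )
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["base_mismatch"]:
        print("KDC searched", result["search_dn"], "but the request was for realm",
              result["realm"], "- check the searchBaseDn property in server.xml")
```

Run against the sample, the script reports that the KDC looked under a base implying EXAMPLE.COM while the request was for NVIASMS.EU, which is the mismatch the thread is chasing; if the configured searchBaseDn were in effect, the "Check if DN" line would name a base under dc=nviasms,dc=eu instead.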