Hello,

I'm trying to set up ApacheDS 1.5.7 on Linux with Kerberos authentication.

I basically followed this tutorial to the letter:

http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html

However, I am using a custom realm and hostname, instead of the
localhost and EXAMPLE.COM used in the tutorial.
(Incidentally, I had to add "primaryRealm" and "kdcPrincipal" attributes
to the kdcServer attribute in server.xml to get my custom realm to work
correctly.)

I have 3 users: kerbuser, krbtgt and ldap. See attached LDIF file for
details.
All users have their krb5Key automatically generated by the
KeyDerivationInterceptor.

Authenticating with kinit works fine for all 3 users:

kinit kerbuser
kinit krbtgt/INFOSCIENCE.CO.JP
kinit ldap/logst20.dev.infoscience.co.jp

all work as expected, run either locally or remotely.

However, when I try to log in to ApacheDS using Directory Studio, I get
"javax.naming.CommunicationException: Request: 1 cancelled".
Looking at the Kerberos log server-side (see attached file), I find the
message "Failed to find any Kerberos Key". It looks like it cannot find
the Kerberos key for the "ldap" user. This is strange, because this user
has its krb5Key attribute set correctly, just like the other users. Do I
need to copy this key to somewhere else, e.g. a keytab file?

I've spent days battling with this problem and I'm out of ideas. Can
anybody shed some light on this?

Thanks,

Chris Birchall.

dn: o=infoscience
objectClass: organization
objectClass: top
o: infoscience
description: The context entry for suffix o=infoscience

dn: uid=kerbuser,o=infoscience
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Dave Kerb
krb5KeyVersionNumber: 0
krb5PrincipalName: [email protected]
sn: Kerb
krb5Key:: MBGgAwIBA6EKBAj7p3NwTOpoEA==
krb5Key:: MBmgAwIBEaESBBAFZrTw8gEvh36pYK6bR+lG
krb5Key:: MBmgAwIBF6ESBBBILjempXz5LyRtS7BqTYfX
krb5Key:: MCGgAwIBEKEaBBjBrrW/CBUsvzGo980jlCnlXr/Qwtn3XUo=
uid: kerbuser
userPassword:: a2VyYnNlY3JldA==
# Password is "kerbsecret"

dn: uid=krbtgt,o=infoscience
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: KDC Service
krb5KeyVersionNumber: 0
krb5PrincipalName: krbtgt/[email protected]
sn: Service
krb5Key:: MBGgAwIBA6EKBAgZ1YNtB2QcrQ==
krb5Key:: MBmgAwIBEaESBBCcDTJsjvF+qgka/+WShPtO
krb5Key:: MBmgAwIBF6ESBBCHjYAUYGzaKWd6RO+hNT/H
krb5Key:: MCGgAwIBEKEaBBjs4PHOKrrZc20LzeZ/Jea5cCmYUSz0/kM=
uid: krbtgt
userPassword:: c2VjcmV0
# Password is "secret"

dn: uid=ldap,o=infoscience
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: LDAP
krb5KeyVersionNumber: 0
krb5PrincipalName: ldap/[email protected]
sn: Service
krb5Key:: MBGgAwIBA6EKBAiPolhGWFdFgw==
krb5Key:: MBmgAwIBEaESBBAGFh2kWnqTlj8N/0jxhCJ6
krb5Key:: MBmgAwIBF6ESBBCHjYAUYGzaKWd6RO+hNT/H
krb5Key:: MCGgAwIBEKEaBBjj/hYNfKs4cPfmN8HITAvQPmTgILN6zVg=
uid: ldap
userPassword:: c2VjcmV0
# Password is "secret"

[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3388 CREATED:  datagram
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3388 OPENED
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3388 RCVD:  
org.apache.directory.server.kerberos.shared.messages.KdcRequest@4fb595f3
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Received Authentication Service (AS) request:
        messageType:           AS_REQ
        protocolVersionNumber: 5
        clientAddress:         172.28.2.33
        nonce:                 880787125
        kdcOptions:
        clientPrincipal:       [email protected]
        serverPrincipal:       krbtgt/[email protected]
        encryptionType:        des-cbc-md5 (3), aes128-cts-hmac-sha1-96 (17), 
des-cbc-crc (1), rc4-hmac (23), des3-cbc-sha1-kd (16)
        realm:                 INFOSCIENCE.CO.JP
        from time:             null
        till time:             19700101000000Z
        renew-till time:       null
        hostAddresses:         null
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Session will use encryption type des-cbc-md5 (3).
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - 
Found entry ServerEntry
    dn[n]: uid=kerbuser,o=infoscience
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: inetOrgPerson
    objectClass: top
    uid: kerbuser
    sn: Kerb
    krb5PrincipalName: [email protected]
    userPassword: '0x6B 0x65 0x72 0x62 0x73 0x65 0x63 0x72 0x65 0x74 '
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xFB 0xA7 
0x73 0x70 0x4C ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xC1 0xAE 
0xB5 0xBF 0x08 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x05 0x66 
0xB4 0xF0 0xF2 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x48 0x2E 
0x37 0xA6 0xA5 ...'
    krb5KeyVersionNumber: 0
    cn: Dave Kerb
 for kerberos principal name [email protected]
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Verifying using SAM subsystem.
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Verifying using encrypted timestamp.
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Entry for client principal [email protected] has no SAM type.  
Proceeding with standard pre-authentication.
[13:22:39] WARN 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
Additional pre-authentication required (25)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: 
Additional pre-authentication required
        at 
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:269)
        at 
org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:107)
        at 
org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
        at 
org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
        at 
org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
        at 
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
        at 
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
        at 
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
        at 
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
        at 
org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
        at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
Responding to request with error:
        explanatory text:      Additional pre-authentication required
        error code:            25
        clientPrincipal:       null
        client time:           null
        serverPrincipal:       krbtgt/[email protected]
        server time:           20110602042239Z
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3388 SENT:  
org.apache.directory.server.kerberos.shared.messages.ErrorMessage@1a87ad67
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3389 CREATED:  datagram
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3389 OPENED
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3389 RCVD:  
org.apache.directory.server.kerberos.shared.messages.KdcRequest@418952cc
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Received Authentication Service (AS) request:
        messageType:           AS_REQ
        protocolVersionNumber: 5
        clientAddress:         172.28.2.33
        nonce:                 273514211
        kdcOptions:
        clientPrincipal:       [email protected]
        serverPrincipal:       krbtgt/[email protected]
        encryptionType:        des-cbc-md5 (3), aes128-cts-hmac-sha1-96 (17), 
des-cbc-crc (1), rc4-hmac (23), des3-cbc-sha1-kd (16)
        realm:                 INFOSCIENCE.CO.JP
        from time:             null
        till time:             19700101000000Z
        renew-till time:       null
        hostAddresses:         null
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Session will use encryption type des-cbc-md5 (3).
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - 
Found entry ServerEntry
    dn[n]: uid=kerbuser,o=infoscience
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: inetOrgPerson
    objectClass: top
    uid: kerbuser
    sn: Kerb
    krb5PrincipalName: [email protected]
    userPassword: '0x6B 0x65 0x72 0x62 0x73 0x65 0x63 0x72 0x65 0x74 '
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xFB 0xA7 
0x73 0x70 0x4C ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xC1 0xAE 
0xB5 0xBF 0x08 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x05 0x66 
0xB4 0xF0 0xF2 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x48 0x2E 
0x37 0xA6 0xA5 ...'
    krb5KeyVersionNumber: 0
    cn: Dave Kerb
 for kerberos principal name [email protected]
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Verifying using SAM subsystem.
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Verifying using encrypted timestamp.
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Entry for client principal [email protected] has no SAM type.  
Proceeding with standard pre-authentication.
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Pre-authentication by encrypted timestamp successful for 
[email protected].
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - 
Found entry ServerEntry
    dn[n]: uid=krbtgt,o=infoscience
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: inetOrgPerson
    objectClass: top
    uid: krbtgt
    sn: Service
    krb5PrincipalName: krbtgt/[email protected]
    userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x19 0xD5 
0x83 0x6D 0x07 ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xEC 0xE0 
0xF1 0xCE 0x2A ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x9C 0x0D 
0x32 0x6C 0x8E ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 
0x80 0x14 0x60 ...'
    krb5KeyVersionNumber: 0
    cn: KDC Service
 for kerberos principal name krbtgt/[email protected]
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Ticket will be issued for access to 
krbtgt/[email protected].
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Monitoring Authentication Service (AS) context:
        clockSkew              300000
        clientAddress          /172.28.2.33
        principal              [email protected]
        cn                     null
        realm                  null
        principal              [email protected]
        SAM type               null
        principal              krbtgt/[email protected]
        cn                     null
        realm                  null
        principal              krbtgt/[email protected]
        SAM type               null
        Request key type       des-cbc-md5 (3)
        Client key version     0
        Server key version     0
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Responding with Authentication Service (AS) reply:
        messageType:           AS_REP
        protocolVersionNumber: 5
        nonce:                 273514211
        clientPrincipal:       [email protected]
        client realm:          INFOSCIENCE.CO.JP
        serverPrincipal:       krbtgt/[email protected]
        server realm:          INFOSCIENCE.CO.JP
        auth time:             20110602042239Z
        start time:            null
        end time:              20110603042239Z
        renew-till time:       null
        hostAddresses:         null
[13:22:39] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3389 SENT:  
org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@1de2481b
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3390 CREATED:  datagram
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3390 OPENED
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3390 RCVD:  
org.apache.directory.server.kerberos.shared.messages.KdcRequest@7563a320
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - 
Received Ticket-Granting Service (TGS) request:
        messageType:           TGS_REQ
        protocolVersionNumber: 5
        clientAddress:         172.28.2.33
        nonce:                 1988585456
        kdcOptions:
        clientPrincipal:       null
        serverPrincipal:       
ldap/[email protected]
        encryptionType:        des-cbc-md5 (3), aes128-cts-hmac-sha1-96 (17), 
des-cbc-crc (1), rc4-hmac (23), des3-cbc-sha1-kd (16)
        realm:                 INFOSCIENCE.CO.JP
        from time:             null
        till time:             19700101000000Z
        renew-till time:       null
        hostAddresses:         null
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - 
Session will use encryption type des-cbc-md5 (3).
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - 
Found entry ServerEntry
    dn[n]: uid=krbtgt,o=infoscience
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: inetOrgPerson
    objectClass: top
    uid: krbtgt
    sn: Service
    krb5PrincipalName: krbtgt/[email protected]
    userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x19 0xD5 
0x83 0x6D 0x07 ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xEC 0xE0 
0xF1 0xCE 0x2A ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x9C 0x0D 
0x32 0x6C 0x8E ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 
0x80 0x14 0x60 ...'
    krb5KeyVersionNumber: 0
    cn: KDC Service
 for kerberos principal name krbtgt/[email protected]
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - 
Verifying body checksum type 'RSA_MD5'.
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - 
Found entry ServerEntry
    dn[n]: uid=ldap,o=infoscience
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: inetOrgPerson
    objectClass: top
    uid: ldap
    sn: Service
    krb5PrincipalName: ldap/[email protected]
    userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x8F 0xA2 
0x58 0x46 0x58 ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xE3 0xFE 
0x16 0x0D 0x7C ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x06 0x16 
0x1D 0xA4 0x5A ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 
0x80 0x14 0x60 ...'
    krb5KeyVersionNumber: 0
    cn: LDAP
 for kerberos principal name 
ldap/[email protected]
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - 
Monitoring Ticket-Granting Service (TGS) context:
        clockSkew              300000
        checksumType           RSA_MD5
        clientAddress          /172.28.2.33
        clientAddresses        null
        caddr contains sender  false
        principal              
ldap/[email protected]
        cn                     null
        realm                  null
        principal              
ldap/[email protected]
        SAM type               null
        principal              krbtgt/[email protected]
        cn                     null
        realm                  null
        principal              krbtgt/[email protected]
        SAM type               null
        Ticket key type        des-cbc-md5 (3)
        Service key version    0
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - 
Responding with Ticket-Granting Service (TGS) reply:
        messageType:           TGS_REP
        protocolVersionNumber: 5
        nonce:                 1988585456
        clientPrincipal:       [email protected]
        client realm:          INFOSCIENCE.CO.JP
        serverPrincipal:       
ldap/[email protected]
        server realm:          INFOSCIENCE.CO.JP
        auth time:             20110602042239Z
        start time:            20110602042244Z
        end time:              20110603042239Z
        renew-till time:       null
        hostAddresses:         null
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
/172.28.2.33:3390 SENT:  
org.apache.directory.server.kerberos.shared.messages.TicketGrantReply@67a1f370
[13:22:44] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - 
Found entry ServerEntry
    dn[n]: uid=ldap,o=infoscience
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: inetOrgPerson
    objectClass: top
    uid: ldap
    sn: Service
    krb5PrincipalName: ldap/[email protected]
    userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x8F 0xA2 
0x58 0x46 0x58 ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xE3 0xFE 
0x16 0x0D 0x7C ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x06 0x16 
0x1D 0xA4 0x5A ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 
0x80 0x14 0x60 ...'
    krb5KeyVersionNumber: 0
    cn: LDAP
 for kerberos principal name 
ldap/[email protected]
[13:22:44] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - 
Unexpected exception forcing session to close: sending disconnect notice to 
client.
java.security.PrivilegedActionException: javax.security.sasl.SaslException: 
Failure to initialize security context [Caused by GSSException: No valid 
credentials provided (Mechanism level: Failed to find any Kerberos Key)]
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at 
org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:76)
        at 
org.apache.directory.server.ldap.handlers.BindHandler.handleSaslAuth(BindHandler.java:551)
        at 
org.apache.directory.server.ldap.handlers.BindHandler.handle(BindHandler.java:606)
        at 
org.apache.directory.server.ldap.handlers.BindHandler.handle(BindHandler.java:62)
        at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:194)
        at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:58)
        at 
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
        at 
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:193)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
        at 
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:71)
        at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
        at 
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
        at 
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
        at java.lang.Thread.run(Thread.java:662)
Caused by: javax.security.sasl.SaslException: Failure to initialize security 
context [Caused by GSSException: No valid credentials provided (Mechanism 
level: Failed to find any Kerberos Key)]
        at 
com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:95)
        at 
com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:67)
        at javax.security.sasl.Sasl.createSaslServer(Sasl.java:491)
        at 
org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler$1.run(GssapiMechanismHandler.java:80)
        at 
org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler$1.run(GssapiMechanismHandler.java:77)
        ... 19 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed 
to find any Kerberos Key)
        at 
sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:95)
        at 
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
        at 
sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
        at 
sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
        at 
com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:78)
        ... 23 more
[13:22:44] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Null 
LdapSession given to cleanUpSession.
<?xml version="1.0" encoding="UTF-8"?>

<!--
  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.
-->


<spring:beans xmlns="http://apacheds.org/config/1.5.7"
       xmlns:spring="http://xbean.apache.org/schemas/spring/1.0"
       xmlns:s="http://www.springframework.org/schema/beans">

  <defaultDirectoryService id="directoryService" instanceId="default"
                           replicaId="1"
                           workingDirectory="infoscience.co.jp"
                           allowAnonymousAccess="true"
                           accessControlEnabled="false"
                           denormalizeOpAttrsEnabled="false"
                           syncPeriodMillis="15000"
                           maxPDUSize="2000000">
    <systemPartition>
      <!-- use the following partitionConfiguration to override defaults for -->
      <!-- the system partition                                              -->
      <jdbmPartition id="system" cacheSize="100" suffix="ou=system" optimizerEnabled="true" syncOnWrite="true">
        <indexedAttributes>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.1" cacheSize="100"/>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.2" cacheSize="100"/>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.3" cacheSize="100"/>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.4" cacheSize="100"/>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.5" cacheSize="10"/>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.6" cacheSize="10"/>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.7" cacheSize="10"/>
          <jdbmIndex attributeId="ou" cacheSize="100"/>
          <jdbmIndex attributeId="uid" cacheSize="100"/>
          <jdbmIndex attributeId="objectClass" cacheSize="100"/>
        </indexedAttributes>
      </jdbmPartition>
    </systemPartition>

    <partitions>
      <jdbmPartition id="infoscience" suffix="o=infoscience" />
    </partitions>

    <interceptors>
      <normalizationInterceptor/>
      <authenticationInterceptor/>
      <referralInterceptor/>
      <aciAuthorizationInterceptor/>
      <defaultAuthorizationInterceptor/>
      <exceptionInterceptor/>
      <operationalAttributeInterceptor/>

      <!-- Uncomment to enable the password policy interceptor
      <passwordPolicyInterceptor/>
      -->
      <!-- Uncommented in order to use Kerberos -->
      <keyDerivationInterceptor/>

      <schemaInterceptor/>
      <subentryInterceptor/>
      <collectiveAttributeInterceptor/>
      <eventInterceptor/>
      <triggerInterceptor/>
    </interceptors>
  </defaultDirectoryService>

  <!--
  +============================================================+
  | Kerberos server configuration                              |
  +============================================================+
  -->
  <kdcServer id="kdcServer" primaryRealm="INFOSCIENCE.CO.JP" kdcPrincipal="krbtgt/[email protected]" searchBaseDn="o=infoscience">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
  </kdcServer>

  <!--
  +============================================================+
  | LDAP Service configuration                                 |
  +============================================================+
  -->
  <ldapServer id="ldapServer"
            allowAnonymousAccess="false"
            saslHost="logst20.dev.infoscience.co.jp"
            saslPrincipal="ldap/[email protected]"
            searchBaseDn="o=infoscience"
            maxTimeLimit="15000"
            maxSizeLimit="1000"
            keystoreFile="/var/lib/apacheds-1.5.7/logst20ldap/keystore"
            certificatePassword="logst20">
    <transports>
      <tcpTransport address="0.0.0.0" port="10389" nbThreads="8" backLog="50" enableSSL="false"/>
      <tcpTransport address="0.0.0.0" port="10636" enableSSL="true"/>
    </transports>

    <directoryService>#directoryService</directoryService>

    <!-- The list of supported authentication mechanisms.                   -->
    <saslMechanismHandlers>
      <simpleMechanismHandler mech-name="SIMPLE"/>
      <cramMd5MechanismHandler mech-name="CRAM-MD5" />
      <digestMd5MechanismHandler mech-name="DIGEST-MD5" />
      <gssapiMechanismHandler mech-name="GSSAPI" />
      <ntlmMechanismHandler mech-name="NTLM" ntlmProviderFqcn="com.foo.Bar"/>
      <ntlmMechanismHandler mech-name="GSS-SPNEGO" ntlmProviderFqcn="com.foo.Bar"/>
    </saslMechanismHandlers>

    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
    <saslRealms>
      <s:value>infoscience.co.jp</s:value>
    </saslRealms>

    <!-- the collection of extended operation handlers to install           -->
    <extendedOperationHandlers>
      <startTlsHandler/>
      <gracefulShutdownHandler/>
      <launchDiagnosticUiHandler/>
      <!-- The Stored Procedure Extended Operation is not stable yet and it may cause security risks.-->
      <!--storedProcedureExtendedOperationHandler/-->
    </extendedOperationHandlers>
  </ldapServer>

  <apacheDS id="apacheDS">
    <ldapServer>#ldapServer</ldapServer>
  </apacheDS>
</spring:beans>
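An added diagnostic, not code from the post or from ApacheDS: it decodes the krb5Key values of an LDIF (each one is a DER EncryptionKey, RFC 4120 section 5.2.9) and lists which encryption types every principal actually holds keys for, so an "enctype not stored" cause can be confirmed or ruled out against the enctypes a request negotiated. The sample entry, its principal name and its key bytes are constructed; run over the LDIF in the post it reports enctypes 3, 16, 17 and 23 on all three entries, so the des-cbc-md5 (3) key the KDC selected is present in the directory, and the "Failed to find any Kerberos Key" in the trace is raised by the LDAP server's JGSS acceptor (sun.security.jgss.krb5.Krb5AcceptCredential), which looks for KerberosKey credentials in the JAAS Subject the GSSAPI handler logged in with, not in the directory entry.

```python
"""Decode ApacheDS krb5Key values (constructed example, not code from the post).

EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }
which is why every value in the post starts 30 <len> A0 03 02 01 <etype> A1 ...
"""
import base64
from typing import Dict, List, Tuple

# Encryption type numbers from RFC 3961/3962/4757, named as ApacheDS logs them.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _tlv(tag: int, value: bytes) -> bytes:
    """One DER tag-length-value; short-form length is enough for Kerberos keys."""
    if len(value) >= 0x80:
        raise ValueError("value too long for short-form DER length")
    return bytes([tag, len(value)]) + value


def encode_krb5key(keytype: int, keyvalue: bytes) -> bytes:
    """Build the DER EncryptionKey layout that ApacheDS stores in krb5Key."""
    kt = keytype.to_bytes(1 if keytype < 0x80 else 2, "big")  # positive Int32
    return _tlv(0x30, _tlv(0xA0, _tlv(0x02, kt)) + _tlv(0xA1, _tlv(0x04, keyvalue)))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_krb5key(der: bytes) -> Tuple[int, bytes]:
    """Return (keytype, keyvalue) from a DER EncryptionKey; reject any other layout."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("krb5Key is not a single DER SEQUENCE")
    t0, ctx0, pos = _read_tlv(seq, 0)
    t1, ctx1, pos = _read_tlv(seq, pos)
    if t0 != 0xA0 or t1 != 0xA1 or pos != len(seq):
        raise ValueError("unexpected EncryptionKey layout")
    itag, kt, _ = _read_tlv(ctx0, 0)
    otag, kv, _ = _read_tlv(ctx1, 0)
    if itag != 0x02 or otag != 0x04:
        raise ValueError("unexpected inner tags")
    return int.from_bytes(kt, "big", signed=True), kv


def parse_ldif_keys(ldif: str) -> Dict[str, List[int]]:
    """Map each entry's krb5PrincipalName to the enctypes of its krb5Key values."""
    result: Dict[str, List[int]] = {}
    principal, enctypes = None, []
    for raw in ldif.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if principal is not None:
                result[principal] = enctypes
            principal, enctypes = None, []
        elif line.startswith("krb5PrincipalName:"):
            principal = line.split(":", 1)[1].strip()
        elif line.startswith("krb5Key::"):  # "::" marks a base64 value in LDIF
            der = base64.b64decode(line.split("::", 1)[1].strip())
            enctypes.append(decode_krb5key(der)[0])
    return result


def missing_enctypes(found: Dict[str, List[int]], principal: str, wanted: List[int]) -> List[str]:
    """Names of the enctypes in `wanted` for which the principal's entry holds no key."""
    have = set(found.get(principal, []))
    return [ENCTYPE_NAMES.get(e, str(e)) for e in wanted if e not in have]


# Constructed sample entry (not from the post): a service principal with three keys.
SAMPLE_PRINCIPAL = "ldap/kdc.example.test@EXAMPLE.TEST"
SAMPLE_LDIF = "\n".join([
    "dn: uid=svc,o=example",
    "objectClass: krb5KDCEntry",
    "krb5PrincipalName: " + SAMPLE_PRINCIPAL,
] + ["krb5Key:: " + base64.b64encode(encode_krb5key(et, bytes([et]) * n)).decode()
     for et, n in ((3, 8), (17, 16), (23, 16))])

if __name__ == "__main__":
    keys = parse_ldif_keys(SAMPLE_LDIF)
    for name, ets in keys.items():
        print(name, [ENCTYPE_NAMES.get(e, e) for e in ets])
    # enctypes a client offered, in the order of the AS_REQ in the post's log
    print("missing:", missing_enctypes(keys, SAMPLE_PRINCIPAL, [3, 17, 1, 23, 16]))
```

To check a real export, pass the file contents to parse_ldif_keys instead of SAMPLE_LDIF; the sample deliberately lacks des-cbc-crc (1) and des3 (16) so the report shows what a gap looks like.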
