Hi Chris,

According to your ldif file you are using hashed passwords. From my experience ApacheDS Kerberos implementation only works with plain text passwords. But I am not aware of the latest improvements. So I may be wrong.

Thanks
AmilaJ

2011/6/2 バーチャル クリストファー <[email protected]>

> Hello,
>
> I'm trying to set up ApacheDS 1.5.7 on Linux with Kerberos authentication.
>
> I basically followed this tutorial to the letter:
>
> http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html
>
> However, I am using a custom realm and hostname, instead of the
> localhost and EXAMPLE.COM used in the tutorial.
> (Incidentally, I had to add "primaryRealm" and "kdcPrincipal" attributes
> to the kdcServer attribute in server.xml to get my custom realm to work
> correctly.)
>
> I have 3 users: kerbuser, krbtgt and ldap. See attached LDIF file for
> details.
> All users have their krb5Key automatically generated by the
> KeyDerivationInterceptor.
>
> Authenticating with kinit works fine for all 3 users:
>
> kinit kerbuser
> kinit krbtgt/INFOSCIENCE.CO.JP
> kinit ldap/logst20.dev.infoscience.co.jp
>
> all work as expected, run either locally or remotely.
>
> However, when I try to login to ApacheDS using Directory Studio, I get
> "javax.naming.CommunicationException: Request: 1 cancelled".
> Looking at the Kerberos log server-side (see attached file), I find the
> message "Failed to find any Kerberos Key". It looks like it cannot find
> the Kerberos key for the "ldap" user. This is strange, because this user
> has its krb5Key attribute set correctly, just like the other users. Do I
> need to copy this key to somewhere else, e.g. a keytab file?
>
> I've spent days battling with this problem and I'm out of ideas. Can
> anybody shed some light on this?
>
> Thanks,
>
> Chris Birchall.
