You need to change two things in the config entry ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config :

1. change the value of ads-searchbasedn to ou=users,dc=example,dc=com in the entry
2. change the value of ads-saslprincipal to ldap/[email protected]

Additionally check the values of ads-krbencryptiontypes in the config entry ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config

Restart the server and try again.

HTH

On Sat, Jan 19, 2013 at 3:31 AM, Stephen Stroiazzo <[email protected]> wrote:

> Would it be possible to throw together a quick page on properly configuring
> Kerberos in the 2.0.0-M9 version of ApacheDS? Currently the default
> settings for the LDAP and Kerberos servers are properly laid out in the
> configuration pages, however the specific user accounts that they relate to,
> 'krbtgt/[email protected]' and 'ldap/[email protected]', no
> longer appear.
>
> If an updated .ldif could be attached somewhere in the new documentation
> and include the default accounts and settings necessary to allow Kerberos
> authentication through Apache Directory Studio - that would make things
> much easier for new users such as myself.
>
> I have not been having success while trying to alter the older 1.5 versions
> of user accounts included in kdc-data.ldif and typically end up at a
> "server not found in kerberos database (7)" error. This has come up on both
> Windows servers as well as Ubuntu servers with modified host and krb5.conf
> files. Additionally I have also been making sure to enable the
> 'keyDerivationInterceptor' as well as the Kerberos server itself and
> deleting/reimporting the user .ldif file to recreate the krb5 keys when
> necessary - although these steps are no longer included with the new 2.0.0
> documentation.
>
> Below is the .ldif for dc=example,dc=com that I have been basing most of my
> testing on. I've tried many small variations with the ldap and krbtgt
> principal names, however I have been unable to find one which works properly.
> In addition I have included a larger dump of the error message (as seen
> from my Windows server, although the Ubuntu one appears identical) below
> that - just in case.
>
> Thanks,
> Stephen
>
> dn: dc=example,dc=com
> objectClass: dcObject
> objectClass: organization
> objectClass: top
> dc: example
> o: example.com
>
> dn: ou=users,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: users
>
> dn: uid=hnelson,ou=users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: krb5principal
> objectClass: krb5kdcentry
> cn: Horatio Nelson
> sn: Nelson
> uid: hnelson
> userPassword: secret
> krb5PrincipalName: [email protected]
> krb5KeyVersionNumber: 0
>
> dn: uid=krbtgt,ou=users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: krb5principal
> objectClass: krb5kdcentry
> cn: KDC Service
> sn: Service
> uid: krbtgt
> userPassword: secret
> krb5PrincipalName: krbtgt/[email protected]
> krb5KeyVersionNumber: 0
>
> dn: uid=ldap,ou=users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: krb5principal
> objectClass: krb5kdcentry
> cn: LDAP
> sn: Service
> uid: ldap
> userPassword: secret
> krb5PrincipalName: ldap/[email protected]
> krb5KeyVersionNumber: 0
>
> ==========================================================
>
> Error while opening connection
>  - java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
> org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
>     at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
>     at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
>     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Unknown Source)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459)
>     ... 8 more
> Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3783)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463)
>     ... 11 more
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3693)
>     ... 13 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     ... 15 more
> Caused by: KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database
>     at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
>     at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
>     at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
>     ... 18 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>     ... 24 more
>
> java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
>
> Stephen Stroiazzo | Special Project Assistant | Information Technology | AIM Holding LP

-- 
Kiran Ayyagari
http://keydap.com
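The two config changes in the reply, plus the check they imply, as an added example (not code from this thread, from ApacheDS or from Apache Directory Studio): a small Python script that parses a KDC LDIF like the one posted, verifies that the principal named in ads-saslPrincipal is present as a krb5PrincipalName under ads-searchBaseDN (the lookup the KDC has to succeed at; when it does not, the client sees "Server not found in Kerberos database (7)"), also checks that the krbtgt/REALM@REALM principal the TGS needs is there, and emits the LDIF modify for the ldapServer config entry. The thread redacts the actual principal names, so the host name ldap.example.com and the realm EXAMPLE.COM below are assumptions, and the embedded LDIF is a constructed cut-down version of the posted entries.

```python
"""Added example, not from the mailing-list thread or from ApacheDS.

Checks that the SASL principal configured for GSSAPI binds exists as a
Kerberos principal under the configured search base, and prints the LDIF
modify that applies the two config changes from the reply.
"""

# Assumed values: the thread redacts the real principal names.
SASL_PRINCIPAL = "ldap/ldap.example.com@EXAMPLE.COM"
REALM = "EXAMPLE.COM"
LDAP_HOST = "ldap.example.com"
SEARCH_BASE = "ou=users,dc=example,dc=com"
CONFIG_DN = "ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config"

# Constructed sample KDC data, cut down from the posted LDIF with the
# assumed principal names filled in.
KDC_LDIF = """\
dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
uid: hnelson
krb5PrincipalName: hnelson@EXAMPLE.COM

dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
uid: krbtgt
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
uid: ldap
krb5PrincipalName: ldap/ldap.example.com@EXAMPLE.COM
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]}).

    Handles folded continuation lines (leading space) and '#' comments;
    base64 ('::') values are not decoded, which is fine for this check.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = (value, {})
        elif cur is not None:
            cur[1].setdefault(name, []).append(value)
    return entries


def dn_under(dn, base):
    """True if dn equals base or lies beneath it (case-insensitive)."""
    d = dn.lower().replace(", ", ",")
    b = base.lower().replace(", ", ",")
    return d == b or d.endswith("," + b)


def find_principal(entries, principal, base):
    """DN of the entry whose krb5PrincipalName is `principal` under base, else None."""
    for dn, attrs in entries:
        if dn_under(dn, base) and principal in attrs.get("krb5principalname", []):
            return dn
    return None


def missing_principals(entries, realm, host, base):
    """Principals a GSSAPI bind to ldap/<host> needs in the KDC database but
    which are absent under base: the TGT service and the LDAP service."""
    required = [f"krbtgt/{realm}@{realm}", f"ldap/{host}@{realm}"]
    return [p for p in required if find_principal(entries, p, base) is None]


def config_modify_ldif(search_base, sasl_principal, config_dn=CONFIG_DN):
    """LDIF 'changetype: modify' for the two changes named in the reply."""
    return (
        f"dn: {config_dn}\n"
        "changetype: modify\n"
        "replace: ads-searchBaseDN\n"
        f"ads-searchBaseDN: {search_base}\n"
        "-\n"
        "replace: ads-saslPrincipal\n"
        f"ads-saslPrincipal: {sasl_principal}\n"
        "-\n"
    )


def check(ldif_text=KDC_LDIF, search_base=SEARCH_BASE, sasl_principal=SASL_PRINCIPAL):
    """DN holding the SASL principal under the search base, or None if the
    KDC would answer 'Server not found in Kerberos database'."""
    return find_principal(parse_ldif(ldif_text), sasl_principal, search_base)


if __name__ == "__main__":
    entries = parse_ldif(KDC_LDIF)
    print("SASL principal entry:", check())
    print("missing:", missing_principals(entries, REALM, LDAP_HOST, SEARCH_BASE))
    print(config_modify_ldif(SEARCH_BASE, SASL_PRINCIPAL))
```

The printed LDIF can be applied with a standard ldapmodify client against the config partition, for example `ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f fix-config.ldif` assuming ApacheDS's default port and admin DN, followed by the restart the reply asks for. Checking the search base matters as much as the principal name: an ldap/... entry that exists but sits outside ads-searchBaseDN fails the same way as one that does not exist.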
