
I am tasked with setting up an ApacheDS 2.0.0 LDAP + Kerberos (including KDC) server for use in our testing environment. I followed this guide, but am unable to successfully authenticate with my LDAP server using Kerberos as per the final step on that page.

I am using Apache Directory Studio

When I have "Require Pre-Authentication By Encrypted TimeStamp" checked, I get the error: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)

When I uncheck that field and restart the server, I get: javax.security.auth.login.LoginException: Checksum Failed

I am sure the username and password I am supplying are correct. What could be the problem? Has anyone successfully set up ApacheDS 2.0.0 with Kerberos? Is there a guide I should be following somewhere?

It seems the folks over at ApacheDS have yet to document configuration of their Kerberos server.

Here is my users.ldif:

version: 1
dn: uid=krbtgt,ou=services,dc=security,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: krb5KDCEntry
objectClass: uidObject
objectClass: krb5Principal
krb5KeyVersionNumber: 0
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
ou: LDAP
uid: krbtgt
krb5Key:: MCGgAwIBEKEaBBjHVICYy3C2UuxkitpXRnZ8PVj4TGgN3xA=
krb5Key:: MBmgAwIBF6ESBBCpxZ7JnL7bycwis7pjrB+1
krb5Key:: MBmgAwIBEaESBBCv2PO7KtoerG8VJaCjGPQD
krb5Key:: MBGgAwIBA6EKBAiXyA7xg0OSzQ==
userPassword:: e1NTSEF9WWVWeFJ5cXBJVVQrT1Mva3l6ZForSU5IajBKT1RXdGNBaWdLR0E9P
 Q==

dn: ou=services,dc=security,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: services

dn: uid=jsmith,ou=users,dc=security,dc=example,dc=com
objectClass: top
objectClass: krb5KDCEntry
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: person
objectClass: organizationalPerson
cn: John Smith
krb5KeyVersionNumber: 1
krb5PrincipalName: jsmith@EXAMPLE.COM
sn: Smith
krb5Key:: MCGgAwIBEKEaBBh/3/6FzQdeRS+/Sssvg7Xyrr96B3lewT4=
krb5Key:: MBmgAwIBF6ESBBCynaCNjbAxJwdWfXMcALRn
krb5Key:: MBmgAwIBEaESBBBMzkq2olx6fnakVd8zcle3
krb5Key:: MBGgAwIBA6EKBAhdv8v9esiwbQ==
uid: jsmith
userPassword:: e2NyeXB0fXJWOFlyaTlTR2tsYWs=

dn: ou=users,dc=security,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: uid=ldap,ou=services,dc=security,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: krb5KDCEntry
objectClass: uidObject
objectClass: krb5Principal
krb5KeyVersionNumber: 0
krb5PrincipalName: ldap/example.net@EXAMPLE.COM
ou: TGT
uid: ldap
krb5Key:: MCGgAwIBEKEaBBioosfqqw3pVAsaLNC12rws8vICSX9kouk=
krb5Key:: MBmgAwIBF6ESBBCXJFfXz9ORAGaUrSCHGzoN
krb5Key:: MBmgAwIBEaESBBA+pN1ipA5mPjNSLYBbuKgy
krb5Key:: MCmgAwIBEqEiBCBCxVPVFGb6miec+4ztUuMilATQNemHh+gxT+KmsqN1RQ==
krb5Key:: MBGgAwIBA6EKBAhMCxySpE8O9w==
userPassword:: e1NTSEF9YUZEazF6bnZyZFVscVFhbEpxc3dIUDBpRlJ4QysyZkUxK2RaZUE9P
 Q==

dn: dc=security,dc=example,dc=com
objectClass: top
objectClass: domain
dc: security

dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example
Reid-o
  • I am using ApacheDS 2.0.0 on Windows 7. – Reid-o Apr 21 '14 at 19:10
  • Please note: SO wouldn't allow me to post my config.ldif because it would make the post more than 30k chars. – Reid-o Apr 21 '14 at 19:30
  • As far as a server config.ldif, it is the default config for an ApacheDS 2.0.0 server, but with Kerberos enabled and the correct search DNs specified. I'm just trying to follow the only guide available on the ApacheDS web page. – Reid-o Apr 21 '14 at 23:38
  • I am facing a similar issue. Did you find any solution? – niksvp Apr 30 '14 at 10:01
  • I have not found any guide. About the only thing that gets me even remotely close to success is to check out the code, build it, and debug. Stepping through the code, although tedious, is the best way to understand how the ApacheDS KDC should be configured. I think once I get a KDC up-and-running, I'll write a blog post or even perhaps commit some documentation to the ApacheDS project. – Reid-o May 05 '14 at 19:17
  • I have the same problem, even the below link doesn't provide any UG http://directory.apache.org/apacheds/kerberos-ug/2.2-ldap-server-config.html :( – Dinesh Kumar P Nov 25 '14 at 07:13
  • Hi, did you find the solution? I am having the same problem in Windows 8. – Kumar Mar 06 '15 at 05:54
  • I never found a solution. I emailed the folks on the ApacheDS team and also submitted a question on their mailing list, but I haven't heard anything back. – Reid-o Apr 11 '15 at 02:20
  • No update on this? Driving me crazy... – Charles Dec 17 '15 at 09:51

4 Answers


Please provide version details and the server's config.ldif as well.

P.S.: posting these details to the ApacheDS user mailing list will help get a quick response, because here I am the only one monitoring SO.

kayyagari
  • I have posted my question to the mailing list, though I have not received any response. Is the ApacheDS project still alive? I find it difficult to imagine having any industry buy-in when there aren't any documents to support the core advertised features. – Reid-o May 05 '14 at 19:18
  • I don't think your mail got through the mailing list gateway; can you send it again? – kayyagari May 07 '14 at 05:19
  • Currently there is an issue with the mail delivery server at Apache, that explains why I haven't seen your mail. Expect a reply as soon as we get the mail. – kayyagari May 08 '14 at 16:03
  • I still haven't heard anything back. Is ApacheDS a live project? – Reid-o Apr 11 '15 at 02:21
  • Hi Kayyagari, do you know the solution for this issue? I am also getting the same error. I sent a mail to the ApacheDS mailing list, but there was no response. Can you please help me fix this issue? – siva Jun 20 '16 at 05:23

I have struggled with exactly the same error using Apache 2.0.0-M17 on Windows 7 with Java 1.7.0_60. Finally I managed to overcome this by using a plain text password instead of a password hash. I tried different password hashing algorithms but none of them worked, so finally I gave up and used plain text passwords.

Regards,
Detelin


I have exactly the same problem too, with JDK8 on Windows 7 and running the Studio on Eclipse Luna. The Apache DS documentation is lacking, with many pages marked "TODO", and searches in forums etc. have not led to much progress apart from a hint that perhaps it works the way the guide explains, but only in Linux environments and not in Windows? If you have any further news regarding this, please post it here.


It seemed the problem was caused by the password setting for the user. When setting the password, please use "Plain Text" rather than other hash algorithms. The password hash interceptor will SSHA-hash it by default.

If this couldn't resolve your problem please let me know.

Jared
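Both Detelin's and Jared's answers above point at hashed userPassword values. As an added check (not code from the question, the answers or ApacheDS), this script decodes the userPassword attribute of every krb5KDCEntry in an LDIF file and lists the ones stored with a {SCHEME} hash prefix, like the base64-encoded {crypt} value for jsmith in the question's users.ldif. The sample LDIF is constructed for the example.

```python
import base64
import re
# Constructed sample LDIF modelled on the question's users.ldif (not the original
# file): jsmith stores a {crypt} hash as a base64 '::' value, plain is cleartext.
SAMPLE_LDIF = """dn: uid=jsmith,ou=users,dc=security,dc=example,dc=com
objectClass: krb5KDCEntry
objectClass: inetOrgPerson
krb5PrincipalName: jsmith@EXAMPLE.COM
userPassword:: e2NyeXB0fXJWOFlyaTlTR2tsYWs=

dn: uid=plain,ou=users,dc=security,dc=example,dc=com
objectClass: krb5KDCEntry
krb5PrincipalName: plain@EXAMPLE.COM
userPassword: secret
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9_-]+\}")   # e.g. {SSHA}, {crypt}

def parse_ldif(text):
    """Entries as dicts of lowercase attribute -> values; unfolds continuation lines and decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF line folding
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing blank flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif m := ATTR_LINE.match(line):
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value)
    return entries

def hashed_kdc_passwords(text):
    """(principal, scheme) for each krb5KDCEntry whose userPassword holds a {SCHEME} hash."""
    findings = []
    for e in parse_ldif(text):
        if "krb5kdcentry" in {c.lower() for c in e.get("objectclass", [])}:
            for pw in e.get("userpassword", []):
                if m := HASH_PREFIX.match(pw):
                    findings.append((e.get("krb5principalname", ["?"])[0], m.group(0)))
    return findings
```

Run `hashed_kdc_passwords(open("users.ldif").read())` against an export of the KDC partition; any principal it lists was loaded with a pre-hashed password rather than the plain-text value the answers recommend.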