Need Help on kinit authentication.

Predrag Zecevic [Unix Systems Administrator] predrag.zecevic@2e-systems.com
Thu Mar 15 03:07:41 EDT 2012


Hi,

If you have enabled a password policy, you might try sending the krb 
key/password in clear text (using the secure port, of course).

We had such a problem with 389-DS and a PHP application. The solution was:
a) make LDAP listen only on the secure port
b) the application sends the clear-text password over the secure connection

Regards.

On 14.03.2012 18:48, Rajeswari Ramasamy wrote:
> Hi,
>
> Thanks for the quick reply.
>
> There is no issue with the command line interface. But I am trying to add into OpenLDAP using Java code without using any of the KDC commands.
>
> Thanks
> Rajeswari
>
> On Mar 14, 2012, at 9:19 PM, Predrag Zecevic [Unix Systems Administrator] wrote:
>
>> Hi,
>>
>> What is wrong with the command line interface?
>>
>> kadmin -p root/admin \
>> -q "change_password -pw $newPassword testuser@EXAMPLE.COM"
>>
>> P.S. We are using Kerberos 5 1.9 and 389-DS as backend and that works.
>>
>> Regards.
>>
>> On 14.03.2012 11:46, Rajeswari Ramasamy wrote:
>>>
>>> Hi,
>>>
>>>
>>> I am using krb5-1.10.1 with OpenLDAP in the backend. I am able to add principals using addprinc and authenticate using kinit.
>>> But if I use the Apache DS APIs to create a principal in OpenLDAP and authenticate using kinit, the following error occurs:
>>>
>>> krb5kdc[32478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT: testuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
>>> unable to decode stored principal key data (ASN.1 identifier doesn't match expected value)
>>>
>>> To do kinit authentication in Kerberos, how do I encode the krbPrincipalKey before writing it into OpenLDAP using the ApacheDS API? Could anyone help with this issue?
>>>
>>>
>>> The krb5.conf has the following entry for encryption.
>>>
>>> [libdefaults]
>>>         ticket_lifetime = 600
>>>         default_realm = EXAMPLE.COM
>>>         default_tgs_enctypes = des3-hmac-sha1 des-cbc-md5
>>>         default_tkt_enctypes = des3-hmac-sha1 des-cbc-md5
>>>         allow_weak_crypto = true
>>>
>>>
>>>
>>> Thanks
>>> Rajeswari
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>

-- 
Predrag Zečević, Technical Support Analyst, 2e Systems GmbH

Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile:    +49  174 3109 288,     Skype: predrag.zecevic
E-mail:    predrag.zecevic at 2e-systems.com

Headquarter:          2e Systems GmbH, Königsteiner Str. 87,
                       65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director:    Phil Douglas

http://www.2e-systems.com/ - Making your business fly!

[***]===---
So far we've managed to avoid turning Perl into APL. :-) -- Larry Wall 
in <199702251904.LAA28261 at wall.org>
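The KDC error quoted in the thread ("ASN.1 identifier doesn't match expected value") is the KDC's decoder rejecting the first tag it sees in krbPrincipalKey. The following script is an added example, not code from the thread, from MIT krb5, or from ApacheDS. It encodes the KrbKeySet structure that MIT krb5's LDAP backend expects in that attribute (the ASN.1 module from plugins/kdb/ldap/libkdb_ldap/ldap_key_seq.c, with EXPLICIT context tags), and walks a DER blob the same way the KDC starts decoding it, so you can compare an attribute value written by addprinc with one written by your own LDAP client. Assumptions: the `keyvalue` octet string carries the key as the KDC stores it, already encrypted under the KDB master key; that encryption is out of scope here, and the key bytes below are a constructed placeholder. Salt type 0 is taken to be the default salt (realm plus principal name, not stored), and enctype 18 is aes256-cts-hmac-sha1-96; `check_krbkeyset` and `parse_kvno` are names chosen for this example.

```python
"""Build and inspect the DER KrbKeySet stored in MIT krb5's krbPrincipalKey.

Structure (from MIT krb5 ldap_key_seq.c; all context tags are EXPLICIT):

    KrbKeySet ::= SEQUENCE {
        attribute-major-vno [0] UInt16,
        attribute-minor-vno [1] UInt16,
        kvno                [2] UInt32,
        mkvno               [3] UInt32 OPTIONAL,
        keys                [4] SEQUENCE OF KrbKey }
    KrbKey ::= SEQUENCE {
        salt      [0] KrbSalt OPTIONAL,
        key       [1] EncryptionKey,
        s2kparams [2] OCTET STRING OPTIONAL }
    KrbSalt ::= SEQUENCE { type [0] Int32, salt [1] OCTET STRING OPTIONAL }
    EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }

ASSUMPTION: keyvalue is the master-key-encrypted key exactly as the KDC stores
it; this example does not perform that encryption and uses placeholder bytes.
"""
from typing import List, Optional, Tuple


# ---- minimal DER encoder ---------------------------------------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    # INTEGER: minimal two's-complement, so 128 encodes as 00 80
    if v == 0:
        return der_tlv(0x02, b"\x00")
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_octets(b: bytes) -> bytes:
    return der_tlv(0x04, b)


def der_seq(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))


def der_ctx(n: int, inner: bytes) -> bytes:
    # EXPLICIT [n]: constructed context-specific tag wrapping a full TLV
    return der_tlv(0xA0 | n, inner)


def encode_krbkeyset(kvno: int, mkvno: int,
                     keys: List[Tuple[int, bytes, int, Optional[bytes]]]) -> bytes:
    """keys: (enctype, master-key-encrypted keyvalue, salttype, salt bytes or None)."""
    krbkeys = []
    for enctype, keyvalue, salttype, salt in keys:
        salt_parts = [der_ctx(0, der_int(salttype))]
        if salt is not None:
            salt_parts.append(der_ctx(1, der_octets(salt)))
        enckey = der_seq(der_ctx(0, der_int(enctype)), der_ctx(1, der_octets(keyvalue)))
        krbkeys.append(der_seq(der_ctx(0, der_seq(*salt_parts)), der_ctx(1, enckey)))
    return der_seq(
        der_ctx(0, der_int(1)),       # attribute-major-vno
        der_ctx(1, der_int(1)),       # attribute-minor-vno
        der_ctx(2, der_int(kvno)),
        der_ctx(3, der_int(mkvno)),
        der_ctx(4, der_seq(*krbkeys)),
    )


# ---- minimal DER walker (the diagnostic half) ------------------------------
def der_walk(data: bytes, depth: int = 0) -> List[Tuple[int, int, bytes]]:
    """Flatten DER into (depth, tag, primitive body); constructed nodes carry b''."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]; i += 1
        if i >= len(data):
            raise ValueError("truncated length")
        length = data[i]; i += 1
        if length & 0x80:
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad length")
            length = int.from_bytes(data[i:i + n], "big"); i += n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated value")
        i += length
        if tag & 0x20:                       # constructed: descend
            out.append((depth, tag, b""))
            out.extend(der_walk(body, depth + 1))
        else:
            out.append((depth, tag, body))
    return out


# What the KDC must see first: SEQUENCE, then [0] INTEGER, [1] INTEGER, [2] INTEGER
EXPECTED_HEAD = [(0, 0x30), (1, 0xA0), (2, 0x02), (1, 0xA1), (2, 0x02), (1, 0xA2), (2, 0x02)]


def check_krbkeyset(der: bytes) -> Tuple[bool, str]:
    try:
        nodes = der_walk(der)
    except ValueError as e:
        return False, f"not valid DER: {e}"
    head = [(d, t) for d, t, _ in nodes[:len(EXPECTED_HEAD)]]
    if head != EXPECTED_HEAD:
        return False, "ASN.1 identifier doesn't match expected value: " + \
            ", ".join(f"{hex(t)}@{d}" for d, t in head)
    return True, "KrbKeySet header OK"


def parse_kvno(der: bytes) -> int:
    nodes = der_walk(der)                    # nodes[6] is the INTEGER inside [2]
    return int.from_bytes(nodes[6][2], "big", signed=True)


if __name__ == "__main__":
    placeholder_enc_key = bytes(34)          # CONSTRUCTED: not a real encrypted key
    good = encode_krbkeyset(kvno=1, mkvno=1, keys=[(18, placeholder_enc_key, 0, None)])
    print(good.hex())
    print(check_krbkeyset(good))             # header OK, kvno 1
    # What an LDAP client that writes only the key bytes as one OCTET STRING produces:
    print(check_krbkeyset(der_octets(placeholder_enc_key)))
```

To compare with a principal created by addprinc, fetch the attribute with `ldapsearch ... krbPrincipalKey` (it comes back base64-encoded), decode it, and run `check_krbkeyset` over it and over the value your client wrote; the walker output shows exactly where the tag sequence diverges. Even with the framing right, the KDC will not accept a key that is not encrypted under its master key, which is why the thread's advice to let kadmin (or a cleartext bind over TLS) set the password is the practical route.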

