[lsc-users] GSSAPI configuration [solved]

Franck.Rakotonindrainy at fresenius-kabi.com Franck.Rakotonindrainy at fresenius-kabi.com
Mon Jun 22 06:55:19 CEST 2015


Thank you Clément for your answer.

It actually works with GSSAPI! I managed to configure it correctly by 
following the howto described by Francesco Malvezzi on the list:
http://lists.lsc-project.org/pipermail/lsc-users/2013-December/001687.html
I think it would be interesting to add his info to the official 
documentation; GSSAPI is interesting in that you don't need to store your 
admin password in the file.

One point I have noted for GSSAPI is that it doesn't seem to understand all 
the content of the krb5.{conf,ini}, so the name of the server defined as URL 
in the lsc.xml must match exactly one ticket you have in your list (it 
doesn't seem to handle aliases, but I am very new to Kerberos so I might 
have missed some point).

In my case, I also had to create a soft link (krb5.ini) to /etc/krb5.conf 
in the directory I was working in! (Why the hell does it need a krb5.ini!? 
There must be some CLI parameter or env variable to tell Java to use the 
standard /etc/krb5.conf.)

These Java debug toggles helped me a lot:
     -Dsun.security.jgss.debug=true
     -Dsun.security.krb5.debug=true



As Clément indicates, I can also use ldaps to change passwords in AD. 
But I had to fight a little to understand how to store the AD cert(s) in 
the Java trust store.

First I had to convert the DER certificate coming from AD to a PEM 
certificate:
    openssl x509 -inform der -in dc.crt -out dc.pem

then store it in Java's trustcacerts:
    keytool -import -trustcacerts -keystore /usr/lib/jvm/java-7-openjdk-i386/jre/lib/security/cacerts -storepass changeit -noprompt -alias DC -file dc.pem


Another point is:
        <URL>ldaps://...</URL>
and
        <tlsActivated>true</tlsActivated>
are mutually exclusive: either ldaps alone or TLS alone works.
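As an added example (not code from the lsc-project or from anyone on this thread), the shell helpers below cover the three GSSAPI points raised above: they write a JAAS login configuration that makes Krb5LoginModule reuse the ticket cache filled by kinit (so no admin password sits in an LSC file), they build the JVM properties that point Java at that JAAS file and at /etc/krb5.conf (so no krb5.ini copy is needed in the working directory), and they derive from the lsc.xml <URL> the service principal ldap/<host>@REALM that has to exist as an SPN and show up as a ticket in klist. The JAAS entry name org.lsc.jndi.JndiServices is taken from the "No LoginModule configured for org.lsc.jndi.JndiServices" error quoted further down in the thread; the realm MY.AD.COM, the file paths and the klist text used by the check are assumed placeholders.

```shell
# Added example for the GSSAPI setup discussed in the thread; not code
# from the lsc-project. Assumptions: the JAAS entry name comes from the
# "No LoginModule configured for org.lsc.jndi.JndiServices" error quoted
# in the thread; realm, file paths and klist output are placeholders.
set -eu

# JAAS file: let Krb5LoginModule reuse the ticket cache filled by kinit and
# never prompt, so a missing/expired ticket fails fast instead of hanging
# on a password prompt, and no admin password is stored in any LSC file.
write_jaas_conf() {
    out="$1"
    cat > "$out" <<'EOF'
org.lsc.jndi.JndiServices {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true
        renewTGT=true;
};
EOF
    printf '%s\n' "$out"
}

# JVM properties: the JAAS file, the system krb5.conf (instead of a krb5.ini
# symlink in the working directory) and the two debug toggles from the thread.
java_opts() {
    jaas="$1"; krb5="${2:-/etc/krb5.conf}"
    printf -- '-Djava.security.auth.login.config=%s -Djava.security.krb5.conf=%s -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true' "$jaas" "$krb5"
}

# Host part of the <URL> in lsc.xml (scheme, port and base DN stripped).
url_host() {
    h="${1#*://}"; h="${h%%/*}"; printf '%s' "${h%%:*}"
}

# Service principal the JDK's GSSAPI SASL client asks for: ldap/<host as
# written in the URL>@REALM. As observed in the thread, aliases are not
# resolved for you, so exactly this name must exist as an SPN in AD and
# hence as a service ticket in klist.
expected_spn() {
    printf 'ldap/%s@%s' "$(url_host "$1")" "$2"
}

# Look for that SPN in klist output passed in as text, e.g.
#   has_service_ticket "$(expected_spn "$url" MY.AD.COM)" "$(klist)"
has_service_ticket() {
    printf '%s\n' "$2" | grep -Fq -- "$1"
}

# Typical sequence (placeholders): kinit adm@MY.AD.COM, then
#   JAAS=$(write_jaas_conf /etc/lsc/gsseg_jaas.conf)
#   has_service_ticket "$(expected_spn "ldaps://dc1.my.ad.com/DC=my,DC=ad,DC=com" MY.AD.COM)" "$(klist)"
#   JAVA_OPTS="$(java_opts "$JAAS")"   # if your lsc start script honours JAVA_OPTS
```

Run kinit as the account LSC binds with before starting LSC; with doNotPrompt=true an absent or expired TGT surfaces as a LoginException instead of a hang. Whether the lsc start script picks up JAVA_OPTS is an assumption to check against your installed launcher; the two -D properties themselves are standard JDK properties.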





From:   Clément OUDOT <clem.oudot at gmail.com>
To:     Franck.Rakotonindrainy at fresenius-kabi.com, 
Cc:     lsc-users <lsc-users at lists.lsc-project.org>
Date:   20/06/2015 22:45
Subject:        Re: [lsc-users] GSSAPI configuration



2015-06-18 12:11 GMT+02:00  <Franck.Rakotonindrainy at fresenius-kabi.com>:
> Hello,
>
> I am trying to migrate accounts from OpenLDAP to AD but it appears that
> our AD won't set the user password through a SIMPLE authentication login.
> If I use the resulting LDIF with ldapadd and -Y GSSAPI it works.
> So I am wondering how to configure the AD connection in lsc.xml to use
> GSSAPI instead of SIMPLE.
>
> First I had a message about gsseg_jaas.conf
> so I created one ... but I don't know what to put in it
>
> now I have another error message :
>
>
> Jun 18 11:50:29 - INFO  - LSC configuration successfully loaded from
> /etc/lsc/openldap2ad/
> javax.security.auth.login.LoginException: No LoginModule configured for
> org.lsc.jndi.JndiServices
>         at javax.security.auth.login.LoginContext.init(LoginContext.java:272)
>         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:425)
>         at org.lsc.jndi.JndiServices.getLdapProperties(JndiServices.java:358)
>         at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:465)
>         at org.lsc.jndi.AbstractSimpleJndiService.<init>(AbstractSimpleJndiService.java:176)
>         at org.lsc.jndi.SimpleJndiDstService.<init>(SimpleJndiDstService.java:98)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>         at org.lsc.Task.<init>(Task.java:117)
>         at org.lsc.SimpleSynchronize.init(SimpleSynchronize.java:104)
>         at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:154)
>         at org.lsc.Launcher.run(Launcher.java:223)
>         at org.lsc.Launcher.launch(Launcher.java:158)
>         at org.lsc.Launcher.main(Launcher.java:141)
> Jun 18 11:50:29 - INFO  - Connecting to LDAP server
> ldap://my.ad.com/DC=my,DC=ad,DC=com
> CN=ADM,ou=AdminUsers,ou=FR,DC=my,DC=ad,DC=com
> Jun 18 11:50:30 - ERROR - Error opening the LDAP connection to the
> destination! (javax.naming.AuthenticationException: GSSAPI [Root exception
> is javax.security.sasl.SaslException: Failure to initialize security context
> [Caused by GSSException: Invalid name provided (Mechanism level: Cannot
> locate default realm)]])
> Jun 18 11:50:30 - ERROR - org.lsc.exception.LscConfigurationException:
> Configuration exception: javax.naming.AuthenticationException: GSSAPI [Root
> exception is javax.security.sasl.SaslException: Failure to initialize
> security context [Caused by GSSException: Invalid name provided (Mechanism
> level: Cannot locate default realm)]]
>
>
> Can you please let me know if it is possible to use Kerberos auth for
> the update and how to configure it?



Hi,

I think we never tried to use GSSAPI to authenticate to LDAP. The
documentation mentions it
(http://lsc-project.org/wiki/documentation/latest/configuration/connections/ldap)
but I'm not sure it works.


To update a password in AD, you need to use LDAPS. See also
http://lsc-project.org/wiki/documentation/howto/activedirectory#password_synchronization



Clément.
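As an added example (not the lsc-project's code, and not part of either message), the shell helpers below do the LDAPS trust setup from Franck's reply in a way that survives JDK package upgrades: the DER export from AD is converted to PEM, its subject is checked against the host used in lsc.xml, and it is imported into a dedicated truststore that LSC's JVM is pointed at with -Djavax.net.ssl.trustStore, rather than into the JDK's own cacerts file where the next openjdk package update can overwrite it. The store path, its password, the host names and the certificate file names are assumptions.

```shell
# Added example, not the lsc-project's code: trust the AD domain
# controller certificate for ldaps:// from a dedicated Java truststore
# instead of $JAVA_HOME/jre/lib/security/cacerts.
# Assumptions: dc.crt is the DER export from AD as in the thread; store
# path, store password and host names are placeholders.
set -eu

# AD exports DER; openssl and keytool are both happy with PEM.
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2"
    printf '%s\n' "$2"
}

# Subject of the certificate, to compare with the host in lsc.xml's <URL>:
# if the name does not match, the handshake fails even with the cert trusted.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Import into a dedicated store (created on first import). Leaving the JDK's
# cacerts untouched means a JDK package upgrade cannot silently drop the DC
# certificate and break password synchronisation.
import_cert() {
    keytool -importcert -noprompt -trustcacerts \
        -alias "$1" -file "$2" -keystore "$3" -storepass "$4"
}

# Exit status 0 if the alias is present in the store.
store_has_alias() {
    keytool -list -keystore "$2" -storepass "$3" -alias "$1" >/dev/null 2>&1
}

# JVM properties that make the ldaps:// connection validate against that
# store. The thread's finding still applies: use <URL>ldaps://...</URL>
# or <tlsActivated>true</tlsActivated>, not both.
truststore_java_opts() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' "$1" "$2"
}

# Typical sequence (placeholders):
#   pem=$(der_to_pem dc.crt dc.pem)
#   cert_subject "$pem"                       # must name dc1.my.ad.com
#   import_cert DC "$pem" /etc/lsc/ad-truststore.jks changeit
#   store_has_alias DC /etc/lsc/ad-truststore.jks changeit && echo trusted
#   JAVA_OPTS="$(truststore_java_opts /etc/lsc/ad-truststore.jks changeit)"
# Independent check of the DC's TLS endpoint before involving Java:
#   openssl s_client -connect dc1.my.ad.com:636 -CAfile dc.pem </dev/null
```

If the DC certificate is issued by an internal CA, import the CA certificate (the chain root) rather than the leaf, so a renewed DC certificate keeps working without another import. The truststore password protects the store's integrity only, not confidentiality, so the default changeit is no worse than any other value; what matters is that the store file is writable only by the account that runs LSC.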


