mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

Ludovic Poitou
08.27.2011 ad91c08e0c56981b9dbf3459ca23c1cbe349e7c1
Fix for OPENDJ-377 - Kerberos authentication with AD KDC fails with LoginException(Client not found in Kerberos database (6))
Add the isInitiator=false option in the JAAS configuration for Kerb/GSS. When set to false it indicates that we're accepting GSSContexts, not initiating them. On a server, it prevents Kerb from verifying that the server's principal name is actually an account in the KDC (which it isn't since the server's principal name should be a service principal).
1 files modified
opendj-sdk/opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java
@@ -345,7 +345,7 @@
    w.write(principal.toString());
    Message msg = INFO_GSSAPI_PRINCIPAL_NAME.get(principal.toString());
    logError(msg);
    w.write("\";");
    w.write("\" isInitiator=false;");
    w.newLine();
    w.write("};");
    w.newLine();
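Review bot: The added `w.write("\" isInitiator=false;");` line has no comment explaining why the option is written, and it folds the closing quote of the principal value into the same literal as the new option, which makes the generated JAAS entry harder to read back from the code. Consider a short comment above it saying that the server only accepts GSS contexts and so must not try to authenticate its service principal to the KDC as a client, and consider writing the closing quote and the ` isInitiator=false;` option as separate writes. The option is also emitted unconditionally: with `isInitiator=false` the Krb5 login module only loads the acceptor keys and does not obtain a TGT, so it is worth confirming that nothing else uses this generated login entry to initiate a context.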