From ad91c08e0c56981b9dbf3459ca23c1cbe349e7c1 Mon Sep 17 00:00:00 2001
From: Ludovic Poitou <ludovic.poitou@forgerock.com>
Date: Thu, 08 Dec 2011 09:27:59 +0000
Subject: [PATCH] Fix for OPENDJ-377 - Kerberos authentication with AD KDC fails with LoginException(Client not found in Kerberos database (6)). Add the isInitiator=false option to the JAAS configuration for Kerberos/GSSAPI. When set to false, it indicates that we are accepting GSSContexts, not initiating them. On a server, it prevents Kerberos from verifying that the server's principal name is actually an account in the KDC (which it isn't, since the server's principal name should be a service principal).
---
opendj-sdk/opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java b/opendj-sdk/opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java
index d6da565..2c30316 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java
@@ -345,7 +345,7 @@
w.write(principal.toString());
Message msg = INFO_GSSAPI_PRINCIPAL_NAME.get(principal.toString());
logError(msg);
- w.write("\";");
+ w.write("\" isInitiator=false;");
w.newLine();
w.write("};");
w.newLine();
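Review bot: The new literal `"\" isInitiator=false;"` fuses the closing quote of the principal value with an unrelated login-module option, and nothing at this site says why the option is there. Consider splitting it into `w.write("\"");` and `w.write(" isInitiator=false;");`, with a comment such as `// Acceptor-only: the server never initiates GSS contexts, so skip the KDC client lookup that fails for a service principal (OPENDJ-377)`. With the initial KDC exchange gone, a wrong principal or keytab is presumably no longer caught when the JAAS login runs and would surface only when a client first binds, so a startup check or a log hint may be worth adding. Separately, the context lines write `principal.toString()` between quotes unescaped; if that value can ever contain a `"`, it should be validated or escaped so it cannot alter the generated JAAS entry. The enclosing method starts and ends outside the hunk.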
--
Gitblit v1.10.0