If the Kerberos installation does not perform as expected, check the following conditions:
Perform a successful kinit using the test principal from the directory server machine to make sure that the directory server can authenticate to the Kerberos KDC.
Perform a successful kinit using the test principal from the client machines to make sure that the client machines can authenticate to the Kerberos KDC.
Make sure that the directory server's keytab file exists and is readable by the directory server. That is, make sure that the keytab file's ownership and permission settings are correct.
Make sure that the LDAP principal name in the OpenDS keytab file matches the hostname that the directory server used when it was configured. The following example shows a configuration that fails:
Configure GSSAPI as shown below. The value specified for the server-fqdn attribute, bad.example.com, does not match the value used in creating the keytab, directory.example.com.
$ dsconfig -X -n -p 4444 -h directory.example.com \
  -D "cn=directory manager" -w password \
  set-sasl-mechanism-handler-prop \
  --handler-name GSSAPI \
  --set enabled:true \
  --set keytab:/opt/opends/config/opends.keytab \
  --set server-fqdn:bad.example.com
From a client, attempt an ldapsearch that authenticates using GSSAPI.
$ ldapsearch -h directory.example.com \
  -o mech=GSSAPI -o authid=kerberos-test@EXAMPLE.COM \
  --searchScope base \
  -b "uid=kerberos-test,ou=people,dc=example,dc=com" "(objectclass=*)"
An error occurred while attempting to perform GSSAPI authentication to the Directory Server: \
PrivilegedActionException(AccessController.java:-2)
Result Code: 82 (Local Error)
The search fails as expected.
To determine the cause of the search failure, inspect the directory server's access log:
$ tail opends/logs/access
[23/Mar/2009:13:12:59 -0500] CONNECT conn=14 from=129.150.33.77:65076 to=192.168.0.199:1389 protocol=LDAP
[23/Mar/2009:13:13:00 -0500] BIND REQ conn=14 op=0 msgID=1 type=SASL mechanism=GSSAPI dn=""
[23/Mar/2009:13:13:00 -0500] BIND RES conn=14 op=0 msgID=1 result=49 authFailureID=1310915 authFailureReason="An unexpected error occurred while trying to create an GSSAPI context: major code (13) No valid credentials provided, minor code (-1) Failed to find any Kerberos Key" etime=253
[23/Mar/2009:13:13:00 -0500] DISCONNECT conn=14 reason="Client Disconnect"
The minor-code message in the last BIND RES record of the access log ("Failed to find any Kerberos Key") shows that the directory server could not find a matching key for its service principal in the keytab file.
To fix the situation, disable the handler and then re-enable it with the correct information, as shown in the following example.
$ dsconfig -X -n -p 4444 -h directory.example.com \
  -D "cn=directory manager" -w password \
  set-sasl-mechanism-handler-prop \
  --handler-name GSSAPI \
  --set enabled:false

$ dsconfig -X -n -p 4444 -h directory.example.com -D "cn=directory manager" -w password \
  set-sasl-mechanism-handler-prop \
  --handler-name GSSAPI \
  --set enabled:true \
  --set keytab:/opt/opends/config/opends.keytab \
  --set server-fqdn:directory.example.com

$ ldapsearch -h directory.example.com \
  -o mech=GSSAPI \
  -o authid=kerberos-test@EXAMPLE.COM \
  --searchScope base \
  -b "uid=kerberos-test,ou=people,dc=example,dc=com" "(objectclass=*)"
dn: uid=kerberos-test,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: kerberos-test
givenName: Kerberos
sn: Test
cn: Kerberos Test
description: An account for testing Kerberos authentication through GSSAPI
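The two checks in this procedure, verifying that the keytab holds an ldap/<server-fqdn> principal and spotting failed GSSAPI binds in the access log, can be scripted. The following is an added example, not part of the OpenDS documentation or code base; it assumes the standard MIT Kerberos `klist -k` listing format and the access-log record format shown above, and both sample inputs below are constructed for the example.

```python
import re

# Constructed sample of `klist -k /opt/opends/config/opends.keytab` output (MIT format).
KLIST_OUTPUT = """\
Keytab name: FILE:/opt/opends/config/opends.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/directory.example.com@EXAMPLE.COM
"""

# Constructed access-log excerpt in the OpenDS record format shown in the procedure.
ACCESS_LOG = """\
[23/Mar/2009:13:12:59 -0500] CONNECT conn=14 from=129.150.33.77:65076 to=192.168.0.199:1389 protocol=LDAP
[23/Mar/2009:13:13:00 -0500] BIND REQ conn=14 op=0 msgID=1 type=SASL mechanism=GSSAPI dn=""
[23/Mar/2009:13:13:00 -0500] BIND RES conn=14 op=0 msgID=1 result=49 authFailureID=1310915 authFailureReason="An unexpected error occurred while trying to create an GSSAPI context: major code (13) No valid credentials provided, minor code (-1) Failed to find any Kerberos Key" etime=253
[23/Mar/2009:13:13:00 -0500] DISCONNECT conn=14 reason="Client Disconnect"
"""


def keytab_has_ldap_principal(klist_output, server_fqdn):
    """True if the keytab listing contains a key for ldap/<server_fqdn>@<REALM>.

    The host part is compared case-insensitively; the realm is not checked.
    Entry lines look like '   3 ldap/host@REALM' (KVNO, then principal).
    """
    wanted = "ldap/" + server_fqdn.lower() + "@"
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1].lower().startswith(wanted):
            return True
    return False


REQ_RE = re.compile(r'BIND REQ conn=(\d+) op=(\d+) .*?type=SASL mechanism=(\S+)')
RES_RE = re.compile(r'BIND RES conn=(\d+) op=(\d+) .*?result=(\d+)(?: .*?authFailureReason="([^"]*)")?')


def gssapi_bind_failures(log_text):
    """Return [(conn, authFailureReason)] for SASL GSSAPI binds with a non-zero result.

    BIND REQ and BIND RES are separate records, so the mechanism is remembered
    per (conn, op) from the request and looked up when the result arrives.
    """
    mechanism = {}
    failures = []
    for line in log_text.splitlines():
        req = REQ_RE.search(line)
        if req:
            mechanism[(req.group(1), req.group(2))] = req.group(3)
            continue
        res = RES_RE.search(line)
        if res and mechanism.get((res.group(1), res.group(2))) == "GSSAPI" and res.group(3) != "0":
            failures.append((int(res.group(1)), res.group(4) or ""))
    return failures
```

A reason containing "Failed to find any Kerberos Key" together with `keytab_has_ldap_principal()` returning False for the configured server-fqdn points at the mismatch this procedure describes.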