idok-users AT lists.psi.ch
Subject: iDok user discussion
List archive
- From: Florian Hübner <florian.huebner AT psi.ch>
- To: idok-users AT lists.psi.ch
- Cc: Martin Richter <martinrichter AT myway.com>
- Subject: Re: [idok-users] iDok Kerberos Configuration
- Date: Wed, 29 Jul 2009 10:16:30 +0200
- List-archive: <https://lists.web.psi.ch/pipermail/idok-users/>
- List-id: iDok user discussion <idok-users.lists.psi.ch>
The jaas.conf file should stay where it is and you have to make sure that the correct entry in the jaas.conf file is used when starting up the server.
The parameter looks something like this:
-Dch.idok.service.server.login.config=DmsServerProd \
that would use your entry:
> DmsServerProd {
> com.sun.security.auth.module.Krb5LoginModule required
> storeKey=true
> principal="HTTP/dms.psi.ch AT TEST.LAN"
> useKeyTab=true
> keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
> useTicketCache=false
> debug=false;
> };
so the problem is probably your principal: dms.psi.ch AT TEST.LAN
you still have to change the address to your own server.
best regards
Florian
PS: Please add the idok-users AT lists.psi.ch address to your replies (usually trough "reply-to-all") so everyone can read them and they wont get lost somewhere in my personal mailbag :)
Martin Richter wrote:
Hello,
there's one little question left: Where should i put the changed jaas.conf - or should it stay where it is? I set up jaas.conf and krb5.conf to match my configuration and iDok don't query the krb server at all.
jaas.config:
// "storeKey" cannot be used to create a new credentials cache file
// The file name for "ticketCache" must be quoted, e.g. ticketCache="/tmp/tickets"
// forwardable=true is only supported by IBM Java, use krb5.conf file for Sun Java
Dms {
ch.psi.idok.common.util.MyKrb5LoginModule required
useTicketCache=true
doNotPrompt=false
debug=false;
};
DmsCacheOnly {
ch.psi.idok.common.util.MyKrb5LoginModule required
useTicketCache=true
doNotPrompt=true
debug=false;
};
DmsNoCache {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=false
doNotPrompt=false
debug=false;
};
DmsServerProd {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
principal="HTTP/dms.psi.ch AT TEST.LAN"
useKeyTab=true
keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
useTicketCache=false
debug=false;
};
DmsServerDevel {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
principal="HTTP/dms02.psi.ch AT TEST.LAN"
useKeyTab=true
keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
useTicketCache=false
debug=false;
};
DmsServerQA {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
principal="HTTP/dms03.psi.ch AT TEST.LAN"
useKeyTab=true
keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
useTicketCache=false
debug=false;
};
krb5.config:
[logging]
default = FILE:/var/log/krb/logfile.log
kdc = FILE:/var/log/krb/kdc.log
admin_server = FILE:/var/log/krb/admin.log
[libdefaults]
default_realm = TEST.LAN
[realms]
TEST.LAN = {
default_domain = test.lan
kdc = lxa001.test.lan
admin_server = lxa001.test.lan
}
[domain_realm]
.test.lan = TEST.LAN
Gathering tickets with kinit etc is working.
Regards,
Martin
-----Original Message-----
*From: *"Florian Hbner" [florian.huebner AT psi.ch]
*Date: *07/23/2009 04:37 PM
*To: *"Martin Richter"
*CC: *idok-users AT lists.psi.ch
*Subject: *Re: [idok-users] iDok Kerberos Configuration
Hello,
You probably have to make changes in the krb5.conf, jaas.conf and
auth_kerb.conf files.
You can find the first two under
"/sites/psi/java/ch/psi/idok/common/config/". Just add your machine to
the jaas.conf and put the modified krb5.conf where your Kerberos expects
it. After that only the Apache configuration file needs adjustment and
you should be set.
Hope this works for you.
best regards
Florian
Martin Richter wrote:
> Hello,
>
>
> I'd like to ask how I havo to configure iDok to make use of a local krb5
> server instead of using AD tickets. How I have to do the initial
> configuration of iDok/kerberos?
>
> Regards,
>
> Martin
------------------------------------------------------------------------
International Movers <http://216.21.215.31/fc/FgElN1mFU5sQyiiR4UMOubGYfTKtVscKO5ARjHXgvLxhYyQDkYNEMhb71Wg/>
Click here for great quotes from top international movers! <http://216.21.215.31/fc/FgElN1mFU5sQyiiR4UMOubGYfTKtVscKO5ARjHXgvLxhYyQDkYNEMhb71Wg/>
Click Here For More Information <http://216.21.215.31/fc/FgElN1mFU5sQyiiR4UMOubGYfTKtVscKO5ARjHXgvLxhYyQDkYNEMhb71Wg/>
- [idok-users] iDok Kerberos Configuration, Martin Richter, 07/23/2009
- Re: [idok-users] iDok Kerberos Configuration, Florian Hübner, 07/23/2009
- <Possible follow-up(s)>
- Re: [idok-users] iDok Kerberos Configuration, Florian Hübner, 07/29/2009
Archive powered by MHonArc 2.6.19.