OpenDJ: CentOS, Kerberos, JCE

Perhaps this is not news to you, but if you want to set up OpenDJ & Kerberos on CentOS 6, then you need to get the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files as described in the example now posted on ForgeRock's OpenDJ wiki.

It was news to me. Until I turned on OpenDJ debug logging, it was also very confidential news. I could see the GSSAPI SASL mechanism load correctly on OpenDJ startup, but the errors when I attempted to authenticate through to Kerberos were too subtle.

18:22:06.660 protocol verbose LDAPMessage(msgID=1, protocolOp=BindResponse(resultCode=49))
18:22:06.662 caught error caught={org.opends.server.tools.ClientException: An error occurred while attempting to perform GSSAPI authentication to the Directory Server: PrivilegedActionException(AccessController.java:-2)}
18:22:06.662 caught error caught={org.opends.server.tools.LDAPConnectionException: An error occurred while attempting to perform GSSAPI authentication to the Directory Server: PrivilegedActionException(AccessController.java:-2)}
An error occurred while attempting to perform GSSAPI authentication to the Directory Server: PrivilegedActionException(AccessController.java:-2)
Result Code:  82 (Local Error)

Matt suggested turning on debug logging.

$ dsconfig -p 4444 -h `hostname` \
 -D "cn=Directory Manager" -w password \
 set-log-publisher-prop \
 --publisher-name "File-Based Debug Logger" \
 --set enabled:true \
 --set log-file:/path/to/OpenDJ/logs/debug -X -n

After that, I saw this in the OpenDJ debug log.

[15/Aug/2011:18:46:35 +0200] 0 caught error thread={Worker Thread 19(70)} threadDetail={parentThread=main(1) isDaemon=false clientConnection=LDAP client connection from 10.0.2.15:36995 to 10.0.2.15:1389 operation=BindOperation(connID=0, opID=0, protocol="LDAP 3, dn=, authType=SASL) } method={run(SASLContext.java:809)} caught={javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]}

Armed with that information, I noticed the Kerberos KDC conf file had this line.

supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

In other words, Sun/Oracle Java and Kerberos on CentOS 6 do not agree out of the box about the encryption strength to use: the KDC lists aes256-cts first, but without the unlimited-strength policy files Java refuses to use 256-bit AES, which is exactly what the "Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled" message says. Once I installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, OpenDJ and Kerberos started working together nicely.
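As an added check that is not part of the original post and not OpenDJ or ForgeRock code, the following Java program asks the running JVM how large an AES key its policy files permit, tries a real AES-256 encryption, and flags any enctype in a kdc.conf supported_enctypes line that this JVM cannot use. The sample supported_enctypes line is the one quoted above; the class and method names are my own. Run it with the same JVM that OpenDJ actually starts with, not necessarily the first java on PATH, because that is the JVM whose policy files matter.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.util.ArrayList;
import java.util.List;

public class JceStrengthCheck {

    // supported_enctypes line as it appears in kdc.conf on the post's CentOS 6 KDC
    static final String SUPPORTED_ENCTYPES =
        "supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal "
      + "arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal";

    // Largest AES key length (bits) the installed jurisdiction policy files allow.
    // Limited policy files answer 128; unlimited ones answer Integer.MAX_VALUE.
    static int maxAesKeyLength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Proves the policy in practice: under the limited policy Cipher.init with a
    // 256-bit key throws InvalidKeyException ("Illegal key size"), so this returns false.
    static boolean aes256Works() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey key = kg.generateKey();
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            cipher.doFinal("probe".getBytes("UTF-8"));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // Returns the enctypes from a supported_enctypes line that need a larger AES key
    // than this JVM permits. Only the AES enctypes depend on the policy files.
    static List<String> unusableEnctypes(String supportedEnctypesLine, int maxAesBits) {
        List<String> unusable = new ArrayList<String>();
        String value = supportedEnctypesLine.substring(supportedEnctypesLine.indexOf('=') + 1).trim();
        for (String token : value.split("\\s+")) {
            String enctype = token.split(":")[0];   // drop the ":normal" salt-type suffix
            if (enctype.startsWith("aes256") && maxAesBits < 256) {
                unusable.add(enctype);
            } else if (enctype.startsWith("aes128") && maxAesBits < 128) {
                unusable.add(enctype);
            }
        }
        return unusable;
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyLength();
        System.out.println("java.home            : " + System.getProperty("java.home"));
        System.out.println("max AES key length   : " + max);
        System.out.println("AES-256 usable       : " + aes256Works());
        List<String> bad = unusableEnctypes(SUPPORTED_ENCTYPES, max);
        if (bad.isEmpty()) {
            System.out.println("all KDC enctypes usable by this JVM");
        } else {
            // These are the enctypes that produce the "not supported/enabled" GSSException
            System.out.println("KDC enctypes this JVM cannot use: " + bad);
        }
    }
}
```

Compile and run it with the OpenDJ JVM, for example `$JAVA_HOME/bin/javac JceStrengthCheck.java && $JAVA_HOME/bin/java JceStrengthCheck`. Before the policy files are installed it reports a 128-bit maximum, a false AES-256 probe and aes256-cts as unusable; after installing them into that JVM's jre/lib/security all three change, which is the quickest way to confirm the fix landed in the right JVM before restarting OpenDJ.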
