Kerberos Experts,

I now have 1.5 working with some basic (very basic) Kerberos stuff.  I'm
able from a JUnit test to log on and verify that a different
account/user is valid.  Before I go on to explain my next issue, I
should explain what I'm trying to accomplish.

My task is to create some remote administration Java code for Active
Directory.  I've been doing Kerberos for a while with the Quest/Vintela
VSJ and VSJ Kerberos packages and we have a lot of utility code built up
around these tools.  We already have an authenticated LDAP client piece
that we use to do some simple things like verify an account or its SPNs
and change a password.  We will now be expanding this code to do more
"intrusive" functions so we'd like to set up a test environment on our
local machines that simulates AD as closely as possible for the purpose
of this client code we are writing.  Examples of new features would be
adding an account or adding a user to an AD group.  I know almost
nothing about LDAP but I know a few things about Kerberos and working
with AD's Kerberos.

My next step after verifying accounts (which I can do now) against
ApacheDS is to verify the SPNs.  In Active Directory, an SPN is a
"servicePrincipalName" attribute that can have a list of values
(aliases) for the service that the account represents.  When I try to
add a "servicePrincipalName" to a user in my kerberos.ldif file (for
loading on startup), the startup fails to load the ldif file with the
following error:

[13:00:25] ERROR [org.apache.directory.server.protocol.shared.store.LdifFileLoader] - Failed to import LDIF into backing store.
org.apache.directory.shared.ldap.exception.LdapInvalidAttributeIdentifierException: serviceprincipalname not found in attribute registry!
        at org.apache.directory.server.core.schema.SchemaService.check(SchemaService.java:1809)

I assume I could add this attribute to the schema.  However, when I read
the custom schema stuff in the 1.0 documentation, it refers to a
bootstrapSchemas section in the server.xml that doesn't exist.  I tried
putting it in and the server won't come up so that doesn't work.  How is
this done now?  I assume it has changed but the change isn't documented.

Can anybody help with adding an attribute to the schema or set of
schemas that ApacheDS uses?

MikeC
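As an added illustration (not code from the original message, and not ApacheDS's own implementation), the following Python simulates the check the LDIF loader is performing: every attribute name in a record is looked up, case-insensitively, in a schema attribute registry, and a record carrying a name the registry lacks is rejected. The registry contents and the LDIF record are constructed; it also shows pulling the multi-valued servicePrincipalName list out of a user entry for SPN verification.

```python
"""Constructed example: simulate an LDIF loader's schema check and extract
the multi-valued servicePrincipalName list from a user entry.
Self-contained; it does not call ApacheDS or any LDAP library."""

# Constructed attribute registry (lower-cased, since LDAP attribute names
# are case-insensitive). 'servicePrincipalName' is deliberately absent to
# reproduce the "not found in attribute registry" failure from the post.
CORE_REGISTRY = {"objectclass", "cn", "sn", "uid", "userpassword",
                 "krb5principalname"}

# Constructed LDIF: one user with two SPN aliases. The second value is
# folded across a continuation line (leading space) to exercise unfolding.
SAMPLE_LDIF = """\
dn: uid=svc-http,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: svc-http
sn: svc
uid: svc-http
servicePrincipalName: HTTP/web01.example.com
servicePrincipalName: HTTP/web01.exa
 mple.com@EXAMPLE.COM
"""


def parse_ldif(text):
    """Parse one LDIF record into {attribute (lowercase): [values]}.
    Unfolds continuation lines and skips comments; base64 ('::') values
    are not decoded, which is enough for this attribute-name check."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def unknown_attributes(entry, registry):
    """Attribute names the loader would reject: absent from the registry."""
    known = {a.lower() for a in registry} | {"dn"}
    return sorted(a for a in entry if a not in known)


def spns(entry):
    """All servicePrincipalName aliases on the entry (case-insensitive key)."""
    return entry.get("serviceprincipalname", [])
```

With the core registry alone the record is rejected for servicePrincipalName; once that attribute type is added to the registry the same record loads and both SPN aliases are available for verification.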


