I have created https://issues.apache.org/jira/browse/DIRSERVER-2156 as you suggest. There really is address send in TGS-REQ for krbtgt. Is there way we can workaround this behaviour? Is it bug in ibm java ignoring noaddresses = true flag? Is it possible to configure ApacheDS not to issue ticket with address or skip network address check?
On 28 June 2016 at 07:45, Martin Choma <[email protected]> wrote: > Hi, > > ApacheDS issues TGT kerberos ticket with address on IBM java , even if > noaddresses = true is explicitelly set in krb5.conf. > > Address in ticket causing problem, because ApacheDS check address in > ticket with address of connection. And that leads to error "error 38 > Incorrect net address" > > I dont see this issue on IBM java and Active Directory, for instance, so I > think it is not problem of client code. > > Also note that running ApacheDS with openJDK and oracle java I also don't > see this. > > Only problematic combination is is ApacheDS vs. IBM java 8 > > Tested use case is identity propagation / delegation. > > Any ideas? >
