[Using Sakai] Kerberos configuration -> create user in DB after correct login

Seth Theriault slt at columbia.edu
Mon Feb 25 11:35:09 PST 2013


On Mon, Feb 25, 2013 at 1:46 PM, Nicolas Lehmann <mail at nicolaslehmann.de> wrote:

> provider.kerberos.auth.login.config=sakai-jaas.conf
> #is default: provider.kerberos.krb5.conf=/etc/krb5.conf
> provider.kerberos.showconfig=true
> # requireLocalAccount at org.sakaiproject.user.api.UserDirectoryProvider=false
> # knownUserMsg at org.sakaiproject.user.api.UserDirectoryProvider="Integrity check on decrypted field failed"
> domain at org.sakaiproject.user.api.UserDirectoryProvider="FU-BERLIN.DE"
>
> Questions:
>
> 1) What do we have to do to make Sakai create users in the Sakai database
> (@login) if a user doesn't exist?
> 2) Is the message "Integrity check on decrypted field failed" correct?

1) From the docs/INSTALL.txt document:

"To allow anyone with a valid Kerberos principal to login into Sakai
without a local account, you MUST configure the "requireLocalAccount",
"knownUserMsg", and "domain" properties."

If you uncomment the settings above, things should work.

2) Are you using MIT or Heimdal? For MIT, the message is correct and
the same as the one in the RFC. For Heimdal, it's different. You can
check the docs/INSTALL.txt file for information on getting the right
message.

For the record, using Kerberos as a directory service is not really
recommended. You may wish to investigate LDAP if your users can
authenticate to LDAP using their Kerberos passwords.

Seth

