[Using Sakai] Kerberos configuration -> create user in DB after correct login

mail at nicolaslehmann.de
Mon Feb 25 16:21:12 PST 2013


Hi Seth,

I uncommented the lines in the sakai.properties file and tested it. It 
doesn't work.

I'm not sure if we use MIT or Heimdal, but I will get the information soon.

We already tried to use JLDAP but this didn't work. Because of this we 
started to use Kerberos.

We can live with the current solution, but it would be better to be able to 
create new users on demand (not manually).

Do we have to write our own connector class or something like this, or is 
"all" of this already done in Sakai CLE so that we just have to configure the 
sakai.properties file?

Greetings from Berlin

Nicolas Lehmann

----------
TA Nicolas Lehmann
Freie Universität Berlin
Institut für Informatik
Takustr. 9, 14195 Berlin


-----Original Message----- 
From: Seth Theriault
Sent: Monday, February 25, 2013 8:35 PM
To: Nicolas Lehmann
Cc: Sakai Mailing-Liste ; sakai-dev at collab.sakaiproject.org
Subject: Re: [Using Sakai] Kerberos configuration -> create user in DB after 
correct login

On Mon, Feb 25, 2013 at 1:46 PM, Nicolas Lehmann <mail at nicolaslehmann.de> 
wrote:

> provider.kerberos.auth.login.config=sakai-jaas.conf
> #is default: provider.kerberos.krb5.conf=/etc/krb5.conf
> provider.kerberos.showconfig=true
> # requireLocalAccount@org.sakaiproject.user.api.UserDirectoryProvider=false
> # knownUserMsg@org.sakaiproject.user.api.UserDirectoryProvider="Integrity check on decrypted field failed"
> domain@org.sakaiproject.user.api.UserDirectoryProvider="FU-BERLIN.DE"
>
> Questions:
>
> 1) What do we have to do to make Sakai create users in the Sakai database
> (at login) if a user doesn't exist?
> 2) Is the message "Integrity check on decrypted field failed" correct?

1) From the docs/INSTALL.txt document:

"To allow anyone with a valid Kerberos principal to login into  Sakai
without a local account, you MUST configure the "requireLocalAccount",
"knownUserMsg", and "domain" properties."

If you uncomment the settings above, things should work.

2) Are you using MIT or Heimdal? For MIT, the message is correct and
the same as the one in the RFC. For Heimdal, it's different. You can
check the docs/INSTALL.txt file for information on getting the right
message.

For the record, using Kerberos as a directory service is not really
recommended. You may wish to investigate LDAP if your users can
authenticate to LDAP using their Kerberos passwords.

Seth
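A small checker for the situation Seth describes, added here as an example and not code from Sakai or from anyone in this thread: it parses a sakai.properties fragment (assumed to use standard Java-properties syntax with Sakai's `key@component` form) and reports whether the three UserDirectoryProvider settings are active, commented out, or missing, and whether knownUserMsg matches the MIT message quoted above. The sample input is constructed from the snippet quoted in the thread.

```python
import re

# Constructed sample modelled on the snippet quoted in the thread (not a real file).
SAMPLE_PROPERTIES = """\
provider.kerberos.auth.login.config=sakai-jaas.conf
#is default: provider.kerberos.krb5.conf=/etc/krb5.conf
provider.kerberos.showconfig=true
# requireLocalAccount@org.sakaiproject.user.api.UserDirectoryProvider=false
# knownUserMsg@org.sakaiproject.user.api.UserDirectoryProvider="Integrity check on decrypted field failed"
domain@org.sakaiproject.user.api.UserDirectoryProvider="FU-BERLIN.DE"
"""

UDP = "org.sakaiproject.user.api.UserDirectoryProvider"
REQUIRED = ("requireLocalAccount", "knownUserMsg", "domain")
MIT_MSG = "Integrity check on decrypted field failed"  # MIT message as quoted in the thread


def parse_properties(text):
    """Parse key=value lines. Commented-out keys are kept in a second dict so the
    checker can distinguish 'missing' from 'present but commented out'."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line[0] in "#!":            # Java-properties comment markers
            line = line[1:].strip()
            target = commented
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if not m:                      # free-text comment, not a key=value pair
            continue
        target[m.group(1)] = m.group(2).strip().strip('"')
    return active, commented


def check_kerberos_provider(text):
    """Return a list of problems; an empty list means the three settings are active
    and consistent with the docs/INSTALL.txt guidance quoted in the thread."""
    active, commented = parse_properties(text)
    problems = []
    for name in REQUIRED:
        key = f"{name}@{UDP}"
        if key not in active:
            state = "commented out" if key in commented else "missing"
            problems.append(f"{key} is {state}")
    if active.get(f"requireLocalAccount@{UDP}", "false").lower() != "false":
        problems.append("requireLocalAccount must be false for users to be created at login")
    if active.get(f"knownUserMsg@{UDP}", MIT_MSG) != MIT_MSG:
        problems.append("knownUserMsg differs from the MIT message; Heimdal uses a different one")
    return problems
```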


