directory-dev mailing list archives

From "Charles Hedrick (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRAPI-350) gssapi documentation
Date Wed, 10 Jul 2019 21:10:00 GMT
Charles Hedrick created DIRAPI-350:
--------------------------------------

             Summary: gssapi documentation
                 Key: DIRAPI-350
                 URL: https://issues.apache.org/jira/browse/DIRAPI-350
             Project: Directory Client API
          Issue Type: Documentation
    Affects Versions: 2.0.0.AM4
            Reporter: Charles Hedrick


In the section on authentication, there is no usable documentation for GSSAPI. Since GSSAPI
is mostly used for Kerberos, you need sample code. Here is some that works.

First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos configuration
is not well documented elsewhere, so we include here sample code. It is possible to put configuration
information in a JAAS login configuration file as well, but doing it programmatically provides
more flexibility for applications that need to use more than one principal.

    import java.net.InetAddress;
    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.Configuration;

    // Programmatic JAAS configuration: one Krb5LoginModule entry built from a keytab.
    class KerberosConfiguration extends Configuration {

        private String cc;

        public KerberosConfiguration(String cc) {
            this.cc = cc;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<String, String>();
            options.put("useKeyTab", "true");
            try {
                // host principal of this machine, e.g. host/fqdn@MYKERBOSDOMAIN
                options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName()
                                         + "@MYKERBOSDOMAIN");
            } catch (Exception e) {
                System.out.println("Can't find our hostname " + e);
            }
            options.put("refreshKrb5Config", "true");
            options.put("keyTab", "/etc/krb5.keytab");
            options.put("debug", "true");

            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                          AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                          options), };
        }
    }

    public KerberosConfiguration makeKerberosConfiguration(String cc) {
        return new KerberosConfiguration(cc);
    }

 

makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI. The
options in this example authenticate the host, based on /etc/krb5.keytab. Other options are
documented in the Java documentation for the class Krb5LoginModule. Note that if you are
going to use user credentials, they should be stored in a file, not KEYRING or KCM.

 

The following code uses a configuration generated with the code above to do a GSSAPI SASL
bind. The assumption is that ldapNetworkConnection has already been opened using connect.

        Configuration sconfig = makeKerberosConfiguration(null);

        SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
        saslGssApiRequest.setLoginModuleConfiguration( sconfig );
        // the name passed to Configuration.getAppConfigurationEntry()
        saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest" );
        saslGssApiRequest.setMutualAuthentication( false );

        BindResponse br;

        try {
            br = ldapNetworkConnection.bind( saslGssApiRequest );
            ldapNetworkConnection.startTls();
        } catch ( LdapException e ) {
            e.printStackTrace();
        }

At this point you can do search or other operations.
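The report's KerberosConfiguration ignores its constructor argument and always builds the same host entry. The following is an added example (not code from the report or from the Directory project) showing how the same Configuration mechanism supports several principals: each login context name maps to its own Krb5LoginModule entry, and the GSSAPI bind selects one by name. It also checks the bind result code instead of ignoring the BindResponse. Class names MultiPrincipalKerberosConfiguration and GssapiBindExample, the context names, and all host names, realms and paths are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

/**
 * JAAS Configuration holding one Krb5LoginModule entry per login context name,
 * so one application can bind as several principals. Hypothetical class
 * written for this example; it is not part of the Directory LDAP API.
 */
class MultiPrincipalKerberosConfiguration extends Configuration {

    private final Map<String, AppConfigurationEntry[]> contexts = new HashMap<>();

    /** Service-style credentials read from a keytab file. */
    void addKeytabPrincipal(String contextName, String principal, String keytabPath) {
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", keytabPath);
        options.put("principal", principal);
        options.put("doNotPrompt", "true");       // never fall back to an interactive prompt
        options.put("refreshKrb5Config", "true");
        // "debug" is deliberately not set: it writes ticket details to stdout.
        contexts.put(contextName, entry(options));
    }

    /** User credentials from a ticket cache file (a file, as the report recommends). */
    void addTicketCachePrincipal(String contextName, String principal, String ticketCachePath) {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true");
        options.put("ticketCache", ticketCachePath);
        options.put("principal", principal);
        options.put("doNotPrompt", "true");
        options.put("renewTGT", "true");
        contexts.put(contextName, entry(options));
    }

    private static AppConfigurationEntry[] entry(Map<String, String> options) {
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                      AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                      options) };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // Unknown name -> null -> LoginContext fails with a LoginException, rather than
        // silently authenticating as some default principal.
        return contexts.get(name);
    }
}

class GssapiBindExample {

    /** GSSAPI SASL bind using the named login context from the given Configuration. */
    static BindResponse bindWithGssapi(LdapNetworkConnection connection,
                                       Configuration config,
                                       String contextName) throws LdapException {
        SaslGssApiRequest request = new SaslGssApiRequest();
        request.setLoginModuleConfiguration(config);
        request.setLoginContextName(contextName);   // selects the principal
        request.setMutualAuthentication(true);      // client also verifies the server's identity
        return connection.bind(request);
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; adjust realm, hosts and paths to the deployment.
        MultiPrincipalKerberosConfiguration config = new MultiPrincipalKerberosConfiguration();
        config.addKeytabPrincipal("hostService",
                "host/app.example.org@EXAMPLE.ORG", "/etc/krb5.keytab");
        config.addTicketCachePrincipal("interactiveUser",
                "alice@EXAMPLE.ORG", "/tmp/krb5cc_1000");

        LdapNetworkConnection connection = new LdapNetworkConnection("ldap.example.org", 389);
        try {
            connection.connect();
            BindResponse response = bindWithGssapi(connection, config, "hostService");
            if (response.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS) {
                throw new LdapException("GSSAPI bind failed: " + response.getLdapResult());
            }
            connection.startTls();   // same order as in the report: bind, then StartTLS
            // search and other operations go here
        } finally {
            connection.close();
        }
    }
}
```

Binding as the interactive user is the same call with "interactiveUser" as the context name; the Configuration, not the bind code, decides which keytab or ticket cache is used.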



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
