directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Charles Hedrick (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DIRAPI-350) gssapi documentation
Date Wed, 10 Jul 2019 22:00:00 GMT

    [ https://issues.apache.org/jira/browse/DIRAPI-350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16882471#comment-16882471
] 

Charles Hedrick edited comment on DIRAPI-350 at 7/10/19 9:59 PM:
-----------------------------------------------------------------

my apologies. The sample has unncessary code. The cc argument and the constructor aren't really
needed. I can update the code if you want.

 

I did try a credential cache, and verified that a file works but not a KEYRING entry. This
is unfortunate, because a number of implementations are now putting credentials in KEYRING
or even KCM by default. In the long run it would be nice to use your own Kerberos code for
this, and fix it to understand all of the different cache types.

 


was (Author: clhedrick):
my apologies. The sample has unncessary code. The cc argument and the constructor aren't really
needed. I can update the code if you want.

 

> gssapi documentation
> --------------------
>
>                 Key: DIRAPI-350
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-350
>             Project: Directory Client API
>          Issue Type: Documentation
>    Affects Versions: 2.0.0.AM4
>            Reporter: Charles Hedrick
>            Priority: Major
>
> In the section on authentication, there is no usable documentation for GSSAPI. Since
GSSAPI is mostly used for Kerberos, you need sample code. Here is some that works.
> First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos
configuration is not well documented elsewhere, so we include here sample code. It is possible
to put configuration information in a JAAS login configuration file as well, but doing it
programmatically provides more flexibiity for appications that need to use more than one principal.
>     *import* javax.security.auth.login.Configuration;
>     *class* KerberosConfiguration *extends* Configuration {
>         *private* String cc;
>         *public* KerberosConfiguration(String cc) {
>             *this*.cc = cc;
>         }
>         @Override
>         *public* AppConfigurationEntry[] *getAppConfigurationEntry*(String name)
{
>             Map<String, String> options = *new* HashMap<String, String>();
>             options.put("useKeyTab", "true");
>             *try* {
>                 options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName()
+ "@MYKERBOSDOMAIN");
>             } *catch* (Exception e){
>                 System.out.println("Can't find our hostname " + e);
>             }
>             options.put("refreshKrb5Config", "true");
>             options.put("keyTab", "/etc/krb5.keytab");
>             options.put("debug", "true");
>            *return* *new* AppConfigurationEntry[]{
>                 *new* AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
>                                           AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
>                                           options),};
>         }
>  }
>  *public* KerberosConfiguration *makeKerberosConfiguration*(String cc) {
>        *return* *new* KerberosConfiguration(cc);
>  }
>  
> makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI.
The options in this example authenticate the host, based on /etc/krb5.keytab. Other options
are documented in the Java documentation for the class Krb5LoginModule. Note that if you
are going to use user credentials, they should be stored in a file, not KEYRING or KCM.
>  
> The following code uses a configuration generated with the code above to do a GSSAPI
SASL bind. The assumption is that ldapNetworkConnection has already been opened using connect
>         Configuration sconfig = makeKerberosConfiguration(null);
>         SaslGssApiRequest saslGssApiRequestt = *new* SaslGssApiRequest();
>         saslGssApiRequest.setLoginModuleConfiguration( sconfig);
>         saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest"
);
>         saslGssApiRequest.setMutualAuthentication( false );
>  
>         BindResponse br;
>  
>         *try* {
>                 br = ldapNetworkConnection.bind( saslGssApiRequest );
>                 ldapNetworkConnection.startTls();
>          } *catch* ( LdapException e ) {
>                 e.printStackTrace();
>         }
> At this point you can do search or other operations.
> h2.  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org


Mime
View raw message