directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DIRAPI-350) gssapi documentation
Date Wed, 10 Jul 2019 22:02:00 GMT

     [ https://issues.apache.org/jira/browse/DIRAPI-350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Emmanuel Lecharny updated DIRAPI-350:
-------------------------------------
    Description: 
In the section on authentication, there is no usable documentation for GSSAPI. Since GSSAPI
is mostly used for Kerberos, you need sample code. Here is some that works.

First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos configuration
is not well documented elsewhere, so we include here sample code. It is possible to put configuration
information in a JAAS login configuration file as well, but doing it programmatically provides
more flexibiity for appications that need to use more than one principal.

{code:java}
    import javax.security.auth.login.Configuration;

    class KerberosConfiguration extends Configuration {

        private String cc;

        public KerberosConfiguration(String cc) {

            this.cc = cc;

        }

        @Override

        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {

            Map<String, String> options = new HashMap<String, String>();

            options.put("useKeyTab", "true");

            try {

                options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName()
+ "@MYKERBOSDOMAIN");

            } catch (Exception e){

                System.out.println("Can't find our hostname " + e);

            }

            options.put("refreshKrb5Config", "true");

            options.put("keyTab", "/etc/krb5.keytab");

            options.put("debug", "true");

           return new AppConfigurationEntry[]{

                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",

                                          AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,

                                          options),};

        }

 }

 public KerberosConfiguration makeKerberosConfiguration(String cc) {

       return new KerberosConfiguration(cc);

 }

{code}

 

makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI. The
options in this example authenticate the host, based on /etc/krb5.keytab. Other options are
documented in the Java documentation for the class Krb5LoginModule. Note that if you are
going to use user credentials, they should be stored in a file, not KEYRING or KCM.

 

The following code uses a configuration generated with the code above to do a GSSAPI SASL
bind. The assumption is that ldapNetworkConnection has already been opened using connect

{code:java}
        Configuration sconfig = makeKerberosConfiguration(null);

        SaslGssApiRequest saslGssApiRequestt = new SaslGssApiRequest();

        saslGssApiRequest.setLoginModuleConfiguration( sconfig);

        saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest"
);

        saslGssApiRequest.setMutualAuthentication( false );

 

        BindResponse br;

 

        try {

                br = ldapNetworkConnection.bind( saslGssApiRequest );

                ldapNetworkConnection.startTls();

         } catch ( LdapException e ) {

                e.printStackTrace();

        }
{code}

At this point you can do search or other operations.


  was:
In the section on authentication, there is no usable documentation for GSSAPI. Since GSSAPI
is mostly used for Kerberos, you need sample code. Here is some that works.

First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos configuration
is not well documented elsewhere, so we include here sample code. It is possible to put configuration
information in a JAAS login configuration file as well, but doing it programmatically provides
more flexibiity for appications that need to use more than one principal.

    *import* javax.security.auth.login.Configuration;

    *class* KerberosConfiguration *extends* Configuration {

        *private* String cc;

        *public* KerberosConfiguration(String cc) {

            *this*.cc = cc;

        }

        @Override

        *public* AppConfigurationEntry[] *getAppConfigurationEntry*(String name) {

            Map<String, String> options = *new* HashMap<String, String>();

            options.put("useKeyTab", "true");

            *try* {

                options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName()
+ "@MYKERBOSDOMAIN");

            } *catch* (Exception e){

                System.out.println("Can't find our hostname " + e);

            }

            options.put("refreshKrb5Config", "true");

            options.put("keyTab", "/etc/krb5.keytab");

            options.put("debug", "true");

           *return* *new* AppConfigurationEntry[]{

                *new* AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",

                                          AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,

                                          options),};

        }

 }

 *public* KerberosConfiguration *makeKerberosConfiguration*(String cc) {

       *return* *new* KerberosConfiguration(cc);

 }

 

makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI. The
options in this example authenticate the host, based on /etc/krb5.keytab. Other options are
documented in the Java documentation for the class Krb5LoginModule. Note that if you are
going to use user credentials, they should be stored in a file, not KEYRING or KCM.

 

The following code uses a configuration generated with the code above to do a GSSAPI SASL
bind. The assumption is that ldapNetworkConnection has already been opened using connect

        Configuration sconfig = makeKerberosConfiguration(null);

        SaslGssApiRequest saslGssApiRequestt = *new* SaslGssApiRequest();

        saslGssApiRequest.setLoginModuleConfiguration( sconfig);

        saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest"
);

        saslGssApiRequest.setMutualAuthentication( false );

 

        BindResponse br;

 

        *try* {

                br = ldapNetworkConnection.bind( saslGssApiRequest );

                ldapNetworkConnection.startTls();

         } *catch* ( LdapException e ) {

                e.printStackTrace();

        }

At this point you can do search or other operations.
h2.  


> gssapi documentation
> --------------------
>
>                 Key: DIRAPI-350
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-350
>             Project: Directory Client API
>          Issue Type: Documentation
>    Affects Versions: 2.0.0.AM4
>            Reporter: Charles Hedrick
>            Priority: Major
>
> In the section on authentication, there is no usable documentation for GSSAPI. Since
GSSAPI is mostly used for Kerberos, you need sample code. Here is some that works.
> First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos
configuration is not well documented elsewhere, so we include here sample code. It is possible
to put configuration information in a JAAS login configuration file as well, but doing it
programmatically provides more flexibiity for appications that need to use more than one principal.
> {code:java}
>     import javax.security.auth.login.Configuration;
>     class KerberosConfiguration extends Configuration {
>         private String cc;
>         public KerberosConfiguration(String cc) {
>             this.cc = cc;
>         }
>         @Override
>         public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>             Map<String, String> options = new HashMap<String, String>();
>             options.put("useKeyTab", "true");
>             try {
>                 options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName()
+ "@MYKERBOSDOMAIN");
>             } catch (Exception e){
>                 System.out.println("Can't find our hostname " + e);
>             }
>             options.put("refreshKrb5Config", "true");
>             options.put("keyTab", "/etc/krb5.keytab");
>             options.put("debug", "true");
>            return new AppConfigurationEntry[]{
>                 new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
>                                           AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
>                                           options),};
>         }
>  }
>  public KerberosConfiguration makeKerberosConfiguration(String cc) {
>        return new KerberosConfiguration(cc);
>  }
> {code}
>  
> makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI.
The options in this example authenticate the host, based on /etc/krb5.keytab. Other options
are documented in the Java documentation for the class Krb5LoginModule. Note that if you
are going to use user credentials, they should be stored in a file, not KEYRING or KCM.
>  
> The following code uses a configuration generated with the code above to do a GSSAPI
SASL bind. The assumption is that ldapNetworkConnection has already been opened using connect
> {code:java}
>         Configuration sconfig = makeKerberosConfiguration(null);
>         SaslGssApiRequest saslGssApiRequestt = new SaslGssApiRequest();
>         saslGssApiRequest.setLoginModuleConfiguration( sconfig);
>         saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest"
);
>         saslGssApiRequest.setMutualAuthentication( false );
>  
>         BindResponse br;
>  
>         try {
>                 br = ldapNetworkConnection.bind( saslGssApiRequest );
>                 ldapNetworkConnection.startTls();
>          } catch ( LdapException e ) {
>                 e.printStackTrace();
>         }
> {code}
> At this point you can do search or other operations.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org


Mime
View raw message