[
https://issues.apache.org/jira/browse/DIRAPI-350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Emmanuel Lecharny updated DIRAPI-350:
-------------------------------------
Description:
In the section on authentication, there is no usable documentation for GSSAPI.
Since GSSAPI is mostly used for Kerberos, you need sample code. Here is some
that works.
First, non-trivial Kerberos authentication requires configuration. Creating a
Kerberos configuration is not well documented elsewhere, so we include here
sample code. It is possible to put configuration information in a JAAS login
configuration file as well, but doing it programmatically provides more
flexibility for applications that need to use more than one principal.
{code:java}
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Programmatic JAAS configuration: a single Krb5LoginModule entry that logs in
// the host principal from the keytab, whatever login-context name is asked for.
class KerberosConfiguration extends Configuration {
    private String cc;   // kept for the caller; not used by this configuration

    public KerberosConfiguration(String cc) {
        this.cc = cc;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> options = new HashMap<String, String>();
        options.put("useKeyTab", "true");
        try {
            // host/<canonical hostname>@REALM, the principal stored in /etc/krb5.keytab
            options.put("principal", "host/" +
                InetAddress.getLocalHost().getCanonicalHostName() + "@MYKERBOSDOMAIN");
        } catch (Exception e) {
            System.out.println("Can't find our hostname " + e);
        }
        options.put("refreshKrb5Config", "true");
        options.put("keyTab", "/etc/krb5.keytab");
        options.put("debug", "true");   // prints Krb5LoginModule diagnostics (ticket details) to stdout
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options), };
    }
}

public KerberosConfiguration makeKerberosConfiguration(String cc) {
    return new KerberosConfiguration(cc);
}
{code}
makeKerberosConfiguration(null) will return the configuration object needed for
GSSAPI. The options in this example authenticate the host, based on
/etc/krb5.keytab. Other options are documented in the Java documentation for
the class Krb5LoginModule. Note that if you are going to use user credentials,
they should be stored in a file, not KEYRING or KCM.
The following code uses a configuration generated with the code above to do a
GSSAPI SASL bind. The assumption is that ldapNetworkConnection has already been
opened using connect.
{code:java}
// Classes used: javax.security.auth.login.Configuration,
// org.apache.directory.ldap.client.api.SaslGssApiRequest,
// org.apache.directory.api.ldap.model.message.BindResponse,
// org.apache.directory.api.ldap.model.exception.LdapException
Configuration sconfig = makeKerberosConfiguration(null);
SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
saslGssApiRequest.setLoginModuleConfiguration( sconfig );
// this name is what getAppConfigurationEntry() above receives
saslGssApiRequest.setLoginContextName(
    "org.apache.directory.ldap.client.api.SaslGssApiRequest" );
// false: GSSAPI is not asked to prove the server's identity back to the client
saslGssApiRequest.setMutualAuthentication( false );

BindResponse br;
try {
    br = ldapNetworkConnection.bind( saslGssApiRequest );
    // TLS is negotiated only now, after the bind, so the SASL exchange itself
    // ran on the plain connection
    ldapNetworkConnection.startTls();
} catch ( LdapException e ) {
    e.printStackTrace();
}
{code}
At this point you can do search or other operations.
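The two pieces above, a programmatic JAAS Configuration and a GSSAPI SASL bind, combined into one runnable class as an added example; this is not code from the issue or from the Apache Directory project. It keys the Configuration on the login-context name, so one object can serve several principals (the flexibility the description mentions), with a keytab entry for the host principal and a FILE credential-cache entry for a user principal, which is the only cache type Krb5LoginModule reads. The server name ldap.example.com, the realm EXAMPLE.COM, the keytab and cache paths, the context names ldap-host and ldap-user, and the search base are assumptions. Unlike the snippet above it calls startTls() before the bind, so the SASL exchange runs inside the TLS session, and it requests mutual authentication so GSSAPI also verifies the LDAP server.

```java
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

public class MultiPrincipalGssapiBind {

    // One JAAS Configuration for several principals. JAAS passes
    // getAppConfigurationEntry() the name given to setLoginContextName(),
    // so each name selects its own Krb5LoginModule options.
    static final class MultiPrincipalConfiguration extends Configuration {
        private final Map<String, Map<String, String>> byContextName = new HashMap<>();

        // Service principal whose long-term key is in a keytab; no ticket cache needed.
        void addKeytabPrincipal(String contextName, String principal, String keytabPath) {
            Map<String, String> o = new HashMap<>();
            o.put("useKeyTab", "true");
            o.put("keyTab", keytabPath);
            o.put("principal", principal);
            o.put("refreshKrb5Config", "true");
            o.put("debug", "false");          // "true" prints the Kerberos exchange to stdout
            byContextName.put(contextName, o);
        }

        // User principal whose TGT already sits in a FILE: credential cache (from kinit).
        void addTicketCachePrincipal(String contextName, String principal, String ccachePath) {
            Map<String, String> o = new HashMap<>();
            o.put("useTicketCache", "true");
            o.put("ticketCache", ccachePath); // FILE caches only; KEYRING and KCM are not readable from Java
            o.put("principal", principal);
            o.put("doNotPrompt", "true");     // fail instead of prompting for a password if the cache is unusable
            o.put("refreshKrb5Config", "true");
            o.put("debug", "false");
            byContextName.put(contextName, o);
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = byContextName.get(name);
            if (options == null) {
                return null;   // unknown name: LoginContext fails rather than using some default principal
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, options) };
        }
    }

    // StartTLS, GSSAPI bind as the given login context, then a one-level search.
    // Declared "throws Exception" because the cursor's close() is checked.
    static int bindAndListChildren(LdapNetworkConnection conn, Configuration config,
                                   String contextName, String baseDn) throws Exception {
        conn.startTls();   // TLS first, so the SASL exchange and everything after it is inside the TLS session

        SaslGssApiRequest request = new SaslGssApiRequest();
        request.setLoginModuleConfiguration(config);
        request.setLoginContextName(contextName);
        request.setMutualAuthentication(true);   // ask GSSAPI to verify the LDAP server, not only the client

        BindResponse response = conn.bind(request);
        if (response.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS) {
            throw new LdapException("GSSAPI bind as " + contextName + " failed: " + response.getLdapResult());
        }

        int count = 0;
        // "1.1" requests no attributes, so only the DNs come back.
        try (EntryCursor cursor = conn.search(baseDn, "(objectClass=*)", SearchScope.ONELEVEL, "1.1")) {
            for (Entry entry : cursor) {
                System.out.println(entry.getDn());
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: realm EXAMPLE.COM, server ldap.example.com, the paths and context names below.
        String fqdn = InetAddress.getLocalHost().getCanonicalHostName();
        MultiPrincipalConfiguration config = new MultiPrincipalConfiguration();
        config.addKeytabPrincipal("ldap-host", "host/" + fqdn + "@EXAMPLE.COM", "/etc/krb5.keytab");
        config.addTicketCachePrincipal("ldap-user", "alice@EXAMPLE.COM", "/tmp/krb5cc_1000");

        String contextName = args.length > 0 ? args[0] : "ldap-host";   // choose the principal per run
        try (LdapNetworkConnection conn = new LdapNetworkConnection("ldap.example.com", 389)) {
            conn.connect();
            int n = bindAndListChildren(conn, config, contextName, "ou=people,dc=example,dc=com");
            System.out.println(n + " entries under ou=people");
        }
    }
}
```

Run it as `java MultiPrincipalGssapiBind ldap-host` to bind with the keytab principal or `java MultiPrincipalGssapiBind ldap-user` after a `kinit` that wrote a FILE cache at the assumed path; with mutual authentication on, a server that cannot decrypt the service ticket fails the bind instead of being silently accepted.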
> gssapi documentation
> --------------------
>
> Key: DIRAPI-350
> URL: https://issues.apache.org/jira/browse/DIRAPI-350
> Project: Directory Client API
> Issue Type: Documentation
> Affects Versions: 2.0.0.AM4
> Reporter: Charles Hedrick
> Priority: Major
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)