[ https://issues.apache.org/jira/browse/DIRAPI-350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRAPI-350:
-------------------------------------
    Description: 
In the section on authentication, there is no usable documentation for GSSAPI. Since GSSAPI is mostly used for Kerberos, you need sample code. Here is some that works.

First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos configuration is not well documented elsewhere, so we include here sample code. It is possible to put configuration information in a JAAS login configuration file as well, but doing it programmatically provides more flexibility for applications that need to use more than one principal.

{code:java}
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

class KerberosConfiguration extends Configuration {
    // Credential cache name handed in by the caller; this keytab-based
    // example never reads a ticket cache, so it is kept but unused.
    private String cc;

    public KerberosConfiguration(String cc) {
        this.cc = cc;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> options = new HashMap<String, String>();
        // Authenticate as this host's principal using the system keytab
        options.put("useKeyTab", "true");
        try {
            options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName() + "@MYKERBOSDOMAIN");
        } catch (Exception e) {
            System.out.println("Can't find our hostname " + e);
        }
        options.put("refreshKrb5Config", "true");
        options.put("keyTab", "/etc/krb5.keytab");
        // Prints the login module's trace to stdout; switch off outside of testing
        options.put("debug", "true");
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
    }
}

// Factory used by the bind code; put it in the class that performs the bind.
public KerberosConfiguration makeKerberosConfiguration(String cc) {
    return new KerberosConfiguration(cc);
}
{code}

makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI. The options in this example authenticate the host, based on /etc/krb5.keytab. Other options are documented in the Java documentation for the class Krb5LoginModule. Note that if you are going to use user credentials, they should be stored in a file, not KEYRING or KCM.
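As an added example (not code from this issue or from the Apache Directory project), the following Configuration extends the single-principal class above to the multi-principal case the description motivates: each login context name maps to its own principal and keytab, so two SaslGssApiRequest objects in the same JVM can bind as different identities. The context names, principals, realm and keytab paths are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Added example: one JAAS Configuration serving several Kerberos principals.
// The login context name passed to SaslGssApiRequest.setLoginContextName()
// selects which principal/keytab pair is used. All names below are placeholders.
public class MultiPrincipalKerberosConfiguration extends Configuration {
    private static final String KRB5_MODULE =
        "com.sun.security.auth.module.Krb5LoginModule";

    /** login context name -> { principal, keytab path } */
    private final Map<String, String[]> principals = new HashMap<>();

    public MultiPrincipalKerberosConfiguration addPrincipal(String contextName,
            String principal, String keytabPath) {
        principals.put(contextName, new String[] { principal, keytabPath });
        return this;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        String[] p = principals.get(name);
        if (p == null) {
            // Unknown context name: LoginContext then fails with a LoginException
            // instead of silently authenticating as some default principal.
            return null;
        }
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", p[1]);
        options.put("principal", p[0]);
        options.put("doNotPrompt", "true");   // never fall back to a password prompt
        options.put("refreshKrb5Config", "true");
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, options) };
    }

    /** Example wiring: the host principal plus a separate service account. */
    public static Configuration example() {
        return new MultiPrincipalKerberosConfiguration()
            .addPrincipal("host-context",
                "host/ldap-client.example.org@EXAMPLE.ORG", "/etc/krb5.keytab")
            .addPrincipal("sync-context",
                "ldapsync@EXAMPLE.ORG", "/etc/ldapsync.keytab");
    }
}
```

Pass example() to setLoginModuleConfiguration and either "host-context" or "sync-context" to setLoginContextName; LoginContext looks the entry up by that name.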
The following code uses a configuration generated with the code above to do a GSSAPI SASL bind. The assumption is that ldapNetworkConnection has already been opened using connect.

{code:java}
import javax.security.auth.login.Configuration;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

Configuration sconfig = makeKerberosConfiguration(null);
SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
saslGssApiRequest.setLoginModuleConfiguration( sconfig );
// Name passed to LoginContext; the Configuration above ignores it and always
// returns the Krb5LoginModule entry
saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest" );
// false: the client does not require the server to prove its own identity
saslGssApiRequest.setMutualAuthentication( false );

BindResponse br;

try {
    br = ldapNetworkConnection.bind( saslGssApiRequest );
    // Inspect br.getLdapResult() before going on: a rejected bind is reported
    // in the response rather than thrown
    ldapNetworkConnection.startTls();
} catch ( LdapException e ) {
    e.printStackTrace();
}
{code}
At this point you can do search or other operations.

> gssapi documentation
> --------------------
>
>                 Key: DIRAPI-350
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-350
>             Project: Directory Client API
>          Issue Type: Documentation
>    Affects Versions: 2.0.0.AM4
>            Reporter: Charles Hedrick
>            Priority: Major

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)