Hi, I am trying to use IS as a KDC server to obtain a Kerberos token to talk to a service in ESB which is secured with security scenario 16. I observe the following error in the IS back end, and the client fails with "The security token could not be authenticated or authorized (Kerberos login failed)":
WARN {org.apache.directory.server.kerberos.shared.store.operations.StoreUtils} - No server entry found for kerberos principal name krbtgt/[email protected]
[2012-06-17 14:21:10,694] WARN {org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler} - Server not found in Kerberos database (7)
Any insights on how to overcome this would be much appreciated. I have attached
embedded-ldap.xml and user-mgt.xml from the IS side, and krb5.conf and the security
policy from the client side, for reference.
Let me also mention some suggestions for improvements which I noticed
while trying to get the above scenario working.
1. "krb5.conf" and "jaas.conf" files are shipped with IS, but the
information in krb5.conf doesn't match the default KDC server shipped with
IS, i.e. the realm name and supported algorithms.
I changed the configuration according to the details in the mail below.
I believe it would be useful if we also included configurations that
match the default KDC server.
2. Since the above two files are required for security scenario 16 to work, I think
it would be useful to install those files with the security management
feature, so that they are also available in ESB and AS where this
security scenario is available.
Thanks,
Hasini.
---------- Forwarded message ----------
From: Amila Jayasekara <[email protected]>
Date: Fri, May 25, 2012 at 12:48 PM
Subject: Re: [Architecture] How to we map IS users to Kerberos Principals
To: [email protected], [email protected]
Hi Srinath,
Please find answers in-line.
On Fri, May 25, 2012 at 11:29 AM, Srinath Perera <[email protected]> wrote:
> Hi All,
>
> Few questions
>
> Do we map IS users to Kerberos Principals in our Kerberos (KDC)
> integration with IS?
Yes, for this you need to use the embedded LDAP server. Please enable the KDC
server in the embedded LDAP configuration
($CARBON_HOME/repository/conf/embedded-ldap.xml)
E.g :-
<KDCServer>
    <Property name="name">defaultKDC</Property>
    <Property name="enabled">true</Property>
    ....
</KDCServer>
The above will start the KDC server. Also, in order to define service
principals using the UI, please set "<Property
name="kdcEnabled">false</Property>" to true in user-mgt.xml.
If you already have users defined in LDAP they will not get KDC
attributes. Therefore please remove the content in repository/data and
restart the server.
>
> How do we map principals to users? (example will help)
Once you enable the KDC server, users will automatically be assigned as user
principals. So if you add a user through the management console that user
will be a Kerberos principal. To define service principals please use the
"Kerberos Principals" menu in the IS UI.
> what is the domain name and host name we use in principals? How can I
> change them?
Default domain is set to "wso2.org". You can change the domain using
embedded-ldap.xml.
<DefaultPartition>
    <Property name="id">root</Property>
    <Property name="realm">wso2.org</Property>
    ...
</DefaultPartition>
Host is set to localhost. You can change it using the embedded-ldap.xml
<KDCServer> configuration,
<KDCServer>
    ....
    <Property name="host">localhost</Property>
    ....
</KDCServer>
> Have we tried our KDC with kinit and klist commands? Please point me
> to instructions
Yes, we have. You need to set up the realm information in /etc/krb5.conf. I am
pasting the content of a sample file [1]. Based on the algorithms you
define in krb5.conf you may need to disable pre-authentication. For the
sample in [1] please disable pre-authentication using
embedded-ldap.xml KDCServer/preAuthenticationTimeStampEnabled.
E.g :-
amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ kinit [email protected]
Password for [email protected]:
amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$
amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting     Expires            Service principal
05/25/12 07:12:02  05/25/12 09:36:02  krbtgt/[email protected]
        renew until 05/26/12 07:12:02
> If I go and change a user in IS, does that change the associated
> Kerberos Principal as well?
Changing a user in the sense of changing the user's password? If so,
the change will take effect. Also the client code needs to make sure it is
not using cached credentials from "kinit".
Thanks
AmilaJ
[1]
[libdefaults]
    default_realm = WSO2.ORG
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    allow_weak_crypto = true
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1:8000
    }
[domain_realm]
    .wso2.org = WSO2.ORG
    wso2.org = WSO2.ORG
[login]
    krb4_convert = true
    krb4_get_tickets = false
>
> --Srinath
>
> --
> ============================
> Srinath Perera, Ph.D.
> Senior Software Architect, WSO2 Inc.
> Visiting Faculty, University of Moratuwa
> Member, Apache Software Foundation
> Research Scientist, Lanka Software Foundation
> Blog: http://srinathsview.blogspot.com/
> Photos: http://www.flickr.com/photos/hemapani/
> Phone: 0772360902
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
--
Mobile : +94773330538
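Hasini's first suggestion and the sample krb5.conf in [1] both come down to keeping the client's krb5.conf in step with the embedded KDC's embedded-ldap.xml. The script below is an added example (it is not WSO2 code and was not part of the thread) that reads both files and reports the points discussed above: realm name agreement, KDC port agreement, DES/3DES enctypes together with allow_weak_crypto, and pre-authentication being switched off. The sample inputs are constructed from the values quoted in the thread; the port value 8000 is an assumption for what ${Ports.EmbeddedLDAP.KDCServerPort} resolves to, and the finding codes are this example's own.

```python
"""Cross-check a client krb5.conf against the embedded-ldap.xml of the WSO2
embedded KDC it points at.  Added example, not WSO2 code; inputs below are
constructed from the values quoted in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample: the krb5.conf [1] from the thread, [libdefaults]/[realms] only.
THREAD_KRB5_CONF = """\
[libdefaults]
    default_realm = WSO2.ORG
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    allow_weak_crypto = true
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1:8000
    }
"""

# Constructed sample: same realm and KDC, AES-only enctypes, no weak crypto.
HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = WSO2.ORG
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1:8000
    }
"""

# Constructed excerpt of embedded-ldap.xml.  The shipped file writes the port as
# ${Ports.EmbeddedLDAP.KDCServerPort}; 8000 is assumed here as its resolved value.
EMBEDDED_LDAP_XML = """\
<EmbeddedLDAPConfig>
  <DefaultPartition>
    <Property name="id">root</Property>
    <Property name="realm">wso2.org</Property>
  </DefaultPartition>
  <KDCServer>
    <Property name="name">defaultKDC</Property>
    <Property name="enabled">true</Property>
    <Property name="host">localhost</Property>
    <Property name="port">8000</Property>
    <Property name="preAuthenticationTimeStampEnabled">false</Property>
  </KDCServer>
</EmbeddedLDAPConfig>
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers, key = value, key = { ... } groups."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            if not stack:
                raise ValueError(f"key outside any section: {line!r}")
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def parse_embedded_ldap(xml_text):
    """Return the <Property> maps of <DefaultPartition> and <KDCServer>."""
    root = ET.fromstring(xml_text)

    def props(tag):
        node = root.find(tag)
        return {} if node is None else {
            p.get("name"): (p.text or "").strip() for p in node.findall("Property")}
    return {"partition": props("DefaultPartition"), "kdc": props("KDCServer")}


def is_weak_enctype(name):
    """DES, 3DES and RC4 families: deprecated or removed in current MIT/Heimdal releases."""
    return name.startswith(("des", "arcfour"))


def check_consistency(krb5, ldap):
    """Return (code, message) findings; an empty list means the files agree."""
    findings = []
    lib = krb5.get("libdefaults", {})
    realm, kdc_realm = lib.get("default_realm", ""), ldap["partition"].get("realm", "")
    # The partition stores 'wso2.org' while krb5.conf and kinit use WSO2.ORG, so compare case-folded.
    if realm.upper() != kdc_realm.upper():
        findings.append(("REALM_MISMATCH", f"krb5.conf realm {realm!r} vs partition realm {kdc_realm!r}"))
    kdc_addr = krb5.get("realms", {}).get(realm, {}).get("kdc", "")
    if not kdc_addr:
        findings.append(("NO_KDC_FOR_REALM", f"[realms] has no kdc line for {realm!r}"))
    else:
        _, sep, port = kdc_addr.rpartition(":")
        port = port if sep else "88"  # Kerberos default port when none is given
        kdc_port = ldap["kdc"].get("port", "")
        if kdc_port.startswith("${"):
            findings.append(("KDC_PORT_UNRESOLVED", f"KDCServer port is the placeholder {kdc_port}"))
        elif port != kdc_port:
            findings.append(("KDC_PORT_MISMATCH", f"client uses {port}, KDC listens on {kdc_port}"))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if is_weak_enctype(e)]
        if weak:
            findings.append(("WEAK_ENCTYPE", f"{key} lists {' '.join(weak)}"))
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append(("WEAK_CRYPTO_ALLOWED", "allow_weak_crypto = true"))
    if ldap["kdc"].get("preAuthenticationTimeStampEnabled", "true").lower() == "false":
        findings.append(("PREAUTH_DISABLED",
                         "KDC answers unauthenticated AS requests; password strength is the only protection"))
    return findings


if __name__ == "__main__":
    for code, msg in check_consistency(parse_krb5_conf(THREAD_KRB5_CONF),
                                       parse_embedded_ldap(EMBEDDED_LDAP_XML)):
        print(f"{code}: {msg}")
```

Run as-is it reports the findings for the thread's own krb5.conf (three WEAK_ENCTYPE lines, WEAK_CRYPTO_ALLOWED and PREAUTH_DISABLED, no realm or port mismatch); feed the real files to parse_krb5_conf and parse_embedded_ldap to check a deployment. The enctype and pre-authentication findings are the ones to resolve before the KDC listens on anything other than localhost: the DES family is brute-forceable, and with pre-authentication off the KDC returns material encrypted under the user's long-term key to any requester.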
embedded-ldap.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
 * Copyright 2004,2005 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
-->
<!--
    All carbon based products come with an LDAP user store. For this we use an embedded LDAP in carbon based products.
    This file contains the necessary configurations to control the behavior of the embedded LDAP.
    You may use this file to enable or disable the LDAP server, configure the connection admin password, etc.
    In addition to embedded-ldap server configurations this file also has Kerberos KDC (Key Distribution Center)
    specific configurations.
-->
<EmbeddedLDAPConfig>
    <!--
        LDAP server configurations
        ==========================
        This section contains LDAP server specific configurations.

        Property                Usage
        ========                =====
        enable                  If true the embedded LDAP server will start when the server starts up. Else the
                                embedded LDAP server will not start. Thus the user has to use a different user store.
        instanceid              An id given to the LDAP server instance.
        connectionPassword      The password of the admin. (uid=admin,ou=system)
        workingDirectory        Location where LDAP will store its schema files.
        AdminEntryObjectClass   Object class which encapsulates attributes needed by claims.
        allowAnonymousAccess    Should allow users to access the LDAP server without credentials. Default false.
        accessControlEnabled    Should access control be enabled among partitions. Default true.
        saslHostName            Default host name to be used in SASL (Simple Authentication and Security Layer).
                                This property comes from the apacheds implementation itself.
        saslPrincipalName       Default SASL principal name. Again this property also comes from the apacheds
                                implementation itself.
    -->
    <EmbeddedLDAP>
        <Property name="enable">true</Property>
        <Property name="port">${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
        <Property name="instanceId">default</Property>
        <Property name="connectionPassword">admin</Property>
        <Property name="workingDirectory">.</Property>
        <Property name="AdminEntryObjectClass">wso2Person</Property>
        <Property name="allowAnonymousAccess">false</Property>
        <Property name="accessControlEnabled">true</Property>
        <Property name="denormalizeOpAttrsEnabled">false</Property>
        <Property name="maxPDUSize">2000000</Property>
        <Property name="saslHostName">localhost</Property>
        <Property name="saslPrincipalName">ldap/[email protected]</Property>
    </EmbeddedLDAP>

    <!--
        Default partition configurations
        ================================
        When the embedded LDAP server starts for the first time it will create a default partition.
        The following properties configure values for the default partition.

        Property                    Usage
        ========                    =====
        id                          Each partition is given an id. The id given to the default partition.
        realm                       The realm is the place where we store user principals and service principals.
                                    The name of the realm for the default partition.
        kdcPassword                 This parameter is used when KDC (Key Distribution Center) is enabled. In apacheds
                                    the KDC also has a server principal. This defines a password for the KDC server
                                    principal.
        ldapServerPrinciplePassword If the LDAP server is also defined as a server principal, this will be the password.
    -->
    <DefaultPartition>
        <Property name="id">root</Property>
        <Property name="realm">wso2.org</Property>
        <Property name="kdcPassword">secret</Property>
        <Property name="ldapServerPrinciplePassword">randall</Property>
    </DefaultPartition>

    <!--
        Default partition admin configurations
        ======================================
        In a multi-tenant scenario each tenant will have a separate partition. Thus the tenant admin will be the
        partition admin. The following configurations define admin attributes for the default partition created above.

        Property        Usage
        ========        =====
        uid             UID attribute for the partition admin.
        commonName      The cn attribute for the admin
        lastName        The sn attribute for the admin
        email           The email attribute for the admin
        passwordType    The password hashing mechanism. The following hashing mechanisms are available: "SHA", "MD5".
                        "PLAIN_TEXT" is also a valid value. If KDC is enabled the password type will be enforced to be
                        plain text.
    -->
    <PartitionAdmin>
        <Property name="uid">admin</Property>
        <Property name="firstName">admin</Property>
        <Property name="lastName">admin</Property>
        <Property name="email">[email protected]</Property>
        <Property name="password">admin</Property>
        <Property name="passwordType">SHA</Property>
    </PartitionAdmin>

    <!--
        Default partition admin's group configuration
        =============================================
        The embedded LDAP is capable of keeping group information also. If LDAP groups are enabled in the user store
        (usr-mgt.xml) group information will be recorded in a separate sub-context. The following configuration
        defines the group properties.

        Property                Usage
        ========                =====
        adminRoleName           The name of the role/group that the admin should be included in.
        groupNameAttribute      The attribute in which the group name will be recorded.
        memberNameAttribute     The attribute in which members are recorded.
    -->
    <PartitionAdminGroup>
        <Property name="adminRoleName">admin</Property>
        <Property name="groupNameAttribute">cn</Property>
        <Property name="memberNameAttribute">member</Property>
    </PartitionAdminGroup>

    <!--
        KDC configurations
        ==================
        The following configurations are applicable to the KDC server. Generally, the KDC is only enabled in Identity
        Server. You may enable the KDC server if you wish to do so. But if you don't have any Kerberos specific
        programs, it is recommended to disable the KDC server.

        Property                            Usage
        ========                            =====
        name                                Name given to the default KDC server.
        enabled                             If true a KDC server will start when starting the LDAP server. Else a KDC
                                            server will not start with the LDAP server.
        protocol                            Default protocol to be used in KDC communication. Default is UDP.
        maximumTicketLifeTime               The maximum life time of a ticket issued by the KDC.
        maximumRenewableLifeTime            Life time for which a ticket can be used by renewing it several times.
        preAuthenticationTimeStampEnabled   Pre-authentication is a feature in the latest Kerberos protocol. This
                                            property says whether to enable it or disable it.
    -->
    <KDCServer>
        <Property name="name">defaultKDC</Property>
        <Property name="enabled">true</Property>
        <Property name="protocol">UDP</Property>
        <Property name="host">localhost</Property>
        <Property name="port">${Ports.EmbeddedLDAP.KDCServerPort}</Property>
        <Property name="maximumTicketLifeTime">8640000</Property>
        <Property name="maximumRenewableLifeTime">604800000</Property>
        <Property name="preAuthenticationTimeStampEnabled">false</Property>
    </KDCServer>
</EmbeddedLDAPConfig>
user-mgt.xml:
<!--
 ~ Copyright 2005-2007 WSO2, Inc. (http://wso2.com)
 ~
 ~ Licensed under the Apache License, Version 2.0 (the "License");
 ~ you may not use this file except in compliance with the License.
 ~ You may obtain a copy of the License at
 ~
 ~      http://www.apache.org/licenses/LICENSE-2.0
 ~
 ~ Unless required by applicable law or agreed to in writing, software
 ~ distributed under the License is distributed on an "AS IS" BASIS,
 ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 ~ See the License for the specific language governing permissions and
 ~ limitations under the License.
-->
<UserManager>
    <Realm>
        <Configuration>
            <AdminRole>admin</AdminRole>
            <AdminUser>
                <UserName>admin</UserName>
                <Password>admin</Password>
            </AdminUser>
            <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role see the registry root -->
            <Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE</Property>
            <Property name="userName">wso2carbon</Property>
            <Property name="password">wso2carbon</Property>
            <Property name="driverName">org.h2.Driver</Property>
            <Property name="maxActive">50</Property>
            <Property name="maxWait">60000</Property>
            <Property name="minIdle">5</Property>
        </Configuration>

        <!--
            The following is the default user store manager. This user store manager is based on the embedded
            apacheds LDAP. It reads/writes users and roles into the default apacheds LDAP user store.
            Descriptions of each of the following properties can be found in the user management documentation
            of the respective product.
            Note: Do not comment within UserStoreManager tags, because specific tag names are used as tokens when
            building configurations for products.
        -->
        <!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">
            <Property name="ReadOnly">false</Property>
            <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
            <Property name="ConnectionName">uid=admin,ou=system</Property>
            <Property name="ConnectionPassword">admin</Property>
            <Property name="passwordHashMethod">SHA</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserEntryObjectClass">wso2Person</Property>
            <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
            <Property name="UserNameAttribute">uid</Property>
            <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
            <Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
            <Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
            <Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;]{3,30}$</Property>
            <Property name="ReadLDAPGroups">true</Property>
            <Property name="WriteLDAPGroups">true</Property>
            <Property name="EmptyRolesAllowed">true</Property>
            <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
            <Property name="GroupEntryObjectClass">groupOfNames</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
        </UserStoreManager-->

        <!--
            The following is the configuration for the internal JDBC user store. This user store manager is based
            on JDBC. In case the application needs to manage passwords externally, set the property
            <Property name="PasswordsExternallyManaged">true</Property>.
            Furthermore, the properties IsEmailUserName and DomainCalculation are read-only properties.
            Note: Do not comment within UserStoreManager tags, because specific tag names are used as tokens when
            building configurations for products.
        -->
        <!--UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
            <Property name="ReadOnly">false</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="IsEmailUserName">false</Property>
            <Property name="DomainCalculation">default</Property>
            <Property name="PasswordDigest">SHA-256</Property>
            <Property name="StoreSaltedPassword">true</Property>
            <Property name="UserNameUniqueAcrossTenants">false</Property>
            <Property name="PasswordJavaRegEx">[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
            <Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
            <Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
        </UserStoreManager-->

        <!-- If the product is using an external LDAP as the user store in read-only mode, use the following user manager -->
        <!--UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
            <Property name="ReadOnly">true</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="ConnectionURL">ldap://localhost:10389</Property>
            <Property name="ConnectionName">uid=admin,ou=system</Property>
            <Property name="ConnectionPassword">admin</Property>
            <Property name="UserSearchBase">ou=system</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserNameAttribute">uid</Property>
            <Property name="ReadLDAPGroups">false</Property>
            <Property name="GroupSearchBase">ou=system</Property>
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
        </UserStoreManager-->

        <!--
            The Active Directory configuration is as follows. This only operates in read mode.
            There are a few special properties for "Active Directory". They are:
            1. Referral - This enables LDAP referral support.
            2. BackLinksEnabled - In some cases LDAP works with BackLinksEnabled, in which the role is stored at
               user level. Depending on this value we need to change the Search Base within the code.
        -->
        <!--UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
            <Property name="ReadOnly">true</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="ConnectionURL">ldap://10.100.1.211:389</Property>
            <Property name="ConnectionName">cn=Administrator,cn=users,dc=wso2,dc=lk</Property>
            <Property name="ConnectionPassword">admin123</Property>
            <Property name="UserSearchBase">cn=users,dc=wso2,dc=lk</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserNameAttribute">sAMAccountName</Property>
            <Property name="ReadLDAPGroups">true</Property>
            <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
            <Property name="GroupNameListFilter">(objectcategory=group)</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="MemberOfAttribute">memberOf</Property>
            <Property name="Referral">follow</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="BackLinksEnabled">true</Property>
        </UserStoreManager -->

        <!-- If the product is using an external LDAP as the user store in read/write mode, use the following user manager -->
        <!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">
            <Property name="ReadOnly">false</Property>
            <Property name="ConnectionURL">ldap://localhost:10389</Property>
            <Property name="ConnectionName">uid=admin,ou=system</Property>
            <Property name="ConnectionPassword">secret</Property>
            <Property name="passwordHashMethod">SHA</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserEntryObjectClass">inetOrgPerson</Property>
            <Property name="UserSearchBase">ou=system</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
            <Property name="UserNameAttribute">uid</Property>
            <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
            <Property name="ReadLDAPGroups">true</Property>
            <Property name="WriteLDAPGroups">true</Property>
            <Property name="EmptyRolesAllowed">false</Property>
            <Property name="GroupSearchBase">ou=system</Property>
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
            <Property name="GroupEntryObjectClass">groupOfNames</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
        </UserStoreManager-->

        <!--
            The following user manager is used by Identity Server (IS) as its default user manager. IS will do
            token replacement when building the product. Therefore do not change the syntax.
            If the "kdcEnabled" parameter is true, IS will allow service principal management. Thus the
            "ServicePasswordJavaRegEx" and "ServiceNameJavaRegEx" properties control the service name format and
            service password format.
        -->
        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">
            <Property name="defaultRealmName">WSO2.ORG</Property>
            <Property name="kdcEnabled">true</Property>
            <Property name="ReadOnly">false</Property>
            <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
            <Property name="ConnectionName">uid=admin,ou=system</Property>
            <Property name="ConnectionPassword">admin</Property>
            <Property name="passwordHashMethod">SHA</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserEntryObjectClass">wso2Person</Property>
            <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
            <Property name="UserNameAttribute">uid</Property>
            <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
            <Property name="ServicePasswordJavaRegEx">[\\S]{5,30}</Property>
            <Property name="ServiceNameJavaRegEx">[\\S]{2,30}/[\\S]{2,30}</Property>
            <Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
            <Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
            <Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;]{3,30}$</Property>
            <Property name="ReadLDAPGroups">true</Property>
            <Property name="WriteLDAPGroups">true</Property>
            <Property name="EmptyRolesAllowed">true</Property>
            <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
            <Property name="GroupEntryObjectClass">groupOfNames</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
        </UserStoreManager>

        <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
            <Property name="AdminRoleManagementPermissions">/permission</Property>
            <!-- Uncommenting the following element will enable the periodically running permission update task.
                 It is disabled by default. -->
            <!-- <Property name="UpdatePermissionTreePeriodically">true</Property> -->
        </AuthorizationManager>
    </Realm>
</UserManager>

<!--
    *******Description of some of the configuration properties used in user-mgt.xml*********************************

    UserRolesCacheEnabled - This indicates whether to cache the role list of a user. By default it is set to true.
    You may need to disable it if user roles are changed by external means and those changes need to be reflected
    in the carbon product immediately.

    ReplaceEscapeCharactersAtUserLogin - This configures whether escape characters in the user name need to be
    replaced at user login. Currently the identified escape characters that need to be replaced are '\' & '\\'
-->
krb.conf
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
