Author: erodriguez
Date: Wed Oct 20 06:14:13 2004
New Revision: 55150

Added:
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
Log:
Prototype LDAP lookup code, tested against OpenLDAP 2.0.27-8, using SASL 
GSSAPI, mutual authentication, and high quality of protection on all traffic.

Added: 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
==============================================================================
--- (empty file)
+++ 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
     Wed Oct 20 06:14:13 2004
@@ -0,0 +1,172 @@
+package org.apache.kerberos.kdc.jndi;
+
+import org.apache.kerberos.crypto.encryption.*;
+import org.apache.kerberos.gss.*;
+import org.apache.kerberos.messages.value.*;
+import org.apache.kerberos.util.*;
+
+import java.security.*;
+import java.util.*;
+
+import javax.naming.*;
+import javax.naming.directory.*;
+import javax.security.auth.*;
+import javax.security.auth.login.*;
+
+/**
+ * Creates an initial context to an LDAP server using SASL-GSSAPI (Kerberos 
V5).
+ * Establishes mutual authentication and high quality of protection on all
+ * traffic.
+ */
+class GssLdapLookupPrototype {
+
+       private static String principal  = "krbtgt/[EMAIL PROTECTED]";
+       private static String passPhrase = "randkey";
+
+       public static void main(String[] args) {
+
+               Security.setProperty("login.configuration.provider",
+                               "org.apache.kerberos.gss.GSSConfiguration");
+
+               // Log in (via Kerberos)
+               LoginContext lc = null;
+               try {
+                       lc = new 
LoginContext(GssLdapLookupPrototype.class.getName(), new 
CallbackHandlerBean(principal,
+                                       passPhrase));
+                       lc.login();
+               } catch (LoginException le) {
+                       System.err.println("Authentication attempt failed" + 
le);
+                       System.exit(-1);
+               }
+               
+               String requestingPrincipal = "enrique/[EMAIL PROTECTED]";
+               
+               // Perform JNDI work as logged in subject
+               byte[] key = (byte[])Subject.doAs(lc.getSubject(), new 
GssLdapLookupAction(requestingPrincipal));
+               System.out.println("Got key: " + TestUtils.byte2hexString(key));
+       }
+}
+
+class GssLdapLookupAction implements PrivilegedAction {
+
+       private String _principal;
+
+       public GssLdapLookupAction(String principal) {
+               _principal = principal;
+       }
+
+       public Object run() {
+               return performJndiOperation();
+       }
+
+       private byte[] performJndiOperation() {
+
+               // Set up environment for initial context
+               Hashtable env = new Hashtable();
+               env.put(Context.INITIAL_CONTEXT_FACTORY, 
"com.sun.jndi.ldap.LdapCtxFactory");
+               env.put(Context.PROVIDER_URL, 
"ldap://ldap.25oz.com:389/dc=25oz,dc=com";);
+               // Request that the key be returned as binary, not String
+               env.put("java.naming.ldap.attributes.binary", "krb5Key");
+               // Request the use of SASL-GSSAPI, using already established 
Kerberos credentials
+               env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+               // Request mutual authentication
+               env.put("javax.security.sasl.server.authentication", "true");
+               // Request authentication with integrity and privacy protection
+               env.put("javax.security.sasl.qop", "auth-conf");
+               // Request high-strength cryptographic protection
+               env.put("javax.security.sasl.strength", "high");
+
+               byte[] key = null;
+               try {
+                       DirContext ctx = new InitialDirContext(env);
+
+                       key = getAttributes(ctx);
+
+                       ctx.close();
+               } catch (NamingException e) {
+                       e.printStackTrace();
+               }
+               return key;
+       }
+
+       private byte[] getAttributes(DirContext ctx) {
+               
+               byte[] keyBytes = null;
+               
+               try {
+                       String[] attrIDs = {"sn", "krb5PrincipalName", 
"krb5KeyVersionNumber",
+                                       "krb5EncryptionType", "krb5Key"};
+
+                       String name = "cn=Enrique Rodriguez";
+                       Attributes attrs = ctx.getAttributes(name, attrIDs);
+
+                       System.out.println("sn: " + attrs.get("sn").get());
+                       System.out.println("principal: " + 
attrs.get("krb5PrincipalName").get());
+                       System.out.println("kvno: " + 
attrs.get("krb5KeyVersionNumber").get());
+                       System.out.println("etype: " + 
attrs.get("krb5EncryptionType").get());
+
+                       keyBytes = (byte[]) attrs.get("krb5Key").get();
+
+                       EncryptionKey key = new 
EncryptionKey(EncryptionType.DES_CBC_MD5, keyBytes);
+
+                       System.out.println(key + ":  " + 
key.getKeyValue().length + ":  "
+                                       + 
TestUtils.byte2hexString(key.getKeyValue()));
+
+                       Attributes matchAttrs = new BasicAttributes(false); // 
case-sensitive
+                       matchAttrs.put(new BasicAttribute("krb5PrincipalName", 
_principal));
+                       matchAttrs.put(new BasicAttribute("krb5Key"));
+
+                       // Search for objects that have those matching 
attributes
+                       NamingEnumeration answer = ctx.search("", matchAttrs, 
attrIDs);
+
+                       // Print the answer
+                       printSearchEnumeration(answer);
+                       
+                       ctx.close();
+
+               } catch (NamingException e) {
+                       System.err.println("Problem getting attribute: " + e);
+               }
+               return keyBytes;
+       }
+
+       public void printSearchEnumeration(NamingEnumeration enum) {
+               try {
+                       while (enum.hasMore()) {
+                               SearchResult sr = (SearchResult) enum.next();
+                               System.out.println(">>>" + sr.getName());
+                               printAttrs(sr.getAttributes());
+                       }
+               } catch (NamingException e) {
+                       e.printStackTrace();
+               }
+       }
+
+       public void printAttrs(Attributes attrs) {
+               if (attrs == null) {
+                       System.out.println("No attributes");
+               } else {
+                       /* Print each attribute */
+                       try {
+                               for (NamingEnumeration ae = attrs.getAll(); 
ae.hasMore();) {
+                                       Attribute attr = (Attribute) ae.next();
+                                       System.out.println("attribute: " + 
attr.getID());
+
+                                       /* print each value */
+                                       for (NamingEnumeration e = 
attr.getAll(); e.hasMore();) {
+                                               Object next = e.next();
+                                               if (next instanceof String) {
+                                                       
System.out.println("value: " + next);
+                                               }
+                                               if (next instanceof byte[]) {
+                                                       
System.out.println("value: " + TestUtils.byte2hexString((byte[]) next));
+                                               }
+                                       }
+                               }
+                       } catch (NamingException e) {
+                               e.printStackTrace();
+                       }
+               }
+       }
+}
+
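Review bot: The long-term Kerberos key read from `krb5Key` is printed to stdout in hex in three places (the `Got key:` line in main, the `key.getKeyValue()` line in getAttributes, and the `byte[]` branch of printAttrs), and the login credentials are hard-coded in `principal`/`passPhrase`; even in a prototype the key bytes should not reach the console, so those dumps should be reduced to the key length and the credentials read from outside the source. Separately, `ctx.close()` in performJndiOperation is skipped if getAttributes fails with an unchecked exception (for example a NullPointerException when one of the requested attributes is absent from the entry, since `attrs.get(...)` is dereferenced without a null check), while getAttributes already closes the same context before returning, so the caller's close runs on an already-closed context; move the close into a finally and drop the one in getAttributes: `DirContext ctx = new InitialDirContext(env);` / `try { key = getAttributes(ctx); } finally { ctx.close(); }`. The `NamingEnumeration` parameter of printSearchEnumeration is named `enum`, which is a reserved word from Java 5 onward and will not compile there. The key is also constructed with a fixed `EncryptionType.DES_CBC_MD5` although `krb5EncryptionType` is fetched from the same entry; presumably the stored value should drive that constructor.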
