Here is another good example of Java LDAP with GSSAPI and JAAS:
http://code.google.com/p/vt-middleware/wiki/vtldap
The VTLDAP package is used with Shibboleth...
On 6/20/2013 8:19 PM, Zhutiemin wrote:
> Darek:
> Thank you for your reply.
>
> I will check and conduct an experiment to test it.
>
> I use the Krb5LoginModule class to authenticate users with the Kerberos protocol.
>
> It is defined in the configuration
>
> AdServiceImplForKerberos {
> com.sun.security.auth.module.Krb5LoginModule required client=TRUE
> useTicketCache=FALSE refreshKrb5Config=TRUE;
> };
>
> And I implement the authentication with the LoginContext class.
>
> The following section of code is a part of the entire project:
>
> LdapContext ctx = null;
>
> Hashtable<String, String> env = new Hashtable<String, String>();
> env.put(Context.INITIAL_CONTEXT_FACTORY,
>         "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, ldapURL);
> env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
> env.put(Context.SECURITY_PRINCIPAL, adminAccount);
> env.put(Context.SECURITY_CREDENTIALS, adminPassword);
> env.put("java.naming.ldap.attributes.binary", "objectSid");
> // ctx must be created before it is searched; the posted fragment omitted this
> // line, but the stack trace below shows the InitialLdapContext constructor
> ctx = new InitialLdapContext(env, null);
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> String searchFilter = "(CN=" + machineName + ")";
> NamingEnumeration<SearchResult> results =
>         ctx.search(changeDomainInfo(domain), searchFilter, constraints);
> while (results.hasMoreElements())
> {
>     SearchResult searchResult = (SearchResult) results.next();
>     Attributes attrs = searchResult.getAttributes();
>
>     if (attrs != null)
>     {
>         Object attValue = attrs.get("objectSid").get();
>         return getSIDasStringOfBytes((byte[]) attValue);
>     }
> }
>
>
> From: Darek [mailto:[email protected]]
> Sent: 20 June 2013 22:27
> To: Zhutiemin
> Cc: [email protected]
> Subject: Re: Could you help me to resolve the Kerberos error?
>
>> Server not found in Kerberos database
>
> You should make sure that the forward and reverse DNS for your java
> application machine's IP address match, and that the hostname of the system
> is exactly the same as the reverse DNS.
>
> So if your system's IP is 1.2.3.4, a reverse DNS lookup would resolve to
> java.company.com, and the system's hostname would be java.company.com.
>
> On 6/20/2013 1:01 AM, Zhutiemin wrote:
>
> Dear MIT Kerberos Team:
>
> My name is Tiemin Zhu, I am a software engineer at Huawei Corporation.
>
> I am getting the following error with Kerberos authentication. Could you help me
> to resolve this error?
>
> But the result of LDAP authentication is OK.
>
> Is this a configuration error in AD?
>
> Do you have any document I could study?
>
> Thanks so much!
>
> This is the error:
>
> [2013-05-25 03:34:01,765]--[ERROR]--[pool-1-thread-39]--[AdServiceImpl.java run() 920] - search fail.
> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
>     at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
>     at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
>     at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
>     at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
>     at javax.naming.InitialContext.init(Unknown Source)
>     at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:892)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:854)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Unknown Source)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByIp(AdServiceImpl.java:824)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByDomain(AdServiceImpl.java:787)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByMachineName(AdServiceImpl.java:734)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createInstance(CombineCreateInstanceTask.java:740)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createVm(CombineCreateInstanceTask.java:655)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.combineCreateInstance(CombineCreateInstanceTask.java:503)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.run(CombineCreateInstanceTask.java:317)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
>     at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
>     at java.util.concurrent.FutureTask.run(Unknown Source)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at com.huawei.vds.common.utils.threadpool.VDSThreadFactory$Task.run(VDSThreadFactory.java:92)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
>     ... 32 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     ... 33 more
> Caused by: KrbException: Server not found in Kerberos database (7)
>     at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
>     at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
>     ... 36 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>
> Best regards!
>
> phone. +86 02989184490
> mobile. +86 15249061480
> [email protected]
> Tiemin Zhu
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
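The pieces this thread touches, assembled into one added example (my code, not the poster's project and not vt-ldap; the host name, search base and user-supplied values are assumptions, while the JAAS entry name is the one from the poster's configuration): the forward/reverse DNS check Darek describes, a JAAS login through Krb5LoginModule with a CallbackHandler, and the GSSAPI JNDI search run inside Subject.doAs. Two facts help when reading the trace above. First, Java's GSSAPI SASL client asks the KDC for a ticket for ldap/<host>, where <host> is the host part of PROVIDER_URL, so error 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) is the KDC reporting that no such service principal exists, which is exactly what an IP address or a non-canonical alias in the URL produces; the innermost 906 is the KRB-ERROR reply failing to parse as a TGS-REP, the same refusal surfacing once more rather than a second fault. Second, with SECURITY_AUTHENTICATION set to GSSAPI the SECURITY_PRINCIPAL and SECURITY_CREDENTIALS entries are not consulted; the credentials come from the Subject that LoginContext established, which is why the login and the search have to be tied together as below.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example, not the poster's project code and not vt-ldap. Host and base DN are assumptions.
public class GssapiLdapLookup {
    static final String JAAS_ENTRY = "AdServiceImplForKerberos"; // entry name from the poster's JAAS config
    static final String LDAP_HOST = "dc1.example.com";            // assumed: the DC's canonical FQDN, never an IP or alias
    static final String SEARCH_BASE = "DC=example,DC=com";         // assumed

    /** Forward/reverse DNS consistency check from the thread: null when consistent, else the mismatch. */
    static String dnsMismatch(String hostname) throws IOException {
        InetAddress addr = InetAddress.getByName(hostname);  // forward lookup
        String reverse = addr.getCanonicalHostName();         // reverse (PTR) lookup; the IP literal if there is none
        return reverse.equalsIgnoreCase(hostname) ? null : hostname + " -> " + addr.getHostAddress() + " -> " + reverse;
    }

    /** Obtain a TGT through the JAAS entry; the password reaches Krb5LoginModule via the CallbackHandler, not the JNDI env. */
    static Subject kerberosLogin(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY, callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        });
        lc.login();
        return lc.getSubject();
    }

    /** GSSAPI bind and search run as the logged-in Subject, so JNDI uses its TGT to get a ticket for ldap/LDAP_HOST. */
    static byte[] objectSidOf(Subject subject, String machineName) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://" + LDAP_HOST + ":389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.qop", "auth-conf");       // sign and seal the LDAP session after the bind
            env.put("java.naming.ldap.attributes.binary", "objectSid");
            LdapContext ctx = new InitialLdapContext(env, null);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"objectSid"});
                // {0} is escaped by JNDI, so a crafted machineName cannot change the filter's meaning
                NamingEnumeration<SearchResult> results =
                        ctx.search(SEARCH_BASE, "(cn={0})", new Object[] {machineName}, sc);
                while (results.hasMore()) {
                    Attributes attrs = results.next().getAttributes();
                    if (attrs != null && attrs.get("objectSid") != null) {
                        return (byte[]) attrs.get("objectSid").get();
                    }
                }
                return null;
            } finally {
                ctx.close();
            }
        });
    }

    /** Binary objectSid to "S-1-5-...": revision, sub-authority count, 48-bit big-endian authority, little-endian sub-authorities. */
    static String sidToString(byte[] sid) {
        int count = sid[1] & 0xff;
        long authority = 0;
        for (int i = 2; i < 8; i++) authority = (authority << 8) | (sid[i] & 0xff);
        StringBuilder sb = new StringBuilder("S-").append(sid[0] & 0xff).append('-').append(authority);
        for (int i = 0; i < count; i++) {
            int off = 8 + 4 * i;
            long sub = (sid[off] & 0xffL) | ((sid[off + 1] & 0xffL) << 8)
                    | ((sid[off + 2] & 0xffL) << 16) | ((sid[off + 3] & 0xffL) << 24);
            sb.append('-').append(sub);
        }
        return sb.toString();
    }

    // Run with -Djava.security.auth.login.config=<jaas.conf> -Djava.security.krb5.conf=<krb5.conf> <user> <machineName>
    public static void main(String[] args) throws Exception {
        String mismatch = dnsMismatch(InetAddress.getLocalHost().getHostName());
        if (mismatch != null) System.err.println("DNS forward/reverse mismatch for this host: " + mismatch);
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);  // never on the command line
        byte[] sid = objectSidOf(kerberosLogin(args[0], pw), args[1]);
        System.out.println(sid == null ? "not found" : sidToString(sid));
    }
}
```

The JAAS file is the poster's AdServiceImplForKerberos block; with useTicketCache=FALSE the module asks the handler for a password, so it is read from the console here rather than passed as an argument. Run dnsMismatch against LDAP_HOST as well as the local host, since the ticket request names the server. A domain controller registers its own ldap/<fqdn> service principal on its computer account, so pointing PROVIDER_URL at the DC's canonical FQDN is normally all that is needed on the AD side; the auth-conf quality of protection keeps the search results confidential on the wire without switching to LDAPS.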