On Wed, Feb 20, 2019 at 2:46 PM Francesco Chicchiriccò <[email protected]>
wrote:

> Hi there,
> I would like to implement a Kerby-based KDC using LDAP as authentication
> back-end.
>
> I based my code on [1] and [2] and what I have now is a KDC listening on
> 8888 which can be queried via standard kinit / klist linux commands.
>
> The server is initialized as shown in [3].
>
> All is fine when I add a principal as follows:
>
>              kadmin.addPrincipal(alice, "alice");
>              File keytabFile = new File(workDir + "/alice.keytab");
>              kadmin.exportKeytab(keytabFile, alice);
>
> and then authenticate via
>
> kinit alice@AD4EI
>
> and provide "alice" as password.
>
> I also notice that the user
>
> uid=alice,ou=People,o=isp
>
> is created on LDAP, with appropriate object classes but empty password.
>
> When I set a password on such a user on LDAP, different from "alice"
> above, I cannot get kinit to work.
>
> While looking at LdapIdentityBackend source [4], effectively, I don't
> see any code managing user authentication, so maybe I am just doing
> something wrong.
>
> Can you provide some insight? Thanks.
>
> Regards.
>
> Side note: why is the Maven artifact ldap-backend depending on Apache
> DS? What if one wants to use Kerby with OpenLDAP, for example?
>
This was a very old implementation started as an example and I guess it
wasn't updated after my last commit.
(Also there was a plan to replace ApacheDS's kerberos component with Kerby,
so integrating and testing with ApacheDS was the first step)

But modifying the said backend implementation to use the LDAP API is the way to
support any LDAP server implementation.

>
> [1]
>
> https://github.com/coheigea/testcases/blob/master/apache/bigdata/kerberos/src/test/java/org/apache/coheigea/bigdata/kerberos/storm/StormKerbyTest.java
> [2]
>
> https://github.com/apache/directory-kerby/blob/trunk/kerby-backend/ldap-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/LdapBackendKdcTest.java
> [3] https://paste.apache.org/ep0B
> [4]
>
> https://github.com/apache/directory-kerby/blob/trunk/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
Kiran
