On 20/02/19 15:59, Colm O hEigeartaigh wrote:
Hi Francesco,
I'm not sure if the LDAP Backend is used much, so any issues you run into
are probably more likely to be bugs rather than anything else :-)
I see: so what other back-end can I look at to see how authentication
is performed?
Contributions welcome of course!
Of course :-)
Regards.
On Wed, Feb 20, 2019 at 2:01 PM Kiran Ayyagari <[email protected]> wrote:
On Wed, Feb 20, 2019 at 2:46 PM Francesco Chicchiriccò <[email protected]>
wrote:
Hi there,
I would like to implement a Kerby-based KDC using LDAP as authentication
back-end.
I based my code on [1] and [2] and what I have now is a KDC listening on
8888 which can be queried via standard kinit / klist Linux commands.
The server is initialized as shown in [3].
All is fine when I add a principal as follows:
kadmin.addPrincipal(alice, "alice");
File keytabFile = new File(workDir + "/alice.keytab");
kadmin.exportKeytab(keytabFile, alice);
and then authenticate via
kinit alice@AD4EI
and provide "alice" as password.
I also notice that the user
uid=alice,ou=People,o=isp
is created on LDAP, with appropriate object classes but empty password.
When I set a password on such user on LDAP, different from "alice"
above, I cannot get kinit to work.
While looking at LdapIdentityBackend source [4], effectively, I don't
see any code managing user authentication, so maybe I am just doing
something wrong.
Can you provide some insight? Thanks.
Regards.
Side note: why is the Maven artifact ldap-backend depending on Apache
DS? What if one wants to use Kerby with OpenLDAP, for example?
This was a very old implementation started as an example and I guess it
wasn't updated after my last commit.
(Also there was a plan to replace ApacheDS's kerberos component with Kerby,
so integrating and testing with ApacheDS was the first step)
But modifying the said backend implementation to use LDAP API is the way to
support any LDAP server implementation.
[1]
https://github.com/coheigea/testcases/blob/master/apache/bigdata/kerberos/src/test/java/org/apache/coheigea/bigdata/kerberos/storm/StormKerbyTest.java
[2]
https://github.com/apache/directory-kerby/blob/trunk/kerby-backend/ldap-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/LdapBackendKdcTest.java
[3] https://paste.apache.org/ep0B
[4]
https://github.com/apache/directory-kerby/blob/trunk/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/