It seems my doubts below depend on my poor knowledge of Kerberos: I have finally realized that authentication is not performed against the userPassword LDAP attribute but rather against krb5Key, which is set via Kadmin during create or update. Cool.

Regards.

On 20/02/19 16:08, Francesco Chicchiriccò wrote:
On 20/02/19 15:59, Colm O hEigeartaigh wrote:
Hi Francesco,

I'm not sure if the LDAP Backend is used much, so any issues you run into
are probably more likely to be bugs rather than anything else :-)

I see: so what other back-end can I look at to see how authentication is performed?

Contributions welcome of course!

Of course :-)

Regards.

On Wed, Feb 20, 2019 at 2:01 PM Kiran Ayyagari <kayyag...@apache.org> wrote:

On Wed, Feb 20, 2019 at 2:46 PM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

Hi there,
I would like to implement a Kerby-based KDC using LDAP as authentication
back-end.

I based my code on [1] and [2] and what I have now is a KDC listening on
8888 which can be queried via standard kinit / klist linux commands.

The server is initialized as shown in [3].

All is fine when I add a principal as follows:

    kadmin.addPrincipal(alice, "alice");                   // derives the principal's key from the password and stores it
    File keytabFile = new File(workDir + "/alice.keytab");
    kadmin.exportKeytab(keytabFile, alice);                // writes that stored key to a keytab file

and then authenticate via

kinit alice@AD4EI

and provide "alice" as password.

I also notice that the user

uid=alice,ou=People,o=isp

is created on LDAP, with appropriate object classes but empty password.

When I set a password on such user on LDAP, different from "alice"
above, I cannot manage kinit to work.

While looking at LdapIdentityBackend source [4], effectively, I don't
see any code managing user authentication, so maybe I am just doing
something wrong.

Can you provide some insight? Thanks.

Regards.

Side note: why is the Maven artifact ldap-backend depending on Apache
DS? What if one wants to use Kerby with OpenLDAP, for example?

This was a very old implementation started as an example and I guess it
wasn't updated after my last commit.
(Also there was a plan to replace ApacheDS's kerberos component with Kerby,
so integrating and testing with ApacheDS was the first step)

But modifying the said backend implementation to use LDAP API is the way to
support any LDAP server implementation.

[1] https://github.com/coheigea/testcases/blob/master/apache/bigdata/kerberos/src/test/java/org/apache/coheigea/bigdata/kerberos/storm/StormKerbyTest.java
[2] https://github.com/apache/directory-kerby/blob/trunk/kerby-backend/ldap-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/LdapBackendKdcTest.java
[3] https://paste.apache.org/ep0B
[4] https://github.com/apache/directory-kerby/blob/trunk/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
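The realization at the top of the thread (the KDC checks krb5Key, which kadmin derives from the password, and never looks at userPassword) can be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from Apache Kerby or from ApacheDS. It implements the real RFC 4120 default salt rule and the PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key function, but stops before the final AES-based DK() step (the standard library has no AES) and replaces the encrypted-timestamp pre-authentication of a real AS exchange with an HMAC over the timestamp, so the "kinit" below is a model of the check, not a Kerberos client. The LdapEntry class, the function names and the principal "alice@AD4EI" are constructed for the illustration.

```python
"""
Added example, not part of the mailing-list thread or of Apache Kerby.

Models why setting userPassword on the LDAP entry Kerby created does not
change what kinit accepts: the KDC only ever compares against the key that
kadmin derived from the password (stored as krb5Key in the LDAP backend).
"""
import hashlib
import hmac
import time

ITERATIONS = 4096  # RFC 3962 default iteration count for aes*-cts-hmac-sha1-96


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: realm name followed by the principal name
    components concatenated without separators (e.g. ATHENA.MIT.EDUraeburn)."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def string_to_key(password: str, principal: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key function (256-bit output).
    The real enctype applies one more AES-based DK() step, omitted here; the point
    stands either way: the key depends only on password, realm and principal name."""
    salt = default_salt(principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


class LdapEntry:
    """Constructed stand-in for the entry Kerby creates (uid=alice,ou=People,o=isp)."""

    def __init__(self, principal: str):
        self.principal = principal
        self.user_password = None  # userPassword attribute: never read by the KDC
        self.krb5_key = None       # krb5Key attribute: what the KDC verifies against


def kadmin_add_principal(entry: LdapEntry, password: str) -> None:
    """Models kadmin.addPrincipal(principal, password): derives and stores the key."""
    entry.krb5_key = string_to_key(password, entry.principal)


def ldap_set_user_password(entry: LdapEntry, password: str) -> None:
    """Models an LDAP modify of userPassword: touches nothing Kerberos looks at."""
    entry.user_password = password


def kinit(entry: LdapEntry, password: str, now: int = None) -> bool:
    """Simplified PA-ENC-TIMESTAMP pre-authentication.
    Client side: derive the key from the typed password and authenticate a timestamp.
    KDC side: verify that authenticator with the stored krb5Key.
    (Real Kerberos encrypts the timestamp under the key; an HMAC keeps the model short.)"""
    if entry.krb5_key is None:
        return False
    ts = str(now if now is not None else int(time.time())).encode("ascii")
    client_key = string_to_key(password, entry.principal)
    authenticator = hmac.new(client_key, ts, hashlib.sha1).digest()
    expected = hmac.new(entry.krb5_key, ts, hashlib.sha1).digest()
    return hmac.compare_digest(authenticator, expected)


def demo() -> dict:
    """Replays the situation from the thread and returns which logins succeed."""
    alice = LdapEntry("alice@AD4EI")
    kadmin_add_principal(alice, "alice")
    results = {"kadmin_pw": kinit(alice, "alice", 0)}
    # Set a different password on the LDAP entry, as in the original question.
    ldap_set_user_password(alice, "something-else")
    results["kadmin_pw_after_ldap_change"] = kinit(alice, "alice", 0)
    results["ldap_pw"] = kinit(alice, "something-else", 0)
    # Changing the password through kadmin instead updates krb5Key and works.
    kadmin_add_principal(alice, "something-else")
    results["ldap_pw_after_kadmin_change"] = kinit(alice, "something-else", 0)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'kinit OK' if ok else 'kinit fails'}")
```

The practical consequence for the LDAP backend is the one Francesco arrived at: a password change has to go through kadmin (or whatever regenerates krb5Key), because editing userPassword, even with an LDAP password policy in place, leaves the key the KDC checks untouched.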
