Hi Sergey

thanks for your support.
We asked the FreeIPA community to check whether there are any incorrect 
configurations [1]. 

I'll let you know when we have news.

Thanks
M

[1] https://www.redhat.com/archives/freeipa-devel/2014-March/msg00296.html

On 17 Mar 2014, at 19:10, Sergey Beryozkin <[email protected]> 
wrote:

> Hi
> How do you configure it with curl?
> In your opinion, what is the difference between the way you set it up in curl 
> and in CXF?
> 
> Cheers, Sergey
> 
> 
> 
> On 17/03/14 15:53, Marco Di Sabatino Di Diodoro wrote:
>> Hi,
>> 
>> 
>> On 15 Mar 2014, at 13:38, Andrei Shakirin
>> <[email protected]> wrote:
>> 
>>> Hi Marco,
>>> 
>>> I would suggest trying a simple Kerberos login using JAAS directly (with
>>> debug=true); perhaps it helps to spot the problem:
>>> 
>>> Test code:
>>> 
>>> import java.io.IOException;
>>> import java.net.URL;
>>> import java.security.Principal;
>>> import java.util.Set;
>>> import javax.security.auth.Subject;
>>> import javax.security.auth.callback.Callback;
>>> import javax.security.auth.callback.CallbackHandler;
>>> import javax.security.auth.callback.NameCallback;
>>> import javax.security.auth.callback.PasswordCallback;
>>> import javax.security.auth.callback.UnsupportedCallbackException;
>>> import javax.security.auth.login.LoginContext;
>>> import javax.security.auth.login.LoginException;
>>> 
>>> public class JaasLoginTest {
>>> 
>>>     public static void main(String[] args) {
>>>         // Point JAAS at the jaas.conf found on the classpath
>>>         URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
>>>         System.setProperty("java.security.auth.login.config", conf.toString());
>>> 
>>>         // Only needed when not using the ticket cache
>>>         CallbackHandler callbackHandler = new CallbackHandler() {
>>>             @Override
>>>             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>>>                 for (Callback callback : callbacks) {
>>>                     if (callback instanceof NameCallback) {
>>>                         ((NameCallback) callback).setName("alice");
>>>                     }
>>>                     if (callback instanceof PasswordCallback) {
>>>                         ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
>>>                     }
>>>                 }
>>>             }
>>>         };
>>> 
>>>         try {
>>>             // "myContext" must match the entry name in jaas.conf
>>>             LoginContext lc = new LoginContext("myContext", callbackHandler);
>>>             lc.login();
>>>             Subject subject = lc.getSubject();
>>>             Set<Principal> principals = subject.getPrincipals();
>>>             Set<Object> credentials = subject.getPrivateCredentials();
>>>             System.out.println("OK: " + principals);
>>>             System.out.println("OK: " + credentials);
>>>         } catch (LoginException e) {
>>>             e.printStackTrace();
>>>         }
>>>     }
>>> }
>>> 
>>> jaas.conf:
>>> 
>>> myContext {
>>>   com.sun.security.auth.module.Krb5LoginModule required
>>>   debug=true
>>>   refreshKrb5Config=true
>>>   useKeyTab=true
>>>   storeKey=true
>>>   keyTab="my.keytab"
>>>   principal="my/services.example.com";
>>> };
>>> 
>>> If the code works, you will be able to detect what is different in the
>>> AbstractSpnegoAuthSupplier.getToken() code used by
>>> KerberosAuthOutInterceptor.java.
>> 
>> These are the krb5kdc.log entries when connecting with CXF to the FreeIPA server:
>> 
>> mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>> mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
>> 
>> If we run with curl:
>> 
>> mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>> mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
>> 
>> I have attached the log file of the test connector. As you can see from
>> the log, at the beginning we perform a login and then a request to the
>> service, but it returns a 401.
>> 
>> Thanks
>> M
>> 
>> 
>> 
>> 
>>> 
>>> Regards,
>>> Andrei.
>>> 
>>>> -----Original Message-----
>>>> From: Marco Di Sabatino Di Diodoro [mailto:[email protected]]
>>>> Sent: Friday, 14 March 2014 17:54
>>>> To: [email protected]
>>>> Subject: CXF and kerberos authentication
>>>> 
>>>> Hi,
>>>> 
>>>> I'm a PMC member of Apache Syncope [1].
>>>> We are building a new connector bundle for ConnId [2] that needs to
>>>> connect to a FreeIPA server.
>>>> 
>>>> The connector bundle uses JSON-RPC to communicate with the server, which is
>>>> protected by Kerberos.
>>>> We followed this guide
>>>> (http://cxf.apache.org/docs/jaxrs-kerberos.html), but the
>>>> connector does not negotiate with Kerberos:
>>>> 
>>>> WebClient wc = WebClient.create("https://olmo.example.com/ipa/json");
>>>> WebClient.getConfig(wc).getHttpConduit().setTlsClientParameters(clientParameters());
>>>> AuthorizationPolicy policy = new AuthorizationPolicy();
>>>> policy.setAuthorizationType("Negotiate");
>>>> policy.setAuthorization(KEYTAB_CONF);
>>>> KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
>>>> kbInterceptor.setPolicy(policy);
>>>> kbInterceptor.setRealm("EXAMPLE.COM");
>>>> kbInterceptor.setServicePrincipalName("ldap/olmo.example.com");
>>>> kbInterceptor.setCredDelegation(true);
>>>> WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
>>>> 
>>>> I tried a lot of other configurations without success; do you have any
>>>> suggestion?
>>>> 
>>>> If we run with curl it works.
>>>> 
>>>> Regards
>>>> M
>>>> 
>>>> [1] http://syncope.apache.org/
>>>> [2] http://tirasa.github.io/ConnId/
>>>> 
>>>> --
>>>> Dott. Marco Di Sabatino Di Diodoro
>>>> Tel. +39 3939065570
>>>> 
>>>> Tirasa S.r.l.
>>>> Viale D'Annunzio 267 - 65127 Pescara
>>>> Tel +39 0859116307 / FAX +39 0859111173
>>>> http://www.tirasa.net
>>>> 
>>>> Apache Syncope PMC Member
>>>> http://people.apache.org/~mdisabatino/
>>> 
>> 
>> --
>> Dott. Marco Di Sabatino Di Diodoro
>> Tel. +39 3939065570
>> 
>> Tirasa S.r.l.
>> Viale D'Annunzio 267 - 65127 Pescara
>> Tel +39 0859116307 / FAX +39 0859111173
>> http://www.tirasa.net
>> 
>> Apache Syncope PMC Member
>> http://people.apache.org/~mdisabatino/
>> 
> 

-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
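As an added diagnostic example (not code from this thread, nor from CXF or FreeIPA), the following Python script parses krb5kdc.log lines of the form quoted above and summarises each client's exchange: whether it obtained a fresh TGT via AS_REQ or started from a cached one via TGS_REQ, which service principals it requested tickets for, and which deprecated encryption types it offered. The sample lines are constructed to mirror the two traces in the thread, with placeholder principals (svc-client@EXAMPLE.COM, kdc.example.com); etype numbers and names follow the IANA Kerberos registry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kerberos encryption-type numbers (RFC 3961, RFC 4757, RFC 6803).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
# Single DES (RFC 6649) and RC4 (RFC 8429) are deprecated; flag clients that still offer them.
WEAK_ETYPES = {1, 3, 23}

# One "ISSUE" line as written by the MIT krb5kdc (month name may be localised, e.g. "mar").
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<addr>[\d.]+): "
    r"(?P<status>\w+): authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)


@dataclass
class KdcRecord:
    req: str            # AS_REQ or TGS_REQ
    addr: str           # client IP address
    client: str         # client principal
    server: str         # service principal the ticket was issued for
    offered: List[int]  # etypes the client offered
    tkt_etype: int      # etype the issued ticket was encrypted with
    authtime: int


def parse_kdc_line(line: str) -> Optional[KdcRecord]:
    """Return a KdcRecord for an ISSUE line, or None for anything else."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    return KdcRecord(
        req=m["req"], addr=m["addr"], client=m["client"], server=m["server"],
        offered=[int(x) for x in m["offered"].split()],
        tkt_etype=int(m["tkt"]), authtime=int(m["authtime"]),
    )


def flows_by_client(lines: List[str]) -> Dict[str, List[KdcRecord]]:
    """Group parsed records by client address, preserving log order."""
    flows: Dict[str, List[KdcRecord]] = {}
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is not None:
            flows.setdefault(rec.addr, []).append(rec)
    return flows


def describe_flow(records: List[KdcRecord]) -> dict:
    """Summarise one client's exchange the way you would read it by eye."""
    return {
        # AS_REQ means the client authenticated afresh (password or keytab) instead of reusing a ticket cache
        "fresh_login": any(r.req == "AS_REQ" for r in records),
        "services": [r.server for r in records if not r.server.startswith("krbtgt/")],
        "weak_etypes_offered": sorted({e for r in records for e in r.offered if e in WEAK_ETYPES}),
        "ticket_etypes": sorted({r.tkt_etype for r in records}),
    }


def compare_flows(a: List[KdcRecord], b: List[KdcRecord]) -> dict:
    """Return only the summary fields on which the two exchanges differ."""
    da, db = describe_flow(a), describe_flow(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}


# Constructed sample: same shape as the two traces in the thread, placeholder principals.
SAMPLE_CXF = [
    "mar 17 16:03:10 kdc.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, svc-client@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "mar 17 16:03:10 kdc.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, svc-client@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM",
]
SAMPLE_CURL = [
    "mar 17 16:14:06 kdc.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, svc-client@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "mar 17 16:14:06 kdc.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, svc-client@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    flows = flows_by_client(SAMPLE_CXF + SAMPLE_CURL)
    for addr, recs in flows.items():
        summary = describe_flow(recs)
        weak = [ETYPE_NAMES.get(e, str(e)) for e in summary["weak_etypes_offered"]]
        print(f"{addr}: fresh_login={summary['fresh_login']} services={summary['services']} weak={weak}")
    print("differences:", compare_flows(flows["192.168.0.176"], flows["192.168.0.106"]))
```

Run it against a real krb5kdc.log by replacing the sample lists with the file's lines; both traces in the thread resolve to the same service principal and the same ticket etype, so the summary isolates the two things that actually differ: the CXF client authenticates afresh (AS_REQ) where curl reuses its cache, and it offers the DES etypes 1 and 3 in its TGS_REQ.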
