> Hi folks,
> 
> A little background, explaining the Subject:
> We are mostly a Windows Shop; our front-end servers are IIS6/7 running
> C# and ASP.Net applications. Most of the back-ends are JBoss, though.
> Our internal client infrastructure centers around Windows XP
> (Currently migrating to Windows 7) and most of our internal Servers are
> Windows 2003 and Windows 2008.
> 
> Microsoft AD plays a central part, and many applications authenticate
> against it. Most of them, unfortunately, via LDAP.
> 
> Currently we're running our internal Maven Repository on Archiva (in
> Tomcat), but we're deploying via scp.
> I would like to migrate to Kerberos Authentication and Dav deployment,
> which would enormously reduce the maintenance effort.
> Using Tomcat the migration to Kerberos should be easy and straight
> forward enough. But with the current authentication plugin support, the
> deployment in Maven is going to be a problem.
> 
> The only thing I have found which goes remotely in this direction is:
> http://jira.codehaus.org/browse/WAGON-181 which hasn't been touched in
> over 2 years. Wendy suggested it's easy enough to implement, but
> unfortunately my Java (not JEE, Java) experience has gone a bit rusty,
> when in the last ten years I didn't put it to use.
> 
> So I'm writing here now, to ask if anyone else has a need for
> GSSAPI/Kerberos in their environment, or maybe even if someone has the
> knowhow and the leisure to implement it.

Hi Igor,

I am in a familiar situation. I am in a huge company and we tend to integrate 
the apps into AD as well. I want to deploy Nexus in the near future. It already 
supports AD via LDAP but with Basic Auth. No Kerb Support. I found a thread [1] 
recently which depicts the situation.

Basically the repo manager has to support Kerberos to validate incoming user 
requests, to bind to AD through Kerb and read out the roles.
The client (Maven) has to be able to retrieve the TGT from cache or with a 
keytab.

Those are not employed atm. As far as I can see, Nexus has an LDAP realm which 
supports AD and its mapping. You can continue to use your Kerberos credential 
but without SSO. Signing into AD with Kerberos is a no-brainer in Java, I am 
doing this in my webapp all the time.

From my point of view, Kerberos support for Maven is mission critical in 
enterprise environments for *all* deployment tasks since SCP/SFTP, SSH and HTTP 
support it. But I rephrase, the entire wagon system has to support it for all 
transport methods.

Btw, using Kerberos (wrapped in SPNEGO) with URL connections in Java 6 is as 
easy as this:

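    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.net.URLConnection;

    public class SpnegoRequest {
        public static void main(String[] args) throws Exception {
            String method = args[0];          // HTTP method, e.g. GET
            URL url = new URL(args[1]);       // target URL
            URLConnection conn = url.openConnection();

            if (conn instanceof HttpURLConnection) {
                HttpURLConnection httpConn = (HttpURLConnection) conn;
                httpConn.setRequestMethod(method);
                // Reading the response sends the request, including the
                // Negotiate (SPNEGO) handshake if the server asks for it.
                System.out.printf("%d %s%n", httpConn.getResponseCode(),
                        httpConn.getResponseMessage());
            } else {
                System.err.println("The provided url is not an http(s) url");
                System.exit(1);
            }
        }
    }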

AND 
com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
                principal="host/${hostname}.ww004.siemens.net"
                useKeyTab=true
                keyTab="/etc/secret.keytab"
                storeKey=true;
};

You are done ;-)

[1] http://nexus.sonatype.org/mailing-list-user-archives.html#nabble-td24400714
-- 
Mit freundlichem Gruß / Best regards

Michael Osipov

Siemens AG
Sector Industry, I DT IT LD Bln (Werkstudent)

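Added example, not part of the original message and not Nexus, Archiva or Maven code: the server half described above, where the repository manager validates the SPNEGO token a client sends in "Authorization: Negotiate". The class name NegotiateValidator and the JAAS entry name passed to it are assumptions; the entry is expected to use Krb5LoginModule with useKeyTab and storeKey for the service principal, and the code needs Java 8 or later.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

// Added example (hypothetical class): validates "Authorization: Negotiate <token>".
public class NegotiateValidator {
    private final Subject service;

    // jaasEntry: assumed acceptor entry using Krb5LoginModule with useKeyTab/storeKey.
    public NegotiateValidator(String jaasEntry) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();                       // loads the service key from the keytab
        service = lc.getSubject();
    }

    // Returns the authenticated client principal, or null to answer 401.
    public String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return null;                  // no Negotiate credentials offered
        }
        final byte[] token;
        try {
            token = Base64.getDecoder().decode(header.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return null;                  // not valid base64
        }
        try {
            return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
                // null credential: use the acceptor key held by the Subject
                GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                try {
                    ctx.acceptSecContext(token, 0, token.length);
                    // a context needing further legs is rejected in this example
                    return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                } finally {
                    ctx.dispose();
                }
            });
        } catch (PrivilegedActionException e) {
            return null;                  // token rejected by JGSS (GSSException)
        }
    }
}
```

The returned name is only the authenticated Kerberos principal; mapping it to roles in AD is a separate lookup.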