Hi all,
after a while without blogging, I'm back with (I hope) some interesting stuff: how to perform an LDAP request against an Active Directory server with Kerberos authentication.
Here is the (ugly) code, adapted from some examples:
MyLdap.java
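import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.NameAlreadyBoundException;
import javax.naming.directory.*;
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * Obtains a Kerberos-authenticated JAAS {@link Subject} and then runs the
 * LDAP query ({@code TestLdap}) as that subject, so the GSSAPI bind performed
 * by JNDI can pick up the subject's Kerberos credentials.
 */
public class MyLdap {

    /**
     * Authenticates through the JAAS login configuration entry named
     * {@code "JaasSample"}, using a {@link TextCallbackHandler} for any
     * prompts the login module may issue.
     *
     * <p>Failure handling is kept from the original: the message is printed
     * to stderr and the JVM exits with status 1, so a caller never receives
     * a {@code null} subject.
     *
     * @return the authenticated subject carrying the Kerberos credentials
     */
    public static Subject authenticate() {
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
        } catch (LoginException le) {
            fail("Cannot create LoginContext. " + le.getMessage());
        } catch (SecurityException se) {
            fail("Cannot create LoginContext. " + se.getMessage());
        }
        try {
            // attempt authentication
            lc.login();
        } catch (LoginException le) {
            fail("Authentication failed: " + le.getMessage());
        }
        return lc.getSubject();
    }

    /**
     * Reports a fatal problem on stderr and terminates the JVM with status 1.
     * The original repeated this pair of statements in every catch block.
     *
     * @param message text written to stderr before exiting
     */
    private static void fail(String message) {
        System.err.println(message);
        System.exit(1);
    }

    /**
     * Entry point: authenticates, then runs {@code TestLdap} with the program
     * arguments inside the authenticated subject.
     *
     * @param args program arguments, forwarded to {@code TestLdap}
     */
    public static void main(String[] args) {
        Subject subject = authenticate();
        // doAs is a static method of Subject; the original invoked it through the
        // instance, which compiles but obscures what is really being called.
        Subject.doAs(subject, new TestLdap(args));
    }
}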
TestLdap.java
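import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import java.util.*;

/**
 * Reads one entry's attributes over LDAP using a GSSAPI (Kerberos) SASL bind.
 * Intended to be executed via {@code Subject.doAs(...)} so that the JNDI LDAP
 * provider finds the Kerberos credentials of the logged-in subject.
 */
public class TestLdap implements java.security.PrivilegedAction<Object> {
    private final String[] args;
    final static String ldapServerName = "srvfms-5.fimasys.fr";
    final static String rootContext = "ou=Fimasys,dc=fimasys,dc=fr";
    /** Entry read when no name is supplied on the command line. */
    final static String defaultEntry = "cn=Anthony Barbe, ou=support";

    /**
     * @param args program arguments; the first one, when present, names the
     *             entry (relative to {@link #rootContext}) whose attributes
     *             are read
     */
    public TestLdap(String[] args) {
        // The original accepted args but discarded them, leaving the entry
        // name hard-coded.
        this.args = args == null ? new String[0] : args;
    }

    /**
     * Selects the entry to read: {@code args[0]} when supplied, otherwise
     * {@link #defaultEntry}.
     *
     * @param args program arguments, possibly {@code null} or empty
     * @return the name passed to {@code DirContext.getAttributes}
     */
    static String targetName(String[] args) {
        if (args != null && args.length > 0 && args[0] != null) {
            return args[0];
        }
        return defaultEntry;
    }

    /**
     * Binds with GSSAPI and prints the attributes of the target entry.
     * Directory errors are reported on stdout, as in the original, rather
     * than thrown to the caller.
     *
     * @return always {@code null}
     */
    public Object run() {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + ldapServerName + "/" + rootContext);
        // GSSAPI authenticates the bind with the subject's Kerberos ticket. With no
        // javax.security.sasl.qop setting the quality of protection defaults to
        // "auth": the bind is authenticated, but the LDAP traffic that follows is
        // neither integrity-protected nor encrypted. Request "auth-int"/"auth-conf"
        // (or use ldaps://) if the directory data must be protected on the wire.
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            Attributes attrs = ctx.getAttributes(targetName(args));
            System.out.println(attrs);
        } catch (NamingException e) {
            // Narrowed from catch (Exception): only directory failures are
            // expected here; programming errors should surface instead.
            System.out.println("Exception: " + e.toString());
        } finally {
            // The original never closed the context, leaking the LDAP connection.
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // Nothing useful can be done if closing the connection fails.
                }
            }
        }
        return null;
    }
}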
~/.java.login.security
JaasSample { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true debug=false; };
/etc/krb5.conf
[libdefaults] default_realm = FIMASYS.FR krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } [realms] FIMASYS.FR = { kdc = srvfms-5.fimasys.fr admin_server = srvfms-5.fimasys.fr } ASYD.NET = { kdc = kdc.asyd.net admin_server = kdc.asyd.net } [domain_realm] .fimasys.fr = FIMASYS.FR [login] krb4_convert = true krb4_get_tickets = true