Hi all,

After a while without blogging, I'm back with (I hope) interesting stuff: how to perform LDAP requests to an Active Directory server with Kerberos authentication.

Here is the (ugly) code, adapted from some examples:

MyLdap.java

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.NameAlreadyBoundException;
import javax.naming.directory.*;
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;
 
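public class MyLdap {

    /**
     * Authenticates the caller through JAAS and returns the resulting {@link Subject}.
     * <p>
     * The {@link LoginContext} is built from the entry named {@code "JaasSample"} in the
     * JAAS login configuration, with a {@link TextCallbackHandler} answering any prompt
     * the login module raises. Every failure is reported on stderr and terminates the JVM
     * with status 1, so this method never hands a {@code null} Subject to its caller.
     *
     * @return the authenticated Subject
     */
    public static Subject authenticate() {
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
        } catch (LoginException le) {
            // Typically a missing or malformed "JaasSample" entry in the login configuration.
            fail("Cannot create LoginContext. " + le.getMessage());
        } catch (SecurityException se) {
            fail("Cannot create LoginContext. " + se.getMessage());
        }
        try {
            // Runs the configured login module(s); this is where the Kerberos credentials
            // are obtained and attached to the Subject.
            lc.login();
        } catch (LoginException le) {
            fail("Authentication failed: " + le.getMessage());
        }
        return lc.getSubject();
    }

    /** Prints {@code message} on stderr and terminates the JVM with status 1. */
    private static void fail(String message) {
        System.err.println(message);
        System.exit(1);
    }

    /**
     * Entry point: authenticates, then runs the LDAP lookup as the authenticated Subject
     * so the JNDI GSSAPI bind inside {@link TestLdap} can use that Subject's credentials.
     *
     * @param args forwarded unchanged to {@link TestLdap}
     */
    public static void main(String[] args) {
        Subject subject = authenticate();
        // doAs is a static method; the Subject is passed explicitly as the first argument.
        Subject.doAs(subject, new TestLdap(args));
    }
}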

TestLdap.java

import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;

import java.util.*;

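public class TestLdap implements java.security.PrivilegedAction<Object> {
    // Command-line arguments handed over by MyLdap.main; stored but not read by run().
    private final String[] args;
    final static String ldapServerName = "srvfms-5.fimasys.fr";
    final static String rootContext = "ou=Fimasys,dc=fimasys,dc=fr";

    /**
     * @param args command-line arguments; kept on the instance, currently unused by {@link #run()}
     */
    public TestLdap(String[] args) {
        this.args = args;
    }

    /**
     * Opens an LDAP connection bound with GSSAPI (Kerberos) and prints the attributes of
     * one hard-coded entry below {@code rootContext}.
     * <p>
     * Must be invoked through {@code Subject.doAs} so the SASL bind can pick up the
     * Kerberos credentials of that Subject. The URL is plain {@code ldap://}: GSSAPI
     * authenticates the bind, but the directory traffic is only protected if a SASL
     * quality-of-protection of {@code auth-conf} is negotiated (the
     * {@code javax.security.sasl.qop} environment property), which this sample does not
     * request.
     *
     * @return always {@code null}; the looked-up attributes are printed, not returned
     */
    public Object run() {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + ldapServerName + "/" + rootContext);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            Attributes attrs = ctx.getAttributes("cn=Anthony Barbe, ou=support");
            System.out.println(attrs);
        } catch (NamingException e) {
            // Bind or lookup failure (including a failed GSSAPI negotiation) is reported here.
            System.out.println("Exception: " + e.toString());
        } finally {
            // The original never closed the context, leaking the LDAP connection.
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // best effort: nothing useful can be done if teardown fails
                }
            }
        }
        return null;
    }
}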

~/.java.login.security

// Login entry looked up by name from MyLdap: new LoginContext("JaasSample", ...).
// NOTE(review): the JDK's default per-user login configuration file is
// ~/.java.login.config; if this file is named differently, point the JVM at it with
// -Djava.security.auth.login.config=<path> — confirm against the blog's file name.
JaasSample {
  // useTicketCache=true: reuse an existing Kerberos ticket cache (e.g. from kinit);
  // presumably the callback handler is only consulted when no usable ticket is cached.
  // debug=true prints verbose login diagnostics; keep it off outside troubleshooting.
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true debug=false;
};

/etc/krb5.conf

# MIT-style krb5.conf consumed by the Java Kerberos stack (default system location, or
# the file named by -Djava.security.krb5.conf=<path>).
[libdefaults]
        default_realm = FIMASYS.FR
        # krb4_* and v4_* entries below are Kerberos 4 compatibility settings; they appear
        # to be irrelevant to the Java GSSAPI/LDAP sample and can likely be dropped.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        # forwardable/proxiable tickets allow credential delegation; a plain LDAP read
        # does not need this — consider false unless another client on the host does.
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }

# Where to find the KDC for each realm. FIMASYS.FR is the realm used by the sample
# (the same host also serves LDAP); ASYD.NET is a second, unrelated realm.
[realms]
FIMASYS.FR = {
   kdc = srvfms-5.fimasys.fr
        admin_server = srvfms-5.fimasys.fr
}

ASYD.NET = {
        kdc = kdc.asyd.net
        admin_server = kdc.asyd.net
}

# Maps hosts under .fimasys.fr to the FIMASYS.FR realm so the LDAP service principal
# for srvfms-5.fimasys.fr is looked up in the right realm.
[domain_realm]
        .fimasys.fr     = FIMASYS.FR

# Kerberos 4 login-time settings; not used by the Java sample.
[login]
        krb4_convert = true
        krb4_get_tickets = true