Hi all,
after a while without blog, I'm back with (I hope) interesting stuff. How to perform LDAP request to an Active Directory server with Kerberos Authentication.
There the (ugly) code adapted from some examples :
MyLdap.java
import javax.naming.InitialContext; import javax.naming.NamingException; import javax.naming.NameAlreadyBoundException; import javax.naming.directory.*; import java.util.*; import javax.security.auth.*; import javax.security.auth.callback.*; import javax.security.auth.login.*; import com.sun.security.auth.callback.TextCallbackHandler; public class MyLdap { public static Subject authenticate () { // Obtain a LoginContext, needed for authentication. Tell it // to use the LoginModule implementation specified by the // entry named "JaasSample" in the JAAS login configuration // file and to also use the specified CallbackHandler. LoginContext lc = null; Subject subject = null; try { lc = new LoginContext("JaasSample", new TextCallbackHandler()); } catch (LoginException le) { System.err.println("Cannot create LoginContext. " + le.getMessage()); System.exit(1); } catch (SecurityException se) { System.err.println("Cannot create LoginContext. " + se.getMessage()); System.exit(1); } try { // attempt authentication lc.login(); } catch (LoginException le) { System.err.println("Authentication failed: " + le.getMessage()); System.exit(1); } return lc.getSubject(); } public static void main( String[] args ) { Subject subject; subject = authenticate(); subject.doAs(subject, new TestLdap(args)); } }
TestLdap.java
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import java.util.*;
public class TestLdap implements java.security.PrivilegedAction {
private String[] args;
final static String ldapServerName = "srvfms-5.fimasys.fr";
final static String rootContext = "ou=Fimasys,dc=fimasys,dc=fr";
public TestLdap (String[] args) {
};
public Object run() {
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://" + ldapServerName + "/" + rootContext);
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
try {
DirContext ctx = new InitialDirContext(env);
Attributes attrs = ctx.getAttributes("cn=Anthony Barbe, ou=support");
System.out.println(attrs);
} catch (Exception e) {
System.out.println("Exception: " + e.toString());
}
return null;
}
}
~/.java.login.security
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true debug=false;
};
/etc/krb5.conf
[libdefaults]
default_realm = FIMASYS.FR
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
FIMASYS.FR = {
kdc = srvfms-5.fimasys.fr
admin_server = srvfms-5.fimasys.fr
}
ASYD.NET = {
kdc = kdc.asyd.net
admin_server = kdc.asyd.net
}
[domain_realm]
.fimasys.fr = FIMASYS.FR
[login]
krb4_convert = true
krb4_get_tickets = true