Charles Hedrick created DIRAPI-350:
--------------------------------------
Summary: gssapi documentation
Key: DIRAPI-350
URL: https://issues.apache.org/jira/browse/DIRAPI-350
Project: Directory Client API
Issue Type: Documentation
Affects Versions: 2.0.0.AM4
Reporter: Charles Hedrick
In the section on authentication, there is no usable documentation for GSSAPI.
Since GSSAPI is mostly used for Kerberos, you need sample code. Here is some
that works.
First, non-trivial Kerberos authentication requires configuration. Creating a
Kerberos configuration is not well documented elsewhere, so we include here
sample code. It is possible to put configuration information in a JAAS login
configuration file as well, but doing it programmatically provides more
flexibility for applications that need to use more than one principal.
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

class KerberosConfiguration extends Configuration {
    // Kept from the original; not used by this configuration.
    private String cc;

    public KerberosConfiguration(String cc) {
        this.cc = cc;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> options = new HashMap<String, String>();
        options.put("useKeyTab", "true");
        try {
            // Authenticate as the host principal of this machine.
            options.put("principal", "host/"
                + InetAddress.getLocalHost().getCanonicalHostName() + "@MYKERBOSDOMAIN");
        } catch (Exception e) {
            System.out.println("Can't find our hostname " + e);
        }
        options.put("refreshKrb5Config", "true");
        options.put("keyTab", "/etc/krb5.keytab");
        options.put("debug", "true");
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options), };
    }
}

public KerberosConfiguration makeKerberosConfiguration(String cc) {
    return new KerberosConfiguration(cc);
}
makeKerberosConfiguration(null) will return the configuration object needed for
GSSAPI. The options in this example authenticate the host, based on
/etc/krb5.keytab. Other options are documented in the Java documentation for
the class Krb5LoginModule. Note that if you are going to use user credentials,
they should be stored in a file, not KEYRING or KCM.
The following code uses a configuration generated with the code above to do a
GSSAPI SASL bind. The assumption is that ldapNetworkConnection has already been
opened using connect.
// Requires imports for Configuration, SaslGssApiRequest, BindResponse and LdapException.
Configuration sconfig = makeKerberosConfiguration(null);
SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
saslGssApiRequest.setLoginModuleConfiguration( sconfig );
saslGssApiRequest.setLoginContextName(
    "org.apache.directory.ldap.client.api.SaslGssApiRequest" );
// Mutual authentication is disabled here: the client does not verify the server's identity.
saslGssApiRequest.setMutualAuthentication( false );
BindResponse br;
try {
    br = ldapNetworkConnection.bind( saslGssApiRequest );
    ldapNetworkConnection.startTls();
} catch ( LdapException e ) {
    e.printStackTrace();
}
At this point you can do search or other operations.
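The reporter's motivation for a programmatic JAAS configuration is applications that need more than one principal. The following added example (editor's code, not the reporter's and not part of the Apache Directory API) generalizes the posted configuration to serve a different principal and keytab per login context name, then performs the GSSAPI bind with StartTLS established first and mutual authentication requested, and checks the LDAP result code instead of ignoring the response. The host names, realm, principals and keytab paths are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

/**
 * JAAS Configuration that maps each login context name to its own
 * Kerberos principal and keytab, so one JVM can bind as several identities.
 * Added example; principals and keytab paths below are placeholders.
 */
class MultiPrincipalKerberosConfiguration extends Configuration {
    /** login context name -> { principal, keytab path } */
    private final Map<String, String[]> identities = new HashMap<>();

    public MultiPrincipalKerberosConfiguration addIdentity(String contextName,
            String principal, String keytabPath) {
        identities.put(contextName, new String[] { principal, keytabPath });
        return this;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        String[] id = identities.get(name);
        if (id == null) {
            return null; // unknown context: let JAAS fail the login rather than guess
        }
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", id[1]);
        options.put("principal", id[0]);
        options.put("storeKey", "true");
        options.put("doNotPrompt", "true");      // never fall back to a password prompt
        options.put("refreshKrb5Config", "true");
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
    }
}

public class GssapiBindExample {
    /** Connects, starts TLS, binds with GSSAPI and returns the authenticated connection. */
    public static LdapNetworkConnection bindAs(String host, int port,
            Configuration config, String contextName) throws LdapException {
        LdapNetworkConnection connection = new LdapNetworkConnection(host, port);
        boolean bound = false;
        try {
            if (!connection.connect()) {
                throw new LdapException("could not connect to " + host + ":" + port);
            }
            // TLS first, so the SASL exchange itself travels encrypted.
            connection.startTls();

            SaslGssApiRequest request = new SaslGssApiRequest();
            request.setLoginModuleConfiguration(config);
            request.setLoginContextName(contextName);
            // With mutual authentication the client also verifies the server's identity.
            request.setMutualAuthentication(true);

            BindResponse response = connection.bind(request);
            ResultCodeEnum rc = response.getLdapResult().getResultCode();
            if (rc != ResultCodeEnum.SUCCESS) {
                throw new LdapException("GSSAPI bind failed: " + rc + " "
                    + response.getLdapResult().getDiagnosticMessage());
            }
            bound = true;
            return connection;
        } finally {
            if (!bound) {
                try { connection.close(); } catch (java.io.IOException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Two identities registered under two context names (placeholder values).
        Configuration config = new MultiPrincipalKerberosConfiguration()
            .addIdentity("ServiceBind", "host/app.example.org@EXAMPLE.ORG", "/etc/krb5.keytab")
            .addIdentity("SyncBind", "ldapsync/app.example.org@EXAMPLE.ORG", "/etc/ldapsync.keytab");
        try (LdapNetworkConnection connection = bindAs("ldap.example.org", 389, config, "ServiceBind")) {
            System.out.println("authenticated: " + connection.isAuthenticated());
            // search or other operations go here
        }
    }
}
```

Passing a different context name to bindAs selects a different principal without touching the rest of the code, which is the flexibility the report describes. Returning null from getAppConfigurationEntry for an unregistered name makes a misconfigured caller fail at login time instead of silently binding as the wrong identity.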
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)