[ https://issues.apache.org/jira/browse/DIRAPI-350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883190#comment-16883190 ]

Charles Hedrick commented on DIRAPI-350:
----------------------------------------

I say in the documentation that credentials must be in a file. KEYRING and KCM 
don't work. It appears that if you use the native libraries they may work. 
However if you do that, either extra code is required, or 
javax.security.auth.useSubjectCredsOnly must be false. Kirby explicitly sets it 
true. I don't know whether it's right to set it true or not, since the 
consequences may depend upon the Java implementation.

 

> gssapi documentation
> --------------------
>
>                 Key: DIRAPI-350
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-350
>             Project: Directory Client API
>          Issue Type: Documentation
>    Affects Versions: 2.0.0.AM4
>            Reporter: Charles Hedrick
>            Priority: Major
>         Attachments: gssapi.rtf
>
>
> In the section on authentication, there is no usable documentation for 
> GSSAPI. Since GSSAPI is mostly used for Kerberos, you need sample code. Here 
> is some that works.
> First, non-trivial Kerberos authentication requires configuration. Creating a 
> Kerberos configuration is not well documented elsewhere, so we include here 
> sample code. It is possible to put configuration information in a JAAS login 
> configuration file as well, but doing it programmatically provides more 
> flexibility for applications that need to use more than one principal.
> {code:java}
> import java.net.InetAddress;
> import java.util.HashMap;
> import java.util.Map;
> 
> import javax.security.auth.login.AppConfigurationEntry;
> import javax.security.auth.login.Configuration;
> 
> class KerberosConfiguration extends Configuration {
>     private String cc;
> 
>     public KerberosConfiguration(String cc) {
>         this.cc = cc;
>     }
> 
>     @Override
>     public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>         // Options for Krb5LoginModule; the same entry is returned for every name
>         Map<String, String> options = new HashMap<String, String>();
>         options.put("useKeyTab", "true");
>         try {
>             // Authenticate as this machine's host principal
>             options.put("principal", "host/"
>                 + InetAddress.getLocalHost().getCanonicalHostName() + "@MYKERBOSDOMAIN");
>         } catch (Exception e) {
>             System.out.println("Can't find our hostname " + e);
>         }
>         options.put("refreshKrb5Config", "true");
>         options.put("keyTab", "/etc/krb5.keytab");
>         options.put("debug", "true");
>         return new AppConfigurationEntry[] {
>             new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
>                                       AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
>                                       options), };
>     }
> }
> 
> public KerberosConfiguration makeKerberosConfiguration(String cc) {
>     return new KerberosConfiguration(cc);
> }
> {code}
>  
> makeKerberosConfiguration(null) will return the configuration object needed 
> for GSSAPI. The options in this example authenticate the host, based on 
> /etc/krb5.keytab. Other options are documented in the Java documentation for 
> the class Krb5LoginModule. Note that if you are going to use user 
> credentials, they should be stored in a file, not KEYRING or KCM.
>  
> The following code uses a configuration generated with the code above to do a 
> GSSAPI SASL bind. The assumption is that ldapNetworkConnection has already 
> been opened using connect.
> {code:java}
> import javax.security.auth.login.Configuration;
> 
> import org.apache.directory.api.ldap.model.exception.LdapException;
> import org.apache.directory.api.ldap.model.message.BindResponse;
> import org.apache.directory.ldap.client.api.SaslGssApiRequest;
> 
>         Configuration sconfig = makeKerberosConfiguration(null);
>         SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
>         saslGssApiRequest.setLoginModuleConfiguration( sconfig );
>         // Name handed to the JAAS LoginContext; the configuration above ignores it
>         saslGssApiRequest.setLoginContextName(
>             "org.apache.directory.ldap.client.api.SaslGssApiRequest" );
>         saslGssApiRequest.setMutualAuthentication( false );
> 
>         BindResponse br;
> 
>         try {
>             br = ldapNetworkConnection.bind( saslGssApiRequest );
>             ldapNetworkConnection.startTls();
>         } catch ( LdapException e ) {
>             e.printStackTrace();
>         }
> {code}
> At this point you can do search or other operations.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

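The issue text says a programmatic JAAS Configuration is useful for applications that need more than one principal, and the comment says user credentials must live in a FILE credential cache because KEYRING and KCM do not work with Krb5LoginModule. The example below is added here and is not code from the issue, the reporter, or the Apache Directory project. It keys Krb5LoginModule options on the login context name that SaslGssApiRequest.setLoginContextName() passes to JAAS, so one process can bind as a host principal (keytab) or a user principal (FILE ticket cache) by choosing the name, and it rejects KEYRING:/KCM: cache names up front. The class name, the context names "host-identity" and "user-identity", the realm EXAMPLE.ORG, the server ldap.example.org, the user alice and the cache path /tmp/krb5cc_1000 are all assumed placeholders. Unlike the snippet above it starts TLS before the bind and requests mutual authentication.

```java
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

/** Added example: one JAAS Configuration holding several Kerberos identities, selected by context name. */
public class MultiPrincipalKerberosConfiguration extends Configuration {
    private static final String KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private final Map<String, Map<String, String>> entries = new HashMap<String, Map<String, String>>();

    /** Register a keytab-backed principal, e.g. the host/service identity of this machine. */
    public void addKeytabPrincipal(String contextName, String principal, String keytabPath) {
        Map<String, String> o = common();
        o.put("useKeyTab", "true");
        o.put("keyTab", keytabPath);
        o.put("principal", principal);
        o.put("doNotPrompt", "true");   // never fall back to an interactive password prompt
        entries.put(contextName, o);
    }

    /** Register a user principal whose TGT is in a FILE credential cache (KEYRING/KCM are not readable here). */
    public void addTicketCachePrincipal(String contextName, String principal, String ccacheName) {
        if (ccacheName.startsWith("KEYRING:") || ccacheName.startsWith("KCM:")) {
            throw new IllegalArgumentException("Krb5LoginModule cannot read " + ccacheName + "; use a FILE: cache");
        }
        Map<String, String> o = common();
        o.put("useTicketCache", "true");
        // Krb5LoginModule wants a plain path; strip an optional FILE: prefix
        o.put("ticketCache", ccacheName.startsWith("FILE:") ? ccacheName.substring(5) : ccacheName);
        o.put("principal", principal);
        o.put("doNotPrompt", "true");
        entries.put(contextName, o);
    }

    private static Map<String, String> common() {
        Map<String, String> o = new HashMap<String, String>();
        o.put("refreshKrb5Config", "true");
        o.put("debug", "false");
        return o;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> o = entries.get(name);
        if (o == null) {
            return null;   // unknown name: let LoginContext fail instead of silently using another identity
        }
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5_LOGIN_MODULE, LoginModuleControlFlag.REQUIRED, o) };
    }

    /** GSSAPI SASL bind as whichever principal is registered under contextName. */
    public static BindResponse bindAs(LdapNetworkConnection conn, Configuration config, String contextName)
            throws LdapException {
        SaslGssApiRequest req = new SaslGssApiRequest();
        req.setLoginModuleConfiguration(config);
        req.setLoginContextName(contextName);     // this is the name handed to getAppConfigurationEntry()
        req.setMutualAuthentication(true);         // also verify the server's Kerberos identity
        return conn.bind(req);
    }

    public static void main(String[] args) throws Exception {
        MultiPrincipalKerberosConfiguration config = new MultiPrincipalKerberosConfiguration();
        String host = InetAddress.getLocalHost().getCanonicalHostName();
        // Assumed realm, user and cache path; adjust for the real environment
        config.addKeytabPrincipal("host-identity", "host/" + host + "@EXAMPLE.ORG", "/etc/krb5.keytab");
        config.addTicketCachePrincipal("user-identity", "alice@EXAMPLE.ORG", "FILE:/tmp/krb5cc_1000");

        // Report, rather than change, the JGSS credential-source setting discussed in the thread
        System.out.println("javax.security.auth.useSubjectCredsOnly="
            + System.getProperty("javax.security.auth.useSubjectCredsOnly"));

        LdapNetworkConnection conn = new LdapNetworkConnection("ldap.example.org", 389);   // assumed server
        try {
            conn.connect();
            conn.startTls();   // protect the session before the bind exchange is sent
            BindResponse br = bindAs(conn, config, args.length > 0 ? args[0] : "host-identity");
            if (br.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS) {
                throw new LdapException("GSSAPI bind failed: " + br.getLdapResult());
            }
            // searches and other operations go here
        } finally {
            conn.close();
        }
    }
}
```

Run it with no argument to bind as the host principal from /etc/krb5.keytab, or with `user-identity` to bind as the user whose TGT is in the FILE cache; a cache name such as `KEYRING:persistent:1000` is rejected before any network traffic, which is easier to diagnose than a failed login deep inside Krb5LoginModule.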