Posted to commits@directory.apache.org by ka...@apache.org on 2013/02/06 19:19:39 UTC
svn commit: r1443107 [6/6] - in /directory/apacheds/trunk:
interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/
kerberos-codec/
kerberos-codec/src/main/java/org/apache/directory/server/kerberos/changepwd/
kerberos-codec/src/mai...
Modified: directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/KdcServerBean.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/KdcServerBean.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/KdcServerBean.java (original)
+++ directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/KdcServerBean.java Wed Feb 6 18:19:36 2013
@@ -72,57 +72,53 @@ public class KdcServerBean extends DSBas
private static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
/** The allowable clock skew. */
- @ConfigurationElement(attributeType = "ads-krbAllowableClockSkew", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbAllowableClockSkew")
private long krbAllowableClockSkew = DEFAULT_ALLOWABLE_CLOCKSKEW;
/** Whether empty addresses are allowed. */
- @ConfigurationElement(attributeType = "ads-krbEmptyAddressesAllowed", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbEmptyAddressesAllowed")
private boolean krbEmptyAddressesAllowed = DEFAULT_EMPTY_ADDRESSES_ALLOWED;
/** Whether forwardable addresses are allowed. */
- @ConfigurationElement(attributeType = "ads-krbForwardableAllowed", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbForwardableAllowed")
private boolean krbForwardableAllowed = DEFAULT_TGS_FORWARDABLE_ALLOWED;
/** Whether pre-authentication by encrypted timestamp is required. */
- @ConfigurationElement(attributeType = "ads-krbPAEncTimestampRequired", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbPAEncTimestampRequired")
private boolean krbPAEncTimestampRequired = DEFAULT_PA_ENC_TIMESTAMP_REQUIRED;
/** Whether postdated tickets are allowed. */
- @ConfigurationElement(attributeType = "ads-krbPostdatedAllowed", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbPostdatedAllowed")
private boolean krbPostdatedAllowed = DEFAULT_TGS_POSTDATED_ALLOWED;
/** Whether proxiable addresses are allowed. */
- @ConfigurationElement(attributeType = "ads-krbProxiableAllowed", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbProxiableAllowed")
private boolean krbProxiableAllowed = DEFAULT_TGS_PROXIABLE_ALLOWED;
/** Whether renewable tickets are allowed. */
- @ConfigurationElement(attributeType = "ads-krbRenewableAllowed", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbRenewableAllowed")
private boolean krbRenewableAllowed = DEFAULT_TGS_RENEWABLE_ALLOWED;
/** The maximum renewable lifetime. */
- @ConfigurationElement(attributeType = "ads-krbMaximumRenewableLifetime", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbMaximumRenewableLifetime")
private long krbMaximumRenewableLifetime = DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
/** The maximum ticket lifetime. */
- @ConfigurationElement(attributeType = "ads-krbMaximumTicketLifetime", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbMaximumTicketLifetime")
private long krbMaximumTicketLifetime = DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
/** The primary realm */
- @ConfigurationElement(attributeType = "ads-krbPrimaryRealm", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbPrimaryRealm")
private String krbPrimaryRealm = DEFAULT_REALM;
/** Whether to verify the body checksum. */
- @ConfigurationElement(attributeType = "ads-krbBodyChecksumVerified", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbBodyChecksumVerified")
private boolean krbBodyChecksumVerified = DEFAULT_VERIFY_BODY_CHECKSUM;
/** The encryption types. */
- @ConfigurationElement(attributeType = "ads-krbEncryptionTypes", isOptional = true)
+ @ConfigurationElement(attributeType = "ads-krbEncryptionTypes")
private List<String> krbEncryptionTypes = new ArrayList<String>();
- /** The service principal name. */
- @ConfigurationElement(attributeType = "ads-krbKdcPrincipal", isOptional = true)
- private String krbKdcPrincipal = DEFAULT_PRINCIPAL;
-
/**
* Create a new KdcServerBean instance
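Review bot: `DEFAULT_PRINCIPAL` on the first context line of this hunk is orphaned once the `krbKdcPrincipal` field that consumed it is deleted, so the constant is now dead code; either drop it or use it where `toString` in the last hunk of this file builds `"krbtgt/" + krbPrimaryRealm + "@" + krbPrimaryRealm` by hand. Removing `isOptional = true` from every `@ConfigurationElement` turns each of these attributes into a required one on the config entry, yet every field already carries a default value, so it is not clear from the hunk what the change buys; an existing KDC server entry that omits one of them may now be rejected at load time, which is worth confirming against the code that reads the annotation. The class header and the constructor that follows lie outside the hunk.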
@@ -366,26 +362,6 @@ public class KdcServerBean extends DSBas
/**
- * Returns the service principal for this KDC service.
- *
- * @return The service principal for this KDC service.
- */
- public KerberosPrincipal getKrbKdcPrincipal()
- {
- return new KerberosPrincipal( krbKdcPrincipal );
- }
-
-
- /**
- * @param krbKdcPrincipal the krbKdcPrincipal to set
- */
- public void setKrbKdcPrincipal( String krbKdcPrincipal )
- {
- this.krbKdcPrincipal = krbKdcPrincipal;
- }
-
-
- /**
* {@inheritDoc}
*/
public String toString( String tabs )
@@ -402,7 +378,7 @@ public class KdcServerBean extends DSBas
sb.append( toString( tabs, " proxiable allowed", krbProxiableAllowed ) );
sb.append( toString( tabs, " renew allowed", krbRenewableAllowed ) );
sb.append( toString( tabs, " allowable clock skew", krbAllowableClockSkew ) );
- sb.append( toString( tabs, " KDC principal", krbKdcPrincipal ) );
+ sb.append( toString( tabs, " KDC principal", "krbtgt/" + krbPrimaryRealm + "@" + krbPrimaryRealm ) );
sb.append( toString( tabs, " maximum renewable lifetime", krbMaximumRenewableLifetime ) );
sb.append( toString( tabs, " maximum ticket lifetime", krbMaximumTicketLifetime ) );
sb.append( toString( tabs, " primary realm", krbPrimaryRealm ) );
Modified: directory/apacheds/trunk/server-config/src/main/resources/config.ldif
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-config/src/main/resources/config.ldif?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/server-config/src/main/resources/config.ldif (original)
+++ directory/apacheds/trunk/server-config/src/main/resources/config.ldif Wed Feb 6 18:19:36 2013
@@ -509,13 +509,7 @@ objectclass: ads-dsBasedServer
objectclass: ads-base
objectclass: top
ads-serverid: changePasswordServer
-ads-chgPwdServicePrincipal: kadmin/changepw@EXAMPLE.COM
ads-enabled: FALSE
-ads-krballowableclockskew: 300000
-ads-krbEmptyAddressesAllowed: TRUE
-ads-krbEncryptionTypes: des-cbc-md5
-ads-krbPrimaryRealm: EXAMPLE.COM
-ads-searchBaseDN: ou=users,dc=example,dc=com
dn: ou=transports,ads-serverId=changePasswordServer,ou=servers,ads-directoryServiceId=default,ou=config
ou: transports
@@ -602,9 +596,10 @@ ads-enabled: FALSE
ads-krbAllowableClockSkew: 300000
ads-krbBodyChecksumVerified: TRUE
ads-krbEmptyAddressesAllowed: TRUE
+ads-krbEncryptionTypes: aes128-cts-hmac-sha1-96
+ads-krbEncryptionTypes: des3-cbc-sha1-kd
ads-krbEncryptionTypes: des-cbc-md5
ads-krbForwardableAllowed: TRUE
-ads-krbKdcPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
ads-krbmaximumrenewablelifetime: 604800000
ads-krbMaximumTicketLifetime: 86400000
ads-krbPaEncTimestampRequired: TRUE
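Review bot: The default KDC entry still lists `ads-krbEncryptionTypes: des-cbc-md5` directly after the two stronger enctypes added here; single-DES enctypes are deprecated for Kerberos (RFC 6649), and a KDC that keeps offering one lets a client negotiate down to it. If it has to stay for legacy clients, say so in the file with a line such as `# des-cbc-md5 kept only for legacy clients; remove once they are upgraded`, otherwise drop it from the shipped default. Whether the order of these values is treated as a preference order cannot be told from this file.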
Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/kerberos/KeyDerivationServiceIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/kerberos/KeyDerivationServiceIT.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/kerberos/KeyDerivationServiceIT.java (original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/kerberos/KeyDerivationServiceIT.java Wed Feb 6 18:19:36 2013
@@ -56,13 +56,13 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder;
-import org.apache.directory.server.kerberos.shared.store.KerberosAttribute;
import org.apache.directory.server.ldap.handlers.bind.cramMD5.CramMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.digestMD5.DigestMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.ntlm.NtlmMechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.plain.PlainMechanismHandler;
import org.apache.directory.server.ldap.handlers.extended.StoredProcedureExtendedOperationHandler;
+import org.apache.directory.shared.kerberos.KerberosAttribute;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java (original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java Wed Feb 6 18:19:36 2013
@@ -73,13 +73,14 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
-import org.apache.directory.server.kerberos.shared.store.KerberosAttribute;
+import org.apache.directory.shared.kerberos.KerberosAttribute;
import org.apache.directory.server.ldap.handlers.bind.cramMD5.CramMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.digestMD5.DigestMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.gssapi.GssapiMechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.ntlm.NtlmMechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.plain.PlainMechanismHandler;
import org.apache.directory.server.ldap.handlers.extended.StoredProcedureExtendedOperationHandler;
+import org.apache.directory.shared.kerberos.KerberosAttribute;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
@@ -503,6 +504,8 @@ public class SaslBindIT extends Abstract
Dn userDn = new Dn( "uid=hnelson,ou=users,dc=example,dc=com" );
LdapNetworkConnection connection = new LdapNetworkConnection( "localhost", getLdapServer().getPort() );
+ kdcServer.getConfig().setPaEncTimestampRequired( false );
+
GssApiRequest request = new GssApiRequest();
request.setUsername( userDn.getRdn().getValue().getString() );
request.setCredentials( "secret" );
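Review bot: The added `kdcServer.getConfig().setPaEncTimestampRequired( false );` switches off the pre-authentication requirement for this GSSAPI bind test without a comment saying why, and the config.ldif in the same commit keeps `ads-krbPaEncTimestampRequired: TRUE`, so the shipped default path is no longer what this test exercises. Add a comment such as `// pre-auth deliberately disabled for this case: <reason>; the shipped config keeps it on` and consider a second case that leaves the default untouched, so a regression in the PA-ENC-TIMESTAMP handling is still caught by the suite. The enclosing test method starts outside the hunk. Separately, the import hunk of this file now brings in `org.apache.directory.shared.kerberos.KerberosAttribute` twice, once in place of the removed import and again after the extended-operation handler import; the duplicate is legal but redundant, and the first copy also breaks the alphabetical grouping.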
Modified: directory/apacheds/trunk/service-builder/src/main/java/org/apache/directory/server/config/builder/ServiceBuilder.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/service-builder/src/main/java/org/apache/directory/server/config/builder/ServiceBuilder.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/service-builder/src/main/java/org/apache/directory/server/config/builder/ServiceBuilder.java (original)
+++ directory/apacheds/trunk/service-builder/src/main/java/org/apache/directory/server/config/builder/ServiceBuilder.java Wed Feb 6 18:19:36 2013
@@ -49,6 +49,7 @@ import org.apache.directory.server.confi
import org.apache.directory.server.config.beans.AuthenticatorBean;
import org.apache.directory.server.config.beans.AuthenticatorImplBean;
import org.apache.directory.server.config.beans.ChangeLogBean;
+import org.apache.directory.server.config.beans.ChangePasswordServerBean;
import org.apache.directory.server.config.beans.DelegatingAuthenticatorBean;
import org.apache.directory.server.config.beans.DirectoryServiceBean;
import org.apache.directory.server.config.beans.ExtendedOpHandlerBean;
@@ -91,6 +92,9 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.partition.impl.btree.jdbm.JdbmRdnIndex;
import org.apache.directory.server.integration.http.HttpServer;
import org.apache.directory.server.integration.http.WebApp;
+import org.apache.directory.server.kerberos.ChangePasswordConfig;
+import org.apache.directory.server.kerberos.KerberosConfig;
+import org.apache.directory.server.kerberos.changepwd.ChangePasswordServer;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.ldap.ExtendedOperationHandler;
import org.apache.directory.server.ldap.LdapServer;
@@ -652,75 +656,89 @@ public class ServiceBuilder
* @return Instance of KdcServer
* @throws org.apache.directory.api.ldap.model.exception.LdapException
*/
- public static KdcServer createKdcServer( KdcServerBean kdcServerBean, DirectoryService directoryService )
- throws LdapException
+ public static KdcServer createKdcServer( DirectoryServiceBean directoryServiceBean, DirectoryService directoryService ) throws LdapException
{
+ KdcServerBean kdcServerBean = directoryServiceBean.getKdcServerBean();
+
// Fist, do nothing if the KdcServer is disabled
if ( ( kdcServerBean == null ) || kdcServerBean.isDisabled() )
{
return null;
}
- KdcServer kdcServer = new KdcServer();
-
- kdcServer.setDirectoryService( directoryService );
- kdcServer.setEnabled( true );
-
- kdcServer.setDirectoryService( directoryService );
-
- // The ID
- kdcServer.setServiceId( kdcServerBean.getServerId() );
-
+ KerberosConfig kdcConfig = new KerberosConfig();
+
// AllowableClockSkew
- kdcServer.setAllowableClockSkew( kdcServerBean.getKrbAllowableClockSkew() );
-
+ kdcConfig.setAllowableClockSkew( kdcServerBean.getKrbAllowableClockSkew() );
+
// BodyChecksumVerified
- kdcServer.setBodyChecksumVerified( kdcServerBean.isKrbBodyChecksumVerified() );
-
- // CatalogBased
- //kdcServer.setCatelogBased( kdcServerBean.is );
-
+ kdcConfig.setBodyChecksumVerified( kdcServerBean.isKrbBodyChecksumVerified() );
+
// EmptyAddressesAllowed
- kdcServer.setEmptyAddressesAllowed( kdcServerBean.isKrbEmptyAddressesAllowed() );
-
+ kdcConfig.setEmptyAddressesAllowed( kdcServerBean.isKrbEmptyAddressesAllowed() );
+
// EncryptionType
EncryptionType[] encryptionTypes = createEncryptionTypes( kdcServerBean.getKrbEncryptionTypes() );
- kdcServer.setEncryptionTypes( encryptionTypes );
-
+ kdcConfig.setEncryptionTypes( encryptionTypes );
+
// ForwardableAllowed
- kdcServer.setForwardableAllowed( kdcServerBean.isKrbForwardableAllowed() );
-
+ kdcConfig.setForwardableAllowed( kdcServerBean.isKrbForwardableAllowed() );
+
// KdcPrincipal
- kdcServer.setKdcPrincipal( kdcServerBean.getKrbKdcPrincipal().toString() );
-
+ kdcConfig.setServicePrincipal( "krbtgt/" + kdcServerBean.getKrbPrimaryRealm() + "@" + kdcServerBean.getKrbPrimaryRealm() );
+
// MaximumRenewableLifetime
- kdcServer.setMaximumRenewableLifetime( kdcServerBean.getKrbMaximumRenewableLifetime() );
-
+ kdcConfig.setMaximumRenewableLifetime( kdcServerBean.getKrbMaximumRenewableLifetime() );
+
// MaximumTicketLifetime
- kdcServer.setMaximumTicketLifetime( kdcServerBean.getKrbMaximumTicketLifetime() );
-
+ kdcConfig.setMaximumTicketLifetime( kdcServerBean.getKrbMaximumTicketLifetime() );
+
// PaEncTimestampRequired
- kdcServer.setPaEncTimestampRequired( kdcServerBean.isKrbPaEncTimestampRequired() );
-
+ kdcConfig.setPaEncTimestampRequired( kdcServerBean.isKrbPaEncTimestampRequired() );
+
// PostdatedAllowed
- kdcServer.setPostdatedAllowed( kdcServerBean.isKrbPostdatedAllowed() );
-
+ kdcConfig.setPostdatedAllowed( kdcServerBean.isKrbPostdatedAllowed() );
+
// PrimaryRealm
- kdcServer.setPrimaryRealm( kdcServerBean.getKrbPrimaryRealm() );
-
+ kdcConfig.setPrimaryRealm( kdcServerBean.getKrbPrimaryRealm() );
+
// ProxiableAllowed
- kdcServer.setProxiableAllowed( kdcServerBean.isKrbProxiableAllowed() );
+ kdcConfig.setProxiableAllowed( kdcServerBean.isKrbProxiableAllowed() );
// RenewableAllowed
- kdcServer.setRenewableAllowed( kdcServerBean.isKrbRenewableAllowed() );
-
+ kdcConfig.setRenewableAllowed( kdcServerBean.isKrbRenewableAllowed() );
+
// searchBaseDn
- kdcServer.setSearchBaseDn( kdcServerBean.getSearchBaseDn().getName() );
+ kdcConfig.setSearchBaseDn( kdcServerBean.getSearchBaseDn().getName() );
+
+ KdcServer kdcServer = new KdcServer( kdcConfig );
+
+ kdcServer.setDirectoryService( directoryService );
+ kdcServer.setEnabled( true );
+
+ // The ID
+ kdcServer.setServiceId( kdcServerBean.getServerId() );
// The transports
Transport[] transports = createTransports( kdcServerBean.getTransports() );
kdcServer.setTransports( transports );
+ ChangePasswordServerBean changePasswordServerBean = directoryServiceBean.getChangePasswordServerBean();
+
+ // Fist, do nothing if the ChangePasswordServer is disabled
+ if ( ( changePasswordServerBean != null ) && !changePasswordServerBean.isDisabled() )
+ {
+ ChangePasswordServer changePasswordServer = new ChangePasswordServer( new ChangePasswordConfig( kdcConfig ) );
+ changePasswordServer.setEnabled( true );
+ changePasswordServer.setDirectoryService( directoryService );
+
+ // Transports
+ Transport[] chngPwdTransports = createTransports( changePasswordServerBean.getTransports() );
+ changePasswordServer.setTransports( chngPwdTransports );
+
+ kdcServer.setChangePwdServer( changePasswordServer );
+ }
+
return kdcServer;
}
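Review bot: The early `return null` when the KDC bean is missing or disabled now also discards a configured and enabled change-password server, because the `changePasswordServerBean` block runs only after it and `ApacheDsService` no longer starts that server separately (its `startChangePwd` call is commented out in this commit), so that combination fails silently. At minimum log it before the return, e.g. `LOG.warn( "Change password server is enabled but the KDC is disabled; it will not be started" )` (assuming the class has a logger), or state on the method that the change-password server is only started as part of the KDC. The comment `// Fist, do nothing if the ChangePasswordServer is disabled` describes the inverse of the condition under it and carries the typo copied from the KDC check; `// Wire the change-password server only when it is configured and enabled` matches the code. The Javadoc above the hunk presumably still has an `@param kdcServerBean`, which should become `@param directoryServiceBean` with a note that it also supplies the change-password configuration.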
Modified: directory/apacheds/trunk/service/src/main/java/org/apache/directory/server/ApacheDsService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/service/src/main/java/org/apache/directory/server/ApacheDsService.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/service/src/main/java/org/apache/directory/server/ApacheDsService.java (original)
+++ directory/apacheds/trunk/service/src/main/java/org/apache/directory/server/ApacheDsService.java Wed Feb 6 18:19:36 2013
@@ -58,7 +58,6 @@ import org.apache.directory.server.confi
import org.apache.directory.server.config.beans.ConfigBean;
import org.apache.directory.server.config.beans.DirectoryServiceBean;
import org.apache.directory.server.config.beans.HttpServerBean;
-import org.apache.directory.server.config.beans.KdcServerBean;
import org.apache.directory.server.config.beans.LdapServerBean;
import org.apache.directory.server.config.beans.NtpServerBean;
import org.apache.directory.server.config.builder.ServiceBuilder;
@@ -195,7 +194,7 @@ public class ApacheDsService
//startChangePwd( directoryServiceBean.getChangePasswordServerBean(), directoryService );
// start the Kerberos server
- startKerberos( directoryServiceBean.getKdcServerBean(), directoryService );
+ startKerberos( directoryServiceBean, directoryService );
// start the jetty http server
startHttpServer( directoryServiceBean.getHttpServerBean(), directoryService );
@@ -462,12 +461,12 @@ public class ApacheDsService
/**
* start the KERBEROS server
*/
- private void startKerberos( KdcServerBean kdcServerBean, DirectoryService directoryService ) throws Exception
+ private void startKerberos( DirectoryServiceBean directoryServiceBean, DirectoryService directoryService ) throws Exception
{
LOG.info( "Starting the Kerberos server" );
long startTime = System.currentTimeMillis();
- kdcServer = ServiceBuilder.createKdcServer( kdcServerBean, directoryService );
+ kdcServer = ServiceBuilder.createKdcServer( directoryServiceBean, directoryService );
if ( kdcServer == null )
{
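Review bot: The Javadoc `start the KERBEROS server` on the widened `startKerberos( DirectoryServiceBean directoryServiceBean, DirectoryService directoryService )` does not say what the new parameter is for; since `ServiceBuilder.createKdcServer` now also builds the change-password server from the same bean, document it, e.g. `@param directoryServiceBean the service configuration; both the KDC and its embedded change-password server are built from it`. Also, `LOG.info( "Starting the Kerberos server" )` at the top of the method is emitted a second time a few lines further down, after the null check in the next hunk, so one of the two messages is redundant. The method body continues past this hunk.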
@@ -475,6 +474,8 @@ public class ApacheDsService
return;
}
+ LOG.info( "Starting the Kerberos server" );
+
getDirectoryService().startup();
kdcServer.setDirectoryService( getDirectoryService() );