Posted to users@tomcat.apache.org by Hendrik Dev <he...@gmail.com> on 2013/12/05 15:48:07 UTC

JNDI Realm and GSSAPI problems with TC 7

Hi,

I have a few questions about the JNDIRealm, GSSAPI (Kerberos 5 mech)
authentication and the SPNEGO Authenticator Valve in TC 7.0.47:

Preface: In the docs the SPNEGO Authenticator Valve/JNDIRealm is called
"30) Windows Authentication", but I guess it's not only working for
Windows? I see no code which is explicitly tied to Windows or Active
Directory, so I assume it's also working for a Linux/MIT Kerberos/OpenLDAP
setup; is this true?

What I try to achieve is that the JNDIRealm will use the user's
delegated credentials (the user being authenticated by the SPNEGO valve)
to connect to the LDAP server and then query the roles to which the user
belongs. This is not working for me for two reasons:

1) JNDIRealm tries initially on startup to make a connection to the
LDAP server, which makes no sense because there are no GSSAPI
credentials yet -> JNDIRealm.startInternal() (Line 2225)

2) After temporarily solving issue 1), the JNDI Realm prompts me for
username and password. This seems to be originating from the SASL
Client default callback. I tried to register my own CallbackHandler
(setting java.naming.security.sasl.callback) but it's ignored.
Inspecting the code of JNDIRealm.java, it seems that such a scenario is
not indented, but the docs argue the converse:
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance

Any help is appreciated.

Thanks
Hendrik

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] JNDI Realm and GSSAPI problems with TC 7

Posted by Mark Thomas <ma...@apache.org>.
"André Warnier" <aw...@ice-sa.com> wrote:
>Mark Thomas wrote:
>...
>
>> 
>> It *should* work with those but it has only been tested with:
>> - Windows domain controller
>> - Windows client
>> - Tomcat running on Windows Server
>> - Tomcat running on Ubuntu Server
>> 
>..
>Ah! To my knowledge, this is the first indication *ever* that this
>also works on Unix/Linux Tomcat hosts.
>
>The page at
>http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
>does not say this, and the language used strongly tends to suggest that
>it works under Windows (as a Tomcat host), and never actually mentions
>any other OS.

It has worked since the day the feature was added but I only found the time to test it to confirm it works this week. The docs were updated in svn a few days ago and will be included in the next 7.0.x and 8.0.x releases.

Mark




Re: [OT] JNDI Realm and GSSAPI problems with TC 7

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
...

> 
> It *should* work with those but it has only been tested with:
> - Windows domain controller
> - Windows client
> - Tomcat running on Windows Server
> - Tomcat running on Ubuntu Server
> 
..
Ah! To my knowledge, this is the first indication *ever* that this also
works on Unix/Linux Tomcat hosts.

The page at
http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
does not say this, and the language used strongly tends to suggest that it
works under Windows (as a Tomcat host), and never actually mentions any
other OS.



Re: JNDI Realm and GSSAPI problems with TC 7

Posted by Mark Thomas <ma...@apache.org>.
On 05/12/2013 14:48, Hendrik Dev wrote:
> Hi,
> 
> I have a few questions about the JNDIRealm, GSSAPI (Kerberos 5 mech)
> authentication and the SPNEGO Authenticator Valve in TC 7.0.47:
> 
> Preface: In the docs the SPNEGO Authenticator Valve/JNDIRealm is called
> "30) Windows Authentication", but I guess it's not only working for
> Windows? I see no code which is explicitly tied to Windows or Active
> Directory, so I assume it's also working for a Linux/MIT Kerberos/OpenLDAP
> setup; is this true?

It *should* work with those but it has only been tested with:
- Windows domain controller
- Windows client
- Tomcat running on Windows Server
- Tomcat running on Ubuntu Server

The remainder of my reply is based on a combination of reading the
source and what I recall of my intentions when I implemented the SPNEGO
support rather than actual testing.

> What I try to achieve is that the JNDIRealm will use the user's
> delegated credentials (the user being authenticated by the SPNEGO valve)
> to connect to the LDAP server and then query the roles to which the user
> belongs. This is not working for me for two reasons:
> 
> 1) JNDIRealm tries initially on startup to make a connection to the
> LDAP server, which makes no sense because there are no GSSAPI
> credentials yet -> JNDIRealm.startInternal() (Line 2225)

Either the directory will need to allow anonymous bind or you'll need to
define a user with minimal privs and provide the appropriate user name
and password in the connectionName and connectionPassword attributes.

> 2) After temporarily solving issue 1)
How?

> the JNDI Realm prompts me for username and password.
Do you mean Tomcat tells your browser to display the BASIC auth password
dialog? Or do you mean something else? What are the HTTP headers at this
point?

> This seems to be originating from the SASL Client default callback.
What are you basing that statement on?

> I tried to register my own callbackhandler
> (setting java.naming.security.sasl.callback) but it’s ignored.
What did you set this to?

> Inspecting the code of JNDIRealm.java it seems that such a scenario is
> not indented
I assume you mean intended here.

Take another look at the getPrincipal(DirContext, String, GSSCredential)
method. Keep in mind that the SPNEGO authenticator is a little different
in that it doesn't obtain the username and credentials for a Realm to
validate. The SPNEGO authenticator provides an authenticated user and
their associated credentials. The Realms simply use the authenticated
user without further validation.

> but the docs argue the converse
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance
The default behaviour with the JNDIRealm is to use the authenticated
client's credentials to obtain the roles.

> Any help is appreciated.
A good place to start would be for you to provide us with some
configuration details. The behaviour you seem to be aiming for is
supported and very close to the default. At this point this looks like a
configuration error but we can't help much if we can't see the
configuration.

Mark
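A server.xml fragment, added here as an illustration and not taken from the thread or from Tomcat's own documentation, of the setup Mark describes: a least-privilege bind identity for the startup connection, and the delegated SPNEGO credential for the per-user role lookup. It assumes Tomcat 7.0.x; the host names, DNs, search filters and password are placeholders.

```xml
<!-- Added example, not from the thread or from the Tomcat docs.
     Assumptions: web.xml declares <auth-method>SPNEGO</auth-method>,
     which makes Tomcat 7 select the SPNEGO authenticator, and the JVM is
     started with -Djava.security.krb5.conf and
     -Djava.security.auth.login.config pointing at a krb5.conf and a JAAS
     login file as in the Windows auth how-to. Host names, DNs, filters
     and the password below are placeholders. -->

<!-- Point 1 of the thread: JNDIRealm opens a directory connection at
     startup, before any user has authenticated, so it needs credentials
     of its own. Use a dedicated identity that can only search the user
     and group subtrees (or anonymous bind, if the directory allows it),
     never a directory administrator account. -->

<!-- Point 2: with useDelegatedCredential="true" (the default) the realm
     binds with the GSSAPI credential that the SPNEGO authenticator stored
     in the Principal when it looks up that user's roles, so no SASL
     username/password callback is involved. Setting it to "false" makes
     the realm use the startup connection (connectionName and
     connectionPassword) for the role search instead; check this value if
     the lookup unexpectedly runs as the service account. -->

<!-- {0} in userSearch is the name the SPNEGO authenticator derived from
     the Kerberos principal; the attribute matched here must hold the
     name in that same form for this directory. -->

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.test:389"
       connectionName="cn=tomcat-lookup,ou=services,dc=example,dc=test"
       connectionPassword="PLACEHOLDER-change-me"
       useDelegatedCredential="true"
       userBase="ou=people,dc=example,dc=test"
       userSubtree="true"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=test"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
```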

