Posted to commits@directory.apache.org by er...@apache.org on 2004/10/20 15:14:14 UTC
svn commit: rev 55150 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi
Author: erodriguez
Date: Wed Oct 20 06:14:13 2004
New Revision: 55150
Added:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
Log:
Prototype LDAP lookup code, tested against OpenLDAP 2.0.27-8, using SASL GSSAPI, mutual authentication, and high quality of protection on all traffic.
Added: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
==============================================================================
--- (empty file)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java Wed Oct 20 06:14:13 2004
@@ -0,0 +1,172 @@
+package org.apache.kerberos.kdc.jndi;
+
+import org.apache.kerberos.crypto.encryption.*;
+import org.apache.kerberos.gss.*;
+import org.apache.kerberos.messages.value.*;
+import org.apache.kerberos.util.*;
+
+import java.security.*;
+import java.util.*;
+
+import javax.naming.*;
+import javax.naming.directory.*;
+import javax.security.auth.*;
+import javax.security.auth.login.*;
+
+/**
+ * Creates an initial context to an LDAP server using SASL-GSSAPI (Kerberos V5).
+ * Establishes mutual authentication and high quality of protection on all
+ * traffic.
+ */
+class GssLdapLookupPrototype {
+
+ private static String principal = "krbtgt/25OZ.COM@25OZ.COM";
+ private static String passPhrase = "randkey";
+
+ public static void main(String[] args) {
+
+ Security.setProperty("login.configuration.provider",
+ "org.apache.kerberos.gss.GSSConfiguration");
+
+ // Log in (via Kerberos)
+ LoginContext lc = null;
+ try {
+ lc = new LoginContext(GssLdapLookupPrototype.class.getName(), new CallbackHandlerBean(principal,
+ passPhrase));
+ lc.login();
+ } catch (LoginException le) {
+ System.err.println("Authentication attempt failed" + le);
+ System.exit(-1);
+ }
+
+ String requestingPrincipal = "enrique/admin@25OZ.COM";
+
+ // Perform JNDI work as logged in subject
+ byte[] key = (byte[])Subject.doAs(lc.getSubject(), new GssLdapLookupAction(requestingPrincipal));
+ System.out.println("Got key: " + TestUtils.byte2hexString(key));
+ }
+}
+
+class GssLdapLookupAction implements PrivilegedAction {
+
+ private String _principal;
+
+ public GssLdapLookupAction(String principal) {
+ _principal = principal;
+ }
+
+ public Object run() {
+ return performJndiOperation();
+ }
+
+ private byte[] performJndiOperation() {
+
+ // Set up environment for initial context
+ Hashtable env = new Hashtable();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, "ldap://ldap.25oz.com:389/dc=25oz,dc=com");
+ // Request that the key be returned as binary, not String
+ env.put("java.naming.ldap.attributes.binary", "krb5Key");
+ // Request the use of SASL-GSSAPI, using already established Kerberos credentials
+ env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+ // Request mutual authentication
+ env.put("javax.security.sasl.server.authentication", "true");
+ // Request authentication with integrity and privacy protection
+ env.put("javax.security.sasl.qop", "auth-conf");
+ // Request high-strength cryptographic protection
+ env.put("javax.security.sasl.strength", "high");
+
+ byte[] key = null;
+ try {
+ DirContext ctx = new InitialDirContext(env);
+
+ key = getAttributes(ctx);
+
+ ctx.close();
+ } catch (NamingException e) {
+ e.printStackTrace();
+ }
+ return key;
+ }
+
+ private byte[] getAttributes(DirContext ctx) {
+
+ byte[] keyBytes = null;
+
+ try {
+ String[] attrIDs = {"sn", "krb5PrincipalName", "krb5KeyVersionNumber",
+ "krb5EncryptionType", "krb5Key"};
+
+ String name = "cn=Enrique Rodriguez";
+ Attributes attrs = ctx.getAttributes(name, attrIDs);
+
+ System.out.println("sn: " + attrs.get("sn").get());
+ System.out.println("principal: " + attrs.get("krb5PrincipalName").get());
+ System.out.println("kvno: " + attrs.get("krb5KeyVersionNumber").get());
+ System.out.println("etype: " + attrs.get("krb5EncryptionType").get());
+
+ keyBytes = (byte[]) attrs.get("krb5Key").get();
+
+ EncryptionKey key = new EncryptionKey(EncryptionType.DES_CBC_MD5, keyBytes);
+
+ System.out.println(key + ": " + key.getKeyValue().length + ": "
+ + TestUtils.byte2hexString(key.getKeyValue()));
+
+ Attributes matchAttrs = new BasicAttributes(false); // case-sensitive
+ matchAttrs.put(new BasicAttribute("krb5PrincipalName", _principal));
+ matchAttrs.put(new BasicAttribute("krb5Key"));
+
+ // Search for objects that have those matching attributes
+ NamingEnumeration answer = ctx.search("", matchAttrs, attrIDs);
+
+ // Print the answer
+ printSearchEnumeration(answer);
+
+ ctx.close();
+
+ } catch (NamingException e) {
+ System.err.println("Problem getting attribute: " + e);
+ }
+ return keyBytes;
+ }
+
+ public void printSearchEnumeration(NamingEnumeration enum) {
+ try {
+ while (enum.hasMore()) {
+ SearchResult sr = (SearchResult) enum.next();
+ System.out.println(">>>" + sr.getName());
+ printAttrs(sr.getAttributes());
+ }
+ } catch (NamingException e) {
+ e.printStackTrace();
+ }
+ }
+
+ public void printAttrs(Attributes attrs) {
+ if (attrs == null) {
+ System.out.println("No attributes");
+ } else {
+ /* Print each attribute */
+ try {
+ for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();) {
+ Attribute attr = (Attribute) ae.next();
+ System.out.println("attribute: " + attr.getID());
+
+ /* print each value */
+ for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
+ Object next = e.next();
+ if (next instanceof String) {
+ System.out.println("value: " + next);
+ }
+ if (next instanceof byte[]) {
+ System.out.println("value: " + TestUtils.byte2hexString((byte[]) next));
+ }
+ }
+ }
+ } catch (NamingException e) {
+ e.printStackTrace();
+ }
+ }
+ }
+}
+
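Review bot: The krb5Key bytes fetched from the directory are written in hex to stdout in three places (the `"Got key: "` line in main, the `key.getKeyValue()` line in getAttributes, and the `byte[]` branch of printAttrs), so every run leaves long-term Kerberos key material in whatever captures the console; the prototype should print the kvno and etype but replace the key dumps with something like `System.out.println("key: " + key.getKeyValue().length + " bytes");`. The krbtgt passphrase `randkey` sits in a static String next to the principal; even for test code it is better supplied through the CallbackHandler from a property or prompt and held as `char[]`, so it is neither committed nor interned for the JVM's lifetime. `EncryptionType.DES_CBC_MD5` is hard-coded two lines after `krb5EncryptionType` is read from the entry, so an entry with a different etype would be silently mislabelled — derive the type from that attribute, or at least compare the two and fail on mismatch. `enum` as the parameter name in printSearchEnumeration is a reserved word from Java 5 on and will not compile under `-source 1.5`; rename it, e.g. `NamingEnumeration results`. getAttributes also closes `ctx` that performJndiOperation closes again and, on a NamingException, returns `null`, which main then hands to `TestUtils.byte2hexString` — drop the inner `ctx.close()`, close once in a `finally`, and null-check the key before printing.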