Posted to dev@directory.apache.org by "Charles Hedrick (JIRA)" <ji...@apache.org> on 2019/07/10 21:57:00 UTC
[jira] [Commented] (DIRAPI-350) gssapi documentation
[ https://issues.apache.org/jira/browse/DIRAPI-350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16882471#comment-16882471 ]
Charles Hedrick commented on DIRAPI-350:
----------------------------------------
My apologies. The sample has unnecessary code. The cc argument and the constructor aren't really needed. I can update the code if you want.
> gssapi documentation
> --------------------
>
> Key: DIRAPI-350
> URL: https://issues.apache.org/jira/browse/DIRAPI-350
> Project: Directory Client API
> Issue Type: Documentation
> Affects Versions: 2.0.0.AM4
> Reporter: Charles Hedrick
> Priority: Major
>
> In the section on authentication, there is no usable documentation for GSSAPI. Since GSSAPI is mostly used for Kerberos, you need sample code. Here is some that works.
> First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos configuration is not well documented elsewhere, so we include here sample code. It is possible to put configuration information in a JAAS login configuration file as well, but doing it programmatically provides more flexibility for applications that need to use more than one principal.
> import java.net.InetAddress;
> import java.util.HashMap;
> import java.util.Map;
> import javax.security.auth.login.AppConfigurationEntry;
> import javax.security.auth.login.Configuration;
>
> // JAAS Configuration built in code instead of a login configuration file.
> class KerberosConfiguration extends Configuration {
>     private String cc;
>
>     public KerberosConfiguration(String cc) {
>         this.cc = cc;
>     }
>
>     @Override
>     public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>         Map<String, String> options = new HashMap<String, String>();
>         // Authenticate as the host principal from the system keytab.
>         options.put("useKeyTab", "true");
>         try {
>             options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName() + "@MYKERBOSDOMAIN");
>         } catch (Exception e) {
>             System.out.println("Can't find our hostname " + e);
>         }
>         options.put("refreshKrb5Config", "true");
>         options.put("keyTab", "/etc/krb5.keytab");
>         options.put("debug", "true");
>         return new AppConfigurationEntry[] {
>             new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
>                 AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
>                 options) };
>     }
> }
>
> // Factory method; lives in the class that performs the bind.
> public KerberosConfiguration makeKerberosConfiguration(String cc) {
>     return new KerberosConfiguration(cc);
> }
>
> makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI. The options in this example authenticate the host, based on /etc/krb5.keytab. Other options are documented in the Java documentation for the class Krb5LoginModule. Note that if you are going to use user credentials, they should be stored in a file, not KEYRING or KCM.
>
> The following code uses a configuration generated with the code above to do a GSSAPI SASL bind. The assumption is that ldapNetworkConnection has already been opened using connect.
> import javax.security.auth.login.Configuration;
> import org.apache.directory.api.ldap.model.exception.LdapException;
> import org.apache.directory.api.ldap.model.message.BindResponse;
> import org.apache.directory.ldap.client.api.SaslGssApiRequest;
>
> Configuration sconfig = makeKerberosConfiguration(null);
> SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
> saslGssApiRequest.setLoginModuleConfiguration( sconfig );
> saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest" );
> saslGssApiRequest.setMutualAuthentication( false );
>
> BindResponse br;
>
> try {
>     // Kerberos SASL bind over the already-connected ldapNetworkConnection
>     br = ldapNetworkConnection.bind( saslGssApiRequest );
>     ldapNetworkConnection.startTls();
> } catch ( LdapException e ) {
>     e.printStackTrace();
> }
> At this point you can do search or other operations.
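The same GSSAPI bind as an added example (not the reporter's code and not part of the Directory Client API) with the settings a production deployment normally wants: TLS established before any bind traffic, mutual authentication left on so the client also verifies the server, the principal and keytab path passed in instead of derived from the local hostname, and the bind result checked rather than only caught. `GssapiBindExample`, `keytabConfiguration` and `bindWithGssapi` are names chosen here; the client API calls used are the ones shown in the report plus `LdapNetworkConnection`, `ResultCodeEnum` and `LdapResult`.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;
public class GssapiBindExample {
    // JAAS configuration for one keytab principal: no hostname lookup, no debug output.
    static Configuration keytabConfiguration(final String principal, final String keytabPath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> options = new HashMap<>();
                options.put("useKeyTab", "true");
                options.put("keyTab", keytabPath);
                options.put("principal", principal);
                options.put("doNotPrompt", "true");      // never fall back to interactive prompts
                options.put("refreshKrb5Config", "true");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
            }
        };
    }
    // Connects, upgrades to TLS, then binds; returns the bound connection or throws.
    static LdapNetworkConnection bindWithGssapi(String host, int port, String principal,
            String keytabPath) throws LdapException {
        LdapNetworkConnection conn = new LdapNetworkConnection(host, port);
        try {
            conn.connect();
            conn.startTls();                      // protect the session before any bind traffic
            SaslGssApiRequest req = new SaslGssApiRequest();
            req.setLoginModuleConfiguration(keytabConfiguration(principal, keytabPath));
            req.setLoginContextName("org.apache.directory.ldap.client.api.SaslGssApiRequest");
            req.setMutualAuthentication(true);    // client verifies the server's identity too
            BindResponse br = conn.bind(req);
            if (br.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS) {
                throw new LdapException("GSSAPI bind failed: " + br.getLdapResult());
            }
            return conn;
        } catch (LdapException | RuntimeException e) {
            try { conn.close(); } catch (Exception ignored) { } // do not leak a half-set-up socket
            throw e;
        }
    }
}
```

Before relying on startTls(), make sure the connection's trust managers actually verify the server certificate (LdapConnectionConfig.setTrustManagers); the client API's default may not. Some servers refuse SASL integrity or confidentiality layers once TLS is active, so the request's quality of protection may need to stay at authentication only.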