Posted to dev@directory.apache.org by Kamalakar M <km...@apple.com> on 2012/03/21 15:30:22 UTC

Help: Steps/Procedure to create Kerberos(MIT) Principals from JAVA using Apache DS API

Hi Apache DS Team

I need help creating Kerberos principals from Java using the Apache DS API.

I am using krb5-1.10.1 with OpenLDAP as the backend.
I am able to add principals using addprinc and authenticate using kinit from the Terminal.

Environment Details:
Operating System: Mac OS X - Snow Leopard.
Kerberos: MIT, Version krb5-1.10.1
Back End for Kerberos: Open LDAP 2.4.11
Please find attached krb5.conf used.



I would like to know the steps/procedure to create Kerberos (MIT) principals from Java using the Apache DS API [so that kinit will authenticate and issue tickets].

With the following code I am able to:
see the 'krbPrincipalKey' in the Java console;
insert an entry into OpenLDAP.
Kindly check whether this is the right way to proceed.
import java.io.IOException;
import java.nio.ByteBuffer;

import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.ldap.model.entry.Attribute;
import org.apache.directory.shared.ldap.model.entry.DefaultAttribute;
import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.exception.LdapException;

public class CreatePrincipal {

    public static void createPrincipalWithDSCode() throws LdapException, IOException {
        String USERS_DN = "cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com";
        String rdn = "krbPrincipalName=Kamal12321@EXAMPLE.COM";
        String principalName = "Kamal12321@EXAMPLE.COM";
        String userPassword = "apple";
        String loginDN = "cn=Manager,dc=example,dc=com";   // "ou=people,dc=example,dc=com"
        String loginDNPwd = "apple123$";                    // "people"

        LdapConnection connection = null;
        try {
            connection = new LdapNetworkConnection("localhost", 389);
            connection.bind(loginDN, loginDNPwd);

            // Principal entry built from the MIT Kerberos LDAP schema object classes
            Entry entry = new DefaultEntry();
            entry.setDn(rdn + "," + USERS_DN);
            entry.add("objectClass", "krbPrincipal", "krbPrincipalAux", "krbTicketPolicyAux");
            entry.add("krbPrincipalName", principalName);
            entry.add("krbLoginFailedCount", "0");
            entry.add("krbTicketFlags", "0");

            // Derive a DES key from the password and DER-encode it as an
            // RFC 4120 EncryptionKey with the Apache DS Kerberos codec
            KerberosPrincipal principal = new KerberosPrincipal(principalName);
            KerberosKey kerberosKey = new KerberosKey(principal, userPassword.toCharArray(), "DES");
            EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5,
                    kerberosKey.getEncoded(), kerberosKey.getVersionNumber());
            Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
            ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
            encryptionKey.encode(buffer);
            keyAttribute.add(new byte[][] { buffer.array() });
            //entry.put(new Attribute[] { getKeyAttribute(addContext.getSession().getDirectoryService().getSchemaManager(), keys) });
            entry.put(new Attribute[] { keyAttribute });
            System.out.println("keyAttribute" + keyAttribute);
            //entry.add(keyAttribute);
            System.out.println("entry" + entry);
            connection.add(entry);
            System.out.println("Entry has been created");
            System.out.println(connection);
            connection.unBind();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // connection stays null if the constructor threw, so guard the close
            if (connection != null) {
                connection.close();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        createPrincipalWithDSCode();
    }
}
JAVA Console:
keyAttribute    krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'

entryEntry
    dn: krbPrincipalName=Kamal12321@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com
    objectClass: krbPrincipal
    objectClass: krbPrincipalAux
    objectClass: krbTicketPolicyAux
    krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
    krbTicketFlags: 0
    krbLoginFailedCount: 0
    krbPrincipalName: Kamal12321@EXAMPLE.COM

Entry has been created
org.apache.directory.ldap.client.api.LdapNetworkConnection@526d0040

And when I kinit from the terminal with the principal created above, it results in the error below.
AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT: kamal1111@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, unable to decode stored principal key data (ASN.1 identifier doesn't match expected value)

Thanks 
Kamalakar
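Added here as an editor's example, not code from the original post: a small Python DER walker over the krbPrincipalKey bytes the Java console printed. It shows that what was stored is an RFC 4120 EncryptionKey (a SEQUENCE holding [0] keytype INTEGER 3 = des-cbc-md5 and [1] an 8-byte OCTET STRING), i.e. the Apache DS wire encoding of a key, whereas the MIT KDC's LDAP backend stores krbPrincipalKey as its own KrbKeySet structure (version numbers plus key data encrypted under the KDC master key), so the first identifier it reads does not match. The key bytes elided in the post are replaced by a constructed all-zero value.

```python
from typing import Tuple

# Etype numbers as they appear in the post's AS_REQ log; 1-3 are single DES (deprecated, RFC 6649).
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Prefix exactly as printed in the post; the 8 key bytes that follow are constructed (all zero).
SAMPLE_KRB_PRINCIPAL_KEY = bytes([0x30, 0x11, 0xA0, 0x03, 0x02, 0x01, 0x03,
                                  0xA1, 0x0A, 0x04, 0x08]) + bytes(8)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos (short-form length only, which is all an EncryptionKey needs)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("unsupported or out-of-range TLV length")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def expect(tag: int, wanted: int, what: str) -> None:
    if tag != wanted:  # the same class of failure MIT reports: identifier doesn't match expected value
        raise ValueError(f"{what}: expected tag 0x{wanted:02X}, got 0x{tag:02X}")


def decode_encryption_key(der: bytes) -> dict:
    """Parse EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING } (RFC 4120)."""
    tag, body, end = read_tlv(der, 0)
    expect(tag, 0x30, "outer SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after EncryptionKey")
    tag, inner, pos = read_tlv(body, 0)             # [0] keytype, context tag 0xA0
    expect(tag, 0xA0, "[0] keytype")
    itag, ival, _ = read_tlv(inner, 0)
    expect(itag, 0x02, "keytype INTEGER")
    keytype = int.from_bytes(ival, "big", signed=True)
    tag, inner, pos = read_tlv(body, pos)           # [1] keyvalue, context tag 0xA1
    expect(tag, 0xA1, "[1] keyvalue")
    stag, sval, _ = read_tlv(inner, 0)
    expect(stag, 0x04, "keyvalue OCTET STRING")
    if pos != len(body):
        raise ValueError("trailing bytes inside EncryptionKey")
    return {"keytype": keytype, "name": ETYPE_NAMES.get(keytype, f"etype {keytype}"),
            "key_len": len(sval), "deprecated": keytype in (1, 2, 3)}


def looks_like_encryption_key(der: bytes) -> bool:
    """True if der parses as an RFC 4120 EncryptionKey, i.e. the Apache DS encoder's output."""
    try:
        decode_encryption_key(der)
        return True
    except ValueError:
        return False
```

Running decode_encryption_key on the sample reports keytype 3 (des-cbc-md5) with an 8-byte key and flags it as a deprecated etype; a value that does not start with the [0] keytype tag is rejected with the same kind of identifier mismatch the KDC logged.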

Re: Help: Steps/Procedure to create Kerberos(MIT) Principals from JAVA using Apache DS API

Posted by Kiran Ayyagari <ka...@apache.org>.
Looks like you are trying to fetch the ticket for a different (wrong?) principal:
you created Kamal12321@EXAMPLE.COM but kinit shows kamal1111@EXAMPLE.COM.

On Wed, Mar 21, 2012 at 8:00 PM, Kamalakar M <km...@apple.com> wrote:
> KerberosPrincipal principal = new KerberosPrincipal(principalName);
> KerberosKey kerberosKey = new KerberosKey(principal,
> userPassword.toCharArray(), "DES");
> EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5,
> kerberosKey.getEncoded(), kerberosKey.getVersionNumber());
> Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
> ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
> encryptionKey.encode(buffer);
> keyAttribute.add(new byte[][] { buffer.array() });
why are you inserting a 2D array here?



-- 
Kiran Ayyagari