Posted to dev@directory.apache.org by Kamalakar M <km...@apple.com> on 2012/03/21 15:30:22 UTC
Help: Steps/Procedure to create Kerberos(MIT) Principals from JAVA using Apache DS API
Hi Apache DS Team
I need help creating Kerberos principals from Java using the Apache DS API.
I am using krb5-1.10.1 with OpenLDAP as the backend.
I am able to add principals using addprinc and authenticate using kinit from the Terminal.
Environment Details:
Operating System: Mac OS X - Snow Leopard.
Kerberos: MIT, Version krb5-1.10.1
Back End for Kerberos: OpenLDAP 2.4.11
Please find attached krb5.conf used.
I would like to know the steps/procedure to create Kerberos (MIT) principals from Java using the Apache DS API [so that kinit will authenticate and tickets will be issued].
With the following code I am able to:
see the 'krbPrincipalKey' in the Java console, and
insert an entry into OpenLDAP.
Kindly check whether this is the right way to proceed.
import java.io.IOException;
import java.nio.ByteBuffer;

import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.ldap.model.entry.Attribute;
import org.apache.directory.shared.ldap.model.entry.DefaultAttribute;
import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.exception.LdapException;

public class CreatePrincipal {

    public static void createPrincipalWithDSCode() throws LdapException, IOException {
        // Realm container used by the MIT kdb_ldap backend, and the new principal's RDN.
        String USERS_DN = "cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com";
        String rdn = "krbPrincipalName=Kamal12321@EXAMPLE.COM";
        String principalName = "Kamal12321@EXAMPLE.COM";
        String userPassword = "apple";
        // Identity used for the LDAP bind; it must be allowed to write krbPrincipalKey.
        String loginDN = "cn=Manager,dc=example,dc=com"; // ou=people,dc=example,dc=com
        String loginDNPwd = "apple123$"; // "people"

        LdapConnection connection = null;
        try {
            connection = new LdapNetworkConnection("localhost", 389);
            connection.bind(loginDN, loginDNPwd);

            Entry entry = new DefaultEntry();
            entry.setDn(rdn + "," + USERS_DN);
            entry.add("objectClass", "krbPrincipal", "krbPrincipalAux", "krbTicketPolicyAux");
            entry.add("krbPrincipalName", principalName);
            entry.add("krbLoginFailedCount", "0");
            // Added once only; the original added the same value twice.
            entry.add("krbTicketFlags", "0");

            // Derive a DES key from the password. DES (etype 3, des-cbc-md5) is a weak,
            // deprecated enctype and is kept here only because the original code used it.
            KerberosPrincipal principal = new KerberosPrincipal(principalName);
            KerberosKey kerberosKey = new KerberosKey(principal, userPassword.toCharArray(), "DES");
            EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5,
                    kerberosKey.getEncoded(), kerberosKey.getVersionNumber());

            // DER-encode the key as an RFC 4120 EncryptionKey
            // (SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }).
            // Note: MIT's kdb_ldap stores krbPrincipalKey in its own KrbKeySet layout
            // (with kvno/mkvno and keys encrypted under the KDC master key), not as a
            // bare EncryptionKey, so the KDC will not be able to decode this value.
            ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
            encryptionKey.encode(buffer);
            Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
            // Attribute.add takes byte[] varargs; no 2D array is needed.
            keyAttribute.add(buffer.array());
            entry.put(keyAttribute);

            System.out.println("keyAttribute" + keyAttribute);
            System.out.println("entry" + entry);
            connection.add(entry);
            System.out.println("Entry has been created");
            System.out.println(connection);
            connection.unBind();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // The connection may never have been opened if the constructor threw.
            if (connection != null) {
                connection.close();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        createPrincipalWithDSCode();
    }
}
Java console:
keyAttribute krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
entryEntry
dn: krbPrincipalName=Kamal12321@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
krbTicketFlags: 0
krbLoginFailedCount: 0
krbPrincipalName: Kamal12321@EXAMPLE.COM
Entry has been created
org.apache.directory.ldap.client.api.LdapNetworkConnection@526d0040
And when I kinit from the Terminal as the principal created above, it results in the error below.
AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT: kamal1111@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, unable to decode stored principal key data (ASN.1 identifier doesn't match expected value)
Thanks
Kamalakar
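As an added, stand-alone example (not code from the original post, nor from Apache DS or MIT krb5): a small Python diagnostic that decodes a krbPrincipalKey value of the shape the Java code above writes, parses the KDC log line quoted in the post, and cross-checks the two. The DER sample is constructed to match the console dump (30 11 A0 03 02 01 03 A1 0A 04 08 ...) with a made-up 8-byte key in place of the elided bytes; the etype numbers are the RFC 3961 / RFC 4120 assignments. It shows that the stored value really is an RFC 4120 EncryptionKey with keytype 3 (des-cbc-md5), that etype 3 was in the client's offered list (so etype negotiation is not what failed), that the KDC looked up a different principal than the one created, and that the decode error is consistent with MIT's LDAP backend expecting its own KrbKeySet layout (attribute version numbers, kvno, mkvno and keys encrypted under the KDC master key) rather than a bare EncryptionKey, which this Java code cannot produce without the master key.

```python
"""Decode a krbPrincipalKey value and read an MIT krb5kdc AS_REQ log line."""
import re

# RFC 3961 / RFC 4120 encryption type numbers for the etypes in the KDC log line.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Constructed sample: same DER layout as the console dump in the post
# (30 11 A0 03 02 01 03 A1 0A 04 08 ...) but with a made-up 8-byte DES key.
SAMPLE_KEY_DER = bytes.fromhex("3011a003020103a10a0408" + "0123456789abcdef")

# KDC log line copied from the post.
SAMPLE_KDC_LOG = ("AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT: "
                  "kamal1111@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, unable to decode "
                  "stored principal key data (ASN.1 identifier doesn't match expected value)")


def _read_tlv(buf, pos):
    """Read one DER TLV at pos. Returns (tag, value, position after the value)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def _expect(buf, pos, tag, what):
    """Read a TLV and insist on a specific tag."""
    got, value, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("%s: expected tag 0x%02X, got 0x%02X" % (what, tag, got))
    return value, nxt


def decode_encryption_key(der):
    """Decode RFC 4120 EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }.
    Anything that is not exactly that structure is rejected."""
    seq, end = _expect(der, 0, 0x30, "EncryptionKey")
    if end != len(der):
        raise ValueError("trailing bytes after EncryptionKey")
    ctx0, pos = _expect(seq, 0, 0xA0, "keytype [0]")
    ival, inner_end = _expect(ctx0, 0, 0x02, "keytype INTEGER")
    if inner_end != len(ctx0):
        raise ValueError("junk inside keytype [0]")
    ctx1, pos = _expect(seq, pos, 0xA1, "keyvalue [1]")
    keyvalue, inner_end = _expect(ctx1, 0, 0x04, "keyvalue OCTET STRING")
    if inner_end != len(ctx1) or pos != len(seq):
        raise ValueError("unexpected extra content in EncryptionKey")
    keytype = int.from_bytes(ival, "big", signed=True)
    return {"keytype": keytype,
            "keytype_name": ETYPE_NAMES.get(keytype, "unknown"),
            "keyvalue": keyvalue}


def is_rfc4120_encryption_key(der):
    """True if der parses cleanly as a bare RFC 4120 EncryptionKey."""
    try:
        decode_encryption_key(der)
        return True
    except (ValueError, IndexError):
        return False


KDC_AS_REQ = re.compile(
    r"AS_REQ \((\d+) etypes \{([\d ]+)\}\) (\S+): LOOKING_UP_CLIENT: (\S+) for (\S+), (.*)")


def parse_as_req_log(line):
    """Pull the offered etypes, client address, client and server principals and the
    status text out of a krb5kdc AS_REQ line of the shape shown in the post."""
    m = KDC_AS_REQ.search(line)
    if not m:
        raise ValueError("not an AS_REQ LOOKING_UP_CLIENT line")
    etypes = [int(x) for x in m.group(2).split()]
    if len(etypes) != int(m.group(1)):
        raise ValueError("etype count does not match the list")
    return {"etypes": etypes, "client_addr": m.group(3), "client": m.group(4),
            "server": m.group(5), "status": m.group(6)}


def diagnose(created_principal, stored_key_der, kdc_log_line):
    """Cross-check what was written to krbPrincipalKey against what the KDC reported."""
    key = decode_encryption_key(stored_key_der)
    req = parse_as_req_log(kdc_log_line)
    return {
        # Principal names are case-sensitive; here the KDC looked up a different name entirely.
        "principal_mismatch": req["client"] != created_principal,
        # If the stored keytype is in the client's list, etype negotiation is not what failed.
        "etype_offered": key["keytype"] in req["etypes"],
        "stored_etype": key["keytype_name"],
        # MIT kdb_ldap expects its own KrbKeySet layout (version numbers, kvno, mkvno, keys
        # encrypted under the master key), so a bare EncryptionKey is the wrong shape.
        "key_undecodable_by_kdc": "unable to decode stored principal key data" in req["status"],
    }


if __name__ == "__main__":
    for name, value in diagnose("Kamal12321@EXAMPLE.COM", SAMPLE_KEY_DER, SAMPLE_KDC_LOG).items():
        print("%-24s %s" % (name, value))
```

To check a real entry, read the krbPrincipalKey bytes back from OpenLDAP (for example with ldapsearch and base64 decoding) and pass them in place of SAMPLE_KEY_DER together with the matching krb5kdc log line.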
Re: Help: Steps/Procedure to create Kerberos(MIT) Principals from JAVA using Apache DS API
Posted by Kiran Ayyagari <ka...@apache.org>.
Looks like you are trying to fetch the ticket for a different (wrong?) principal.
You created Kamal12321@EXAMPLE.COM but kinit shows kamal1111@EXAMPLE.COM.
On Wed, Mar 21, 2012 at 8:00 PM, Kamalakar M <km...@apple.com> wrote:
> Hi Apache DS Team
>
> I required a help in creating the kerberos principals from java using apache
> DS API.
>
> I am using krb5-1.10.1with OpenLDAP in the backend.
> I am able to add principals using addprinc and authenticate using kinit from
> Terminal.
>
> Environment Details:
> Operating System: Mac OS X - Snow Leopard.
> Kerberos: MIT, Version krb5-1.10.1
> Back End for Kerberos: Open LDAP 2.4.11
> Please find attached krb5.conf used.
>
>
>
> I would like to know the steps/procedure in order to create Kerberos(MIT)
> Principals from JAVA using Apache DS API [So that kinit will get
> authenticate and issue tickets].
>
> With the following code i am able to
>
> See the 'krbprincipalkey' in Java Console.
> Inserts an entry into Open LDAP.
> Kindly check whether is this the right way to proceed.
>
> import java.io.IOException;
> import java.nio.ByteBuffer;
>
> import javax.security.auth.kerberos.KerberosKey;
> import javax.security.auth.kerberos.KerberosPrincipal;
>
> import org.apache.directory.ldap.client.api.LdapConnection;
> import org.apache.directory.ldap.client.api.LdapNetworkConnection;
> import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
> import org.apache.directory.shared.kerberos.components.EncryptionKey;
> import org.apache.directory.shared.ldap.model.entry.Attribute;
> import org.apache.directory.shared.ldap.model.entry.DefaultAttribute;
> import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
> import org.apache.directory.shared.ldap.model.entry.Entry;
> import org.apache.directory.shared.ldap.model.exception.LdapException;
> public static void createPrincipalWithDSCode () throws LdapException,
> IOException{
> String USERS_DN = "cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com";
> String rdn ="krbPrincipalName=Kamal12321@EXAMPLE.COM";
> String principalName = "Kamal12321@EXAMPLE.COM";
> String userPassword ="apple";
> String loginDN = "cn=Manager,dc=example,dc=com";//
> ou=people,dc=example,dc=com";
> String loginDNPwd = "apple123$";// "people";
>
> LdapConnection connection = null;
> try {
> connection = new LdapNetworkConnection("localhost", 389);
> connection.bind(loginDN, loginDNPwd);
>
> Entry entry = new DefaultEntry();
> entry.setDn( rdn + "," + USERS_DN );
> entry.add( "objectClass", "krbPrincipal",
> "krbPrincipalAux","krbTicketPolicyAux");
> entry.add("krbPrincipalName",principalName);
> entry.add("krbLoginFailedCount","0");
> entry.add("krbTicketFlags", "0");
> entry.add("krbTicketFlags", "0");
>
> KerberosPrincipal principal = new KerberosPrincipal(principalName);
> KerberosKey kerberosKey = new KerberosKey(principal,
> userPassword.toCharArray(), "DES");
> EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5,
> kerberosKey.getEncoded(), kerberosKey.getVersionNumber());
> Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
> ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
> encryptionKey.encode(buffer);
> keyAttribute.add(new byte[][] { buffer.array() });
Why are you inserting a 2D array here?
> //entry.put(new Attribute[] {
> getKeyAttribute(addContext.getSession().getDirectoryService().getSchemaManager(),
> keys) });
> entry.put(new Attribute[]{keyAttribute});
> System.out.println("keyAttribute" +keyAttribute);
> //entry.add(keyAttribute);
> System.out.println("entry" +entry);
> connection.add( entry );
> System.out.println("Entry has been created");
> System.out.println(connection);
> connection.unBind();
> }catch (Exception e) {
> e.printStackTrace();
> }
> finally{
> connection.close();
> }
>
> }
> JAVA Console:
> keyAttribute krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1
> 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
>
> entryEntry
> dn:
> krbPrincipalName=Kamal12321@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com
> objectClass: krbPrincipal
> objectClass: krbPrincipalAux
> objectClass: krbTicketPolicyAux
> krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
> 0xD3 0x45 0x25 0x46 0xA4 ...'
> krbTicketFlags: 0
> krbLoginFailedCount: 0
> krbPrincipalName: Kamal12321@EXAMPLE.COM
>
> Entry has been created
> org.apache.directory.ldap.client.api.LdapNetworkConnection@526d0040
>
> And when kinit from terminal the principal that has been created above,
> results the below error.
> AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT:
> kamal1111@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, unable to decode
> stored principal key data (ASN.1 identifier doesn't match expected value)
>
> Thanks
> Kamalakar
>
--
Kiran Ayyagari