directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: rev 55150 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi
Date Wed, 20 Oct 2004 13:14:14 GMT
Author: erodriguez
Date: Wed Oct 20 06:14:13 2004
New Revision: 55150

Added:
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
Log:
Prototype LDAP lookup code, tested against OpenLDAP 2.0.27-8, using SASL GSSAPI, mutual authentication,
and high quality of protection on all traffic.

Added: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
==============================================================================
--- (empty file)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jndi/GssLdapLookupPrototype.java
Wed Oct 20 06:14:13 2004
@@ -0,0 +1,172 @@
+package org.apache.kerberos.kdc.jndi;
+
+import org.apache.kerberos.crypto.encryption.*;
+import org.apache.kerberos.gss.*;
+import org.apache.kerberos.messages.value.*;
+import org.apache.kerberos.util.*;
+
+import java.security.*;
+import java.util.*;
+
+import javax.naming.*;
+import javax.naming.directory.*;
+import javax.security.auth.*;
+import javax.security.auth.login.*;
+
+/**
+ * Creates an initial context to an LDAP server using SASL-GSSAPI (Kerberos V5).
+ * Establishes mutual authentication and high quality of protection on all
+ * traffic.
+ */
+class GssLdapLookupPrototype {
+
+	private static String principal  = "krbtgt/25OZ.COM@25OZ.COM";
+	private static String passPhrase = "randkey";
+
+	public static void main(String[] args) {
+
+		Security.setProperty("login.configuration.provider",
+				"org.apache.kerberos.gss.GSSConfiguration");
+
+		// Log in (via Kerberos)
+		LoginContext lc = null;
+		try {
+			lc = new LoginContext(GssLdapLookupPrototype.class.getName(), new CallbackHandlerBean(principal,
+					passPhrase));
+			lc.login();
+		} catch (LoginException le) {
+			System.err.println("Authentication attempt failed" + le);
+			System.exit(-1);
+		}
+		
+		String requestingPrincipal = "enrique/admin@25OZ.COM";
+		
+		// Perform JNDI work as logged in subject
+		byte[] key = (byte[])Subject.doAs(lc.getSubject(), new GssLdapLookupAction(requestingPrincipal));
+		System.out.println("Got key: " + TestUtils.byte2hexString(key));
+	}
+}
+
+class GssLdapLookupAction implements PrivilegedAction {
+
+	private String _principal;
+
+	public GssLdapLookupAction(String principal) {
+		_principal = principal;
+	}
+
+	public Object run() {
+		return performJndiOperation();
+	}
+
+	private byte[] performJndiOperation() {
+
+		// Set up environment for initial context
+		Hashtable env = new Hashtable();
+		env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+		env.put(Context.PROVIDER_URL, "ldap://ldap.25oz.com:389/dc=25oz,dc=com");
+		// Request that the key be returned as binary, not String
+		env.put("java.naming.ldap.attributes.binary", "krb5Key");
+		// Request the use of SASL-GSSAPI, using already established Kerberos credentials
+		env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+		// Request mutual authentication
+		env.put("javax.security.sasl.server.authentication", "true");
+		// Request authentication with integrity and privacy protection
+		env.put("javax.security.sasl.qop", "auth-conf");
+		// Request high-strength cryptographic protection
+		env.put("javax.security.sasl.strength", "high");
+
+		byte[] key = null;
+		try {
+			DirContext ctx = new InitialDirContext(env);
+
+			key = getAttributes(ctx);
+
+			ctx.close();
+		} catch (NamingException e) {
+			e.printStackTrace();
+		}
+		return key;
+	}
+
+	private byte[] getAttributes(DirContext ctx) {
+		
+		byte[] keyBytes = null;
+		
+		try {
+			String[] attrIDs = {"sn", "krb5PrincipalName", "krb5KeyVersionNumber",
+					"krb5EncryptionType", "krb5Key"};
+
+			String name = "cn=Enrique Rodriguez";
+			Attributes attrs = ctx.getAttributes(name, attrIDs);
+
+			System.out.println("sn: " + attrs.get("sn").get());
+			System.out.println("principal: " + attrs.get("krb5PrincipalName").get());
+			System.out.println("kvno: " + attrs.get("krb5KeyVersionNumber").get());
+			System.out.println("etype: " + attrs.get("krb5EncryptionType").get());
+
+			keyBytes = (byte[]) attrs.get("krb5Key").get();
+
+			EncryptionKey key = new EncryptionKey(EncryptionType.DES_CBC_MD5, keyBytes);
+
+			System.out.println(key + ":  " + key.getKeyValue().length + ":  "
+					+ TestUtils.byte2hexString(key.getKeyValue()));
+
+			Attributes matchAttrs = new BasicAttributes(false); // case-sensitive
+			matchAttrs.put(new BasicAttribute("krb5PrincipalName", _principal));
+			matchAttrs.put(new BasicAttribute("krb5Key"));
+
+			// Search for objects that have those matching attributes
+			NamingEnumeration answer = ctx.search("", matchAttrs, attrIDs);
+
+			// Print the answer
+			printSearchEnumeration(answer);
+			
+			ctx.close();
+
+		} catch (NamingException e) {
+			System.err.println("Problem getting attribute: " + e);
+		}
+		return keyBytes;
+	}
+
+	public void printSearchEnumeration(NamingEnumeration enum) {
+		try {
+			while (enum.hasMore()) {
+				SearchResult sr = (SearchResult) enum.next();
+				System.out.println(">>>" + sr.getName());
+				printAttrs(sr.getAttributes());
+			}
+		} catch (NamingException e) {
+			e.printStackTrace();
+		}
+	}
+
+	public void printAttrs(Attributes attrs) {
+		if (attrs == null) {
+			System.out.println("No attributes");
+		} else {
+			/* Print each attribute */
+			try {
+				for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();) {
+					Attribute attr = (Attribute) ae.next();
+					System.out.println("attribute: " + attr.getID());
+
+					/* print each value */
+					for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
+						Object next = e.next();
+						if (next instanceof String) {
+							System.out.println("value: " + next);
+						}
+						if (next instanceof byte[]) {
+							System.out.println("value: " + TestUtils.byte2hexString((byte[]) next));
+						}
+					}
+				}
+			} catch (NamingException e) {
+				e.printStackTrace();
+			}
+		}
+	}
+}
+

Mime
View raw message