directory-dev mailing list archives

From Kamalakar M <kme...@apple.com>
Subject Help: Steps/Procedure to create Kerberos(MIT) Principals from JAVA using Apache DS API
Date Wed, 21 Mar 2012 14:30:22 GMT
Hi Apache DS Team

I need help creating Kerberos principals from Java using the Apache DS API.

I am using krb5-1.10.1 with OpenLDAP as the backend.
I am able to add principals using addprinc and to authenticate using kinit from the terminal.

Environment Details:
Operating System: Mac OS X - Snow Leopard.
Kerberos: MIT, Version krb5-1.10.1
Back End for Kerberos: OpenLDAP 2.4.11
Please find attached the krb5.conf used.



I would like to know the steps/procedure to create Kerberos (MIT) principals from
Java using the Apache DS API [so that kinit will authenticate and issue tickets].

With the following code I am able to see the 'krbPrincipalKey' in the Java console
and insert an entry into OpenLDAP.
Kindly check whether this is the right way to proceed.
	import java.io.IOException;
	import java.nio.ByteBuffer;

	import javax.security.auth.kerberos.KerberosKey;
	import javax.security.auth.kerberos.KerberosPrincipal;

	import org.apache.directory.ldap.client.api.LdapConnection;
	import org.apache.directory.ldap.client.api.LdapNetworkConnection;
	import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
	import org.apache.directory.shared.kerberos.components.EncryptionKey;
	import org.apache.directory.shared.ldap.model.entry.Attribute;
	import org.apache.directory.shared.ldap.model.entry.DefaultAttribute;
	import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
	import org.apache.directory.shared.ldap.model.entry.Entry;
	import org.apache.directory.shared.ldap.model.exception.LdapException;

	public class CreatePrincipal {

	public static void createPrincipalWithDSCode () throws LdapException, IOException{
		// Realm container under which the principal entry is written.
		String USERS_DN = "cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com";
		String rdn ="krbPrincipalName=Kamal12321@EXAMPLE.COM";
		String principalName = "Kamal12321@EXAMPLE.COM";
		String userPassword ="apple";
		// Directory admin credentials, hard-coded and sent over a plaintext simple bind
		// to port 389: acceptable for a localhost experiment only.
		String loginDN = "cn=Manager,dc=example,dc=com";// ou=people,dc=example,dc=com";
		String loginDNPwd = "apple123$";// "people";

		LdapConnection connection = null;
		try {
			connection = new LdapNetworkConnection("localhost", 389);
			connection.bind(loginDN, loginDNPwd);

			Entry entry = new DefaultEntry();
			entry.setDn( rdn + "," + USERS_DN );
			entry.add( "objectClass", "krbPrincipal", "krbPrincipalAux","krbTicketPolicyAux");
			entry.add("krbPrincipalName",principalName);
			entry.add("krbLoginFailedCount","0");
			entry.add("krbTicketFlags", "0");

			// Derive a single-DES key (etype 3, des-cbc-md5) from the password with the
			// JDK string-to-key, then DER-encode it as an RFC 4120 EncryptionKey
			// (SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }), i.e. the
			// plaintext-key layout the ApacheDS codec produces for krbPrincipalKey.
			KerberosPrincipal principal = new KerberosPrincipal(principalName);
			KerberosKey kerberosKey = new KerberosKey(principal, userPassword.toCharArray(), "DES");
			EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5, kerberosKey.getEncoded(),
				kerberosKey.getVersionNumber());
			Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
			ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
			encryptionKey.encode(buffer);
			keyAttribute.add(new byte[][] { buffer.array() });
			entry.put(new Attribute[]{keyAttribute});
			// These two printlns write the raw key bytes to the console.
			System.out.println("keyAttribute" +keyAttribute);
			System.out.println("entry" +entry);
			connection.add( entry );
			System.out.println("Entry has been created");
			System.out.println(connection);
			connection.unBind();
		}catch (Exception e) {
			e.printStackTrace();
		}
		finally{
			if (connection != null) {
				connection.close();
			}
		}

	}

	public static void main(String[] args) throws Exception {
		createPrincipalWithDSCode();
	}
	}
JAVA Console:
keyAttribute    krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3
0x45 0x25 0x46 0xA4 ...'

entryEntry
    dn: krbPrincipalName=Kamal12321@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com
    objectClass: krbPrincipal
    objectClass: krbPrincipalAux
    objectClass: krbTicketPolicyAux
    krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3 0x45 0x25
0x46 0xA4 ...'
    krbTicketFlags: 0
    krbLoginFailedCount: 0
    krbPrincipalName: Kamal12321@EXAMPLE.COM

Entry has been created
org.apache.directory.ldap.client.api.LdapNetworkConnection@526d0040

And when I kinit from the terminal as the principal created above, I get the error
below.
AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT: kamal1111@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
unable to decode stored principal key data (ASN.1 identifier doesn't match expected value)

Thanks 
Kamalakar
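The bytes printed in the Java console above begin 30 11 A0 03 02 01 03 A1 0A 04 08: a DER SEQUENCE of 17 bytes holding [0] INTEGER 3 (etype 3, des-cbc-md5) and [1] an 8-byte OCTET STRING, which is exactly a bare RFC 4120 EncryptionKey as the ApacheDS kerberos codec encodes it. The post does not say how MIT's LDAP KDB plugin lays out the same attribute; to my knowledge (an assumption here, from MIT's kdb ldap sources, not stated on this page) kldap stores krbPrincipalKey as its own KrbKeySet structure (major/minor version, kvno, optional mkvno, then a SEQUENCE OF KrbKey whose key values are encrypted under the KDC master key), which would be consistent with the "ASN.1 identifier doesn't match expected value" error. Two further caveats a practitioner would check: etype 3 is single DES, which MIT 1.10 only accepts with allow_weak_crypto = true, and the example code prints the key bytes to stdout. The following DER walker is an added example written for this page (not code from the post, Apache DS or MIT krb5); it builds both layouts from constructed sample bytes and classifies a krbPrincipalKey value, including a truncated one.

```python
# Added example, not from the original post, Apache DS or MIT krb5.
# Distinguishes the two incompatible encodings that share the LDAP attribute
# name krbPrincipalKey:
#   ApacheDS:  RFC 4120 EncryptionKey ::= SEQUENCE { keytype [0] Int32,
#                                                    keyvalue [1] OCTET STRING }
#   MIT kldap (ASSUMED layout, from memory of MIT's kdb ldap plugin):
#              KrbKeySet ::= SEQUENCE { attribute-major-vno [0], attribute-minor-vno [1],
#                                       kvno [2], mkvno [3] OPTIONAL,
#                                       keys [4] SEQUENCE OF KrbKey }
#              KrbKey    ::= SEQUENCE { salt [0] OPTIONAL, key [1] EncryptionKey,
#                                       s2kparams [2] OPTIONAL }
#              with each EncryptionKey.keyvalue encrypted under the KDC master key.
# All key bytes below are constructed placeholders, not real key material.
from typing import Any, List, Optional, Tuple

# ---- minimal DER encoder (short/long lengths, single-byte tags) ----

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def der_int(v: int) -> bytes:
    # Minimal two's-complement body, as DER requires.
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ctx(n: int, inner: bytes) -> bytes:
    """EXPLICIT context-specific tag [n] (constructed, 0xA0 | n)."""
    return der_tlv(0xA0 | n, inner)

def build_encryptionkey(keytype: int, keyvalue: bytes) -> bytes:
    """RFC 4120 EncryptionKey: the shape ApacheDS writes into krbPrincipalKey."""
    return der_tlv(0x30, ctx(0, der_int(keytype)) + ctx(1, der_tlv(0x04, keyvalue)))

def build_mit_krbkeyset(kvno: int, mkvno: int, keys: List[Tuple[int, bytes]]) -> bytes:
    """KrbKeySet skeleton in the ASSUMED MIT layout (see header); `keys` holds
    (keytype, master-key-encrypted key bytes). Salt and s2kparams are omitted."""
    krbkeys = b"".join(der_tlv(0x30, ctx(1, build_encryptionkey(kt, kv))) for kt, kv in keys)
    body = (ctx(0, der_int(1)) + ctx(1, der_int(1)) + ctx(2, der_int(kvno))
            + ctx(3, der_int(mkvno)) + ctx(4, der_tlv(0x30, krbkeys)))
    return der_tlv(0x30, body)

# ---- minimal DER decoder ----

def der_parse(buf: bytes, pos: int = 0, end: Optional[int] = None) -> List[Tuple[int, Any]]:
    """Parse consecutive TLVs in buf[pos:end] into (tag, value) pairs; constructed
    values are recursed into, primitive values are kept as bytes."""
    if end is None:
        end = len(buf)
    out: List[Tuple[int, Any]] = []
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not supported")
        pos += 1
        length = buf[pos]
        pos += 1
        if length & 0x80:
            nbytes = length & 0x7F
            if nbytes == 0 or nbytes > 4:
                raise ValueError("unsupported length encoding")
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        if pos + length > end:
            raise ValueError("TLV runs past end of buffer (truncated value?)")
        val = buf[pos:pos + length]
        out.append((tag, der_parse(buf, pos, pos + length) if tag & 0x20 else val))
        pos += length
    return out

def decode_encryptionkey(blob: bytes) -> Tuple[int, bytes]:
    """Return (keytype, keyvalue) from a bare RFC 4120 EncryptionKey."""
    fields = dict(der_parse(blob)[0][1])
    return int.from_bytes(fields[0xA0][0][1], "big", signed=True), fields[0xA1][0][1]

def classify_krbprincipalkey(blob: bytes) -> str:
    """Say which krbPrincipalKey dialect a stored value looks like."""
    try:
        top = der_parse(blob)
    except (ValueError, IndexError):
        return "not-der"
    if len(top) != 1 or top[0][0] != 0x30:
        return "not-a-sequence"
    fields = top[0][1]
    tags = [t for t, _ in fields]
    try:
        # Bare EncryptionKey: only [0] INTEGER and [1] OCTET STRING.
        if tags == [0xA0, 0xA1] and fields[0][1][0][0] == 0x02 and fields[1][1][0][0] == 0x04:
            return "rfc4120-EncryptionKey (ApacheDS style)"
        # KrbKeySet: [0] [1] [2] [4] mandatory, [4] a SEQUENCE OF SEQUENCE.
        if {0xA0, 0xA1, 0xA2, 0xA4} <= set(tags) and dict(fields)[0xA4][0][0] == 0x30:
            return "MIT KrbKeySet"
    except (IndexError, TypeError, KeyError):
        pass
    return "unknown"

if __name__ == "__main__":
    sample_des_key = bytes.fromhex("0123456789abcdef")            # constructed, not a real key
    ads_blob = build_encryptionkey(3, sample_des_key)              # etype 3 = des-cbc-md5
    mit_blob = build_mit_krbkeyset(1, 1, [(3, b"\x00\x08" + b"\x11" * 8)])  # placeholder ciphertext
    for name, blob in (("ads", ads_blob), ("mit", mit_blob), ("truncated", ads_blob[:11])):
        print(name, blob.hex(), "->", classify_krbprincipalkey(blob))
```

To check a value actually stored by the KDC rather than a constructed one, pull it with ldapsearch (the attribute comes back base64-encoded as `krbPrincipalKey::`), base64-decode it and pass the bytes to classify_krbprincipalkey; the 11-byte header of the ADS sample equals the prefix printed in the Java console above.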
