directory-dev mailing list archives

From: Kiran Ayyagari <kayyag...@apache.org>
Subject: Re: Help: Steps/Procedure to create Kerberos(MIT) Principals from JAVA using Apache DS API
Date: Wed, 21 Mar 2012 14:45:59 GMT
Looks like you are trying to fetch the ticket for a different (wrong?) principal:
you created Kamal12321@EXAMPLE.COM but kinit shows kamal1111@EXAMPLE.COM.

On Wed, Mar 21, 2012 at 8:00 PM, Kamalakar M <kmedam@apple.com> wrote:
> Hi Apache DS Team,
>
> I need help creating Kerberos principals from Java using the Apache DS API.
>
> I am using krb5-1.10.1 with OpenLDAP as the backend.
> I am able to add principals using addprinc and authenticate using kinit from
> the Terminal.
>
> Environment Details:
> Operating System: Mac OS X - Snow Leopard.
> Kerberos: MIT, Version krb5-1.10.1
> Back End for Kerberos: OpenLDAP 2.4.11
> Please find attached the krb5.conf used.
>
> I would like to know the steps/procedure to create Kerberos (MIT)
> principals from Java using the Apache DS API [so that kinit will
> authenticate and issue tickets].
>
> With the following code I am able to:
> - see the 'krbPrincipalKey' in the Java console;
> - insert an entry into OpenLDAP.
> Kindly check whether this is the right way to proceed.
>
> import java.io.IOException;
> import java.nio.ByteBuffer;
>
> import javax.security.auth.kerberos.KerberosKey;
> import javax.security.auth.kerberos.KerberosPrincipal;
>
> import org.apache.directory.ldap.client.api.LdapConnection;
> import org.apache.directory.ldap.client.api.LdapNetworkConnection;
> import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
> import org.apache.directory.shared.kerberos.components.EncryptionKey;
> import org.apache.directory.shared.ldap.model.entry.Attribute;
> import org.apache.directory.shared.ldap.model.entry.DefaultAttribute;
> import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
> import org.apache.directory.shared.ldap.model.entry.Entry;
> import org.apache.directory.shared.ldap.model.exception.LdapException;
>
> public static void createPrincipalWithDSCode() throws LdapException, IOException {
>     // realm container of the kdb5_ldap tree, and the RDN of the new principal entry
>     String USERS_DN = "cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com";
>     String rdn = "krbPrincipalName=Kamal12321@EXAMPLE.COM";
>     String principalName = "Kamal12321@EXAMPLE.COM";
>     String userPassword = "apple";
>     String loginDN = "cn=Manager,dc=example,dc=com"; // ou=people,dc=example,dc=com
>     String loginDNPwd = "apple123$"; // "people"
>
>     LdapConnection connection = null;
>     try {
>         connection = new LdapNetworkConnection("localhost", 389);
>         connection.bind(loginDN, loginDNPwd);
>
>         Entry entry = new DefaultEntry();
>         entry.setDn(rdn + "," + USERS_DN);
>         entry.add("objectClass", "krbPrincipal", "krbPrincipalAux", "krbTicketPolicyAux");
>         entry.add("krbPrincipalName", principalName);
>         entry.add("krbLoginFailedCount", "0");
>         entry.add("krbTicketFlags", "0");
>
>         // derive a DES key from the password (JGSS string-to-key, principal as salt)
>         // and DER-encode it with the ApacheDS Kerberos codec as an EncryptionKey
>         KerberosPrincipal principal = new KerberosPrincipal(principalName);
>         KerberosKey kerberosKey = new KerberosKey(principal, userPassword.toCharArray(), "DES");
>         EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5,
>                 kerberosKey.getEncoded(), kerberosKey.getVersionNumber());
>         Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
>         ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
>         encryptionKey.encode(buffer);
>         keyAttribute.add(new byte[][] { buffer.array() });
why are you inserting a 2D array here?
>         // entry.put(new Attribute[] { getKeyAttribute(addContext.getSession().getDirectoryService().getSchemaManager(), keys) });
>         entry.put(new Attribute[] { keyAttribute });
>         System.out.println("keyAttribute" + keyAttribute);
>         // entry.add(keyAttribute);
>         System.out.println("entry" + entry);
>         connection.add(entry);
>         System.out.println("Entry has been created");
>         System.out.println(connection);
>         connection.unBind();
>     } catch (Exception e) {
>         e.printStackTrace();
>     } finally {
>         if (connection != null) {
>             connection.close();
>         }
>     }
> }
> Java console:
> keyAttribute    krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1
> 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
>
> entryEntry
>     dn:
> krbPrincipalName=Kamal12321@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com
>     objectClass: krbPrincipal
>     objectClass: krbPrincipalAux
>     objectClass: krbTicketPolicyAux
>     krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
> 0xD3 0x45 0x25 0x46 0xA4 ...'
>     krbTicketFlags: 0
>     krbLoginFailedCount: 0
>     krbPrincipalName: Kamal12321@EXAMPLE.COM
>
> Entry has been created
> org.apache.directory.ldap.client.api.LdapNetworkConnection@526d0040
>
> And when I kinit from the Terminal as the principal created above, it
> results in the error below.
> AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT: kamal1111@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, unable to decode stored principal key data (ASN.1 identifier doesn't match expected value)
>
> Thanks
> Kamalakar
>



-- 
Kiran Ayyagari
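To make the KDC's complaint concrete, here is an added example in Python (not code from the ApacheDS project, the MIT krb5 sources, or either poster). It DER-encodes a key in the two shapes that can end up in a krbPrincipalKey value: the RFC 4120 EncryptionKey that ApacheDS's EncryptionKey.encode() writes (the 30 11 A0 03 02 01 03 A1 0A 04 08 prefix printed in the console output above is exactly that shape: keytype 3 = des-cbc-md5 followed by an 8-byte DES key), and the KrbKeySet structure that the MIT kdb_ldap plugin stores in that attribute. The KrbKeySet layout and its 1/1 version numbers are taken from the plugin's schema description as I understand it, the strict decoder only mirrors that structure and is not MIT's decoder, and the key bytes are constructed. Fed the ApacheDS-shaped blob, the decoder accepts [0] INTEGER 3 as attribute-major-vno and then stops at [1], which holds an OCTET STRING where an INTEGER is required, the same class of failure the KDC log reports.

```python
# Added example (not ApacheDS or MIT krb5 code): the two ASN.1 shapes a krbPrincipalKey
# value can have, and a strict decoder for the one the MIT kdb_ldap plugin expects.
# The KrbKeySet layout and its 1/1 version numbers are assumed from the plugin's schema text.

class Asn1Error(ValueError):
    """A tag or length is not what the expected structure requires."""

def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body

def der_integer(n: int) -> bytes:
    # non-negative INTEGER, minimal two's complement (leading 0x00 when bit 7 is set)
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def der_octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)

def der_sequence(*elems: bytes) -> bytes:
    return tlv(0x30, b"".join(elems))

def ctx(n: int, body: bytes) -> bytes:
    # context-specific constructed EXPLICIT tag [n] (0xA0 | n), as every Kerberos type uses
    return tlv(0xA0 | n, body)

def rfc4120_encryption_key(etype: int, keyvalue: bytes) -> bytes:
    # EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING } (RFC 4120);
    # this is the shape ApacheDS's EncryptionKey.encode() writes
    return der_sequence(ctx(0, der_integer(etype)), ctx(1, der_octet_string(keyvalue)))

def mit_krb_key_set(kvno: int, keys, mkvno: int = 1) -> bytes:
    # KrbKeySet ::= SEQUENCE { attribute-major-vno [0], attribute-minor-vno [1], kvno [2],
    #   mkvno [3] OPTIONAL, keys [4] SEQUENCE OF KrbKey }
    # KrbKey ::= SEQUENCE { salt [0] OPTIONAL, key [1] EncryptionKey, s2kparams [2] OPTIONAL }
    krb_keys = [der_sequence(ctx(1, rfc4120_encryption_key(et, kv))) for et, kv in keys]
    return der_sequence(ctx(0, der_integer(1)), ctx(1, der_integer(1)), ctx(2, der_integer(kvno)),
                        ctx(3, der_integer(mkvno)), ctx(4, der_sequence(*krb_keys)))

def _read_tlv(buf: bytes, pos: int):
    # returns (tag, body, position after the element); definite lengths only
    if pos + 2 > len(buf):
        raise Asn1Error("unexpected end of data")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise Asn1Error("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise Asn1Error("element body truncated")
    return tag, body, pos + length

def _expect(buf: bytes, pos: int, tag: int, what: str):
    t, body, nxt = _read_tlv(buf, pos)
    if t != tag:
        raise Asn1Error(f"ASN.1 identifier doesn't match expected value in {what}: "
                        f"expected 0x{tag:02X}, found 0x{t:02X}")
    return body, nxt

def _ctx_int(seq: bytes, pos: int, n: int, what: str):
    # [n] EXPLICIT INTEGER: check the context tag, then the universal tag inside it
    body, pos = _expect(seq, pos, 0xA0 | n, what)
    inner, end = _expect(body, 0, 0x02, what)
    if end != len(body):
        raise Asn1Error(f"trailing data inside {what}")
    return int.from_bytes(inner, "big"), pos

def decode_krb_key_set(blob: bytes) -> dict:
    seq, end = _expect(blob, 0, 0x30, "KrbKeySet")
    if end != len(blob):
        raise Asn1Error("trailing data after KrbKeySet")
    major, pos = _ctx_int(seq, 0, 0, "attribute-major-vno")
    minor, pos = _ctx_int(seq, pos, 1, "attribute-minor-vno")
    kvno, pos = _ctx_int(seq, pos, 2, "kvno")
    mkvno = None
    if pos < len(seq) and seq[pos] == 0xA3:
        mkvno, pos = _ctx_int(seq, pos, 3, "mkvno")
    keys_body, pos = _expect(seq, pos, 0xA4, "keys")
    keys_seq, _ = _expect(keys_body, 0, 0x30, "keys")
    keys, kpos = [], 0
    while kpos < len(keys_seq):
        krbkey, kpos = _expect(keys_seq, kpos, 0x30, "KrbKey")
        p = _read_tlv(krbkey, 0)[2] if krbkey[:1] == b"\xA0" else 0  # skip optional salt
        ek_body, p = _expect(krbkey, p, 0xA1, "KrbKey.key")
        ek, _ = _expect(ek_body, 0, 0x30, "EncryptionKey")
        etype, q = _ctx_int(ek, 0, 0, "keytype")
        kv_body, q = _expect(ek, q, 0xA1, "keyvalue")
        keys.append((etype, bytes(_expect(kv_body, 0, 0x04, "keyvalue")[0])))
    return {"major": major, "minor": minor, "kvno": kvno, "mkvno": mkvno, "keys": keys}

def check_key_blob(blob: bytes) -> str:
    # what a consumer that expects KrbKeySet (as the MIT KDC does) makes of the value
    try:
        ks = decode_krb_key_set(blob)
    except Asn1Error as e:
        return f"rejected: {e}"
    return "decoded as KrbKeySet: kvno=%d mkvno=%s etypes=%s" % (
        ks["kvno"], ks["mkvno"], ",".join(str(et) for et, _ in ks["keys"]))

DES_CBC_MD5 = 3                        # the etype carried by the posted blob (02 01 03)
SAMPLE_KEY = bytes(range(0x10, 0x18))  # constructed 8-byte DES key, not the post's bytes
# In a real MIT KDB the keyvalue is the key as encrypted under the KDC master key by the
# KDB layer, never the raw string-to-key output; the raw key here is only a stand-in.
APACHEDS_STYLE = rfc4120_encryption_key(DES_CBC_MD5, SAMPLE_KEY)
MIT_STYLE = mit_krb_key_set(1, [(DES_CBC_MD5, SAMPLE_KEY)])

if __name__ == "__main__":
    print(APACHEDS_STYLE.hex(" "))  # begins 30 11 a0 03 02 01 03 a1 0a 04 08, as in the post
    print(check_key_blob(APACHEDS_STYLE))
    print(check_key_blob(MIT_STYLE))
```

Two caveats for anyone going further down this road. First, a correctly shaped KrbKeySet is still not enough: MIT stores the keyvalue inside each KrbKey encrypted under the KDC master key, not the raw string-to-key output, so writing a usable krbPrincipalKey from Java would mean reproducing MIT's key-data encryption with the master key as well as its encoding. The supported way to create principals against an MIT KDC is kadmin/kadmin.local (addprinc, which the original post says already works from the Terminal) or the kadm5 API, with LDAP only as MIT's storage. Second, des-cbc-md5 is a deprecated single-DES enctype; the AS-REQ in the log offers etypes 18 and 17 (AES) first, and new principals should be given AES keys.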
