From: Kamalakar M
Subject: Help: Steps/Procedure to create Kerberos(MIT) Principals from JAVA using Apache DS API
Date: Wed, 21 Mar 2012 20:00:22 +0530
To: dev@directory.apache.org
Cc: Amal Janardhanan, Rajeswari Ramasamy, Vamsi Kondadasula
Message-id: <87827690-7C52-43BA-B8D4-68EE45A26DC3@apple.com>

Hi Apache DS Team

I need help creating Kerberos principals from Java using the Apache DS API.

I am using krb5-1.10.1 with OpenLDAP in the backend.
I am able to add principals using addprinc and authenticate using kinit from the Terminal.

Environment Details:
Operating System: Mac OS X - Snow Leopard.
Kerberos: MIT, Version krb5-1.10.1
Back End for Kerberos: OpenLDAP 2.4.11
Please find attached the krb5.conf used.

I would like to know the steps/procedure to create Kerberos (MIT) principals from Java using the Apache DS API [so that kinit will authenticate and issue tickets].

With the following code I am able to:
  • See the 'krbprincipalkey' in the Java Console.
  • Insert an entry into OpenLDAP.
Kindly check whether this is the right way to proceed.

    import java.io.IOException;
    import java.nio.ByteBuffer;
    import javax.security.auth.kerberos.KerberosKey;
    import javax.security.auth.kerberos.KerberosPrincipal;

    import org.apache.directory.ldap.client.api.LdapConnection;
    import org.apache.directory.ldap.client.api.LdapNetworkConnection;
    import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
    import org.apache.directory.shared.kerberos.components.EncryptionKey;
    import org.apache.directory.shared.ldap.model.entry.Attribute;
    import org.apache.directory.shared.ldap.model.entry.DefaultAttribute;
    import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
    import org.apache.directory.shared.ldap.model.entry.Entry;
    import org.apache.directory.shared.ldap.model.exception.LdapException;

    public class CreatePrincipal {

        public static void createPrincipalWithDSCode() throws LdapException, IOException {
            String USERS_DN = "cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com";
            String rdn = "krbPrincipalName=Kamal12321@EXAMPLE.COM";
            String principalName = "Kamal12321@EXAMPLE.COM";
            String userPassword = "apple";
            String loginDN = "cn=Manager,dc=example,dc=com"; // ou=people,dc=example,dc=com
            String loginDNPwd = "apple123$"; // "people"

            LdapConnection connection = null;
            try {
                connection = new LdapNetworkConnection("localhost", 389);
                connection.bind(loginDN, loginDNPwd);

                // Build the principal entry with the MIT kerberos.schema object classes
                Entry entry = new DefaultEntry();
                entry.setDn(rdn + "," + USERS_DN);
                entry.add("objectClass", "krbPrincipal", "krbPrincipalAux", "krbTicketPolicyAux");
                entry.add("krbPrincipalName", principalName);
                entry.add("krbLoginFailedCount", "0");
                entry.add("krbTicketFlags", "0");

                // Derive the DES key from the password and DER-encode it as an EncryptionKey
                KerberosPrincipal principal = new KerberosPrincipal(principalName);
                KerberosKey kerberosKey = new KerberosKey(principal, userPassword.toCharArray(), "DES");
                EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_MD5,
                        kerberosKey.getEncoded(), kerberosKey.getVersionNumber());
                Attribute keyAttribute = new DefaultAttribute("krbPrincipalKey");
                ByteBuffer buffer = ByteBuffer.allocate(encryptionKey.computeLength());
                encryptionKey.encode(buffer);
                keyAttribute.add(new byte[][] { buffer.array() });
                //entry.put(new Attribute[] { getKeyAttribute(addContext.getSession().getDirectoryService().getSchemaManager(), keys) });
                entry.put(new Attribute[] { keyAttribute });
                System.out.println("keyAttribute" + keyAttribute);
                //entry.add(keyAttribute);
                System.out.println("entry" + entry);

                connection.add(entry);
                System.out.println("Entry has been created");
                System.out.println(connection);
                connection.unBind();
            } catch (Exception e) {
                e.printStackTrace();
            } finally {
                // Guard against a null connection if construction failed before the try body ran
                if (connection != null) {
                    connection.close();
                }
            }
        }

        public static void main(String[] args) throws Exception {
            createPrincipalWithDSCode();
        }
    }

JAVA Console:

    keyAttribute    krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
    entryEntry
        dn: krbPrincipalName=Kamal12321@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Manager,dc=example,dc=com
        objectClass: krbPrincipal
        objectClass: krbPrincipalAux
        objectClass: krbTicketPolicyAux
        krbPrincipalKey: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xD3 0x45 0x25 0x46 0xA4 ...'
        krbTicketFlags: 0
        krbLoginFailedCount: 0
        krbPrincipalName: Kamal12321@EXAMPLE.COM
    Entry has been created
    org.apache.directory.ldap.client.api.LdapNetworkConnection@526d0040

And when I kinit from the Terminal with the principal created above, it results in the error below.

    AS_REQ (7 etypes {18 17 16 23 1 3 2}) ::1: LOOKING_UP_CLIENT: kamal1111@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, unable to decode stored principal key data (ASN.1 identifier doesn't match expected value)

Thanks
Kamalakar
Attachment: krb5.conf

    [dbdefaults]
        ldap_kerberos_container_dn = cn=Manager,dc=example,dc=com
        database_module = openldap_ldapconf

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_kerberos_container_dn = cn=Manager,dc=example,dc=com
            ldap_kdc_dn = "cn=Manager,dc=example,dc=com"
            ldap_kadmind_dn = "cn=Manager,dc=example,dc=com"
            ldap_service_password_file = /usr/local/var/krb5kdc/service.keyfile
            ldap_servers = ldap://localhost:389
            ldap_conns_per_server = 5
        }

    [libdefaults]
        ticket_lifetime = 600
        default_realm = EXAMPLE.COM
        default_tgs_enctypes = des-cbc-md5
        dafault_tkt_enctypes = des-cbc-md5
        allow_weak_crypto = true

    [realms]
        EXAMPLE.COM = {
            admin_server = localhost:8886
            kdc = localhost:8888
            default_domain = example.com
            database_module = openldap_ldapconf
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

    [logging]
        kdc = FILE:/ngs/app/kdcd/apple_kdc/log/kdc.log
        admin_server = FILE:/ngs/app/kdcd/apple_kdc/log/kadmin.log
        default = FILE:/ngs/app/kdcd/apple_kdc/log/krb5lib.log
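As an added example (not code from the original post or from the ApacheDS project), this Python decoder parses the krbPrincipalKey value that the Java code prints, showing that ApacheDS's EncryptionKey.encode() produced a bare RFC 4120 EncryptionKey (SEQUENCE of [0] keytype INTEGER and [1] keyvalue OCTET STRING) holding the raw password-derived DES key in cleartext, whereas MIT's kdb_ldap backend expects its own KrbKeySet container with master-key-encrypted key material, which is why the KDC reports an ASN.1 identifier mismatch. The three key bytes hidden behind "..." in the console output are replaced by constructed placeholder bytes, and the etype-name table is assumed from RFC 3961/4120.

```python
"""Decode the krbPrincipalKey value written by the Java code above (added example).
The value is a DER-encoded RFC 4120 EncryptionKey:
    SEQUENCE { keytype [0] INTEGER, keyvalue [1] OCTET STRING }"""

# Kerberos encryption type numbers (RFC 3961 / RFC 4120); 3 = des-cbc-md5
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one DER TLV (short or long length form)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_encryption_key(der):
    """Parse an RFC 4120 EncryptionKey; return etype number, its name and the raw key bytes."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag0, ctx0, pos = read_tlv(seq, 0)       # [0] keytype
    tag1, ctx1, pos = read_tlv(seq, pos)     # [1] keyvalue
    if tag0 != 0xA0 or tag1 != 0xA1 or pos != len(seq):
        raise ValueError("expected exactly [0] keytype and [1] keyvalue")
    itag, ival, _ = read_tlv(ctx0, 0)
    stag, sval, _ = read_tlv(ctx1, 0)
    if itag != 0x02 or stag != 0x04:
        raise ValueError("keytype must be INTEGER, keyvalue must be OCTET STRING")
    etype = int.from_bytes(ival, "big", signed=True)
    return {"etype": etype, "name": ETYPE_NAMES.get(etype, "unknown"), "key": sval}


# Bytes printed by the Java code ('0x30 0x11 0xA0 ... 0xA4 ...'); the last three key
# bytes were elided in the console output and are constructed placeholders (0x00) here.
STORED_VALUE = bytes.fromhex("3011A0030201" "03" "A10A0408" "D3452546A4" "000000")

if __name__ == "__main__":
    info = decode_encryption_key(STORED_VALUE)
    print(f"etype {info['etype']} ({info['name']}), {len(info['key'])}-byte key "
          f"stored unencrypted in the directory: {info['key'].hex()}")
```

The decoder deliberately rejects anything that is not a single two-element EncryptionKey, so running it over a value written by kadmin (a KrbKeySet) raises ValueError rather than misreading it.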