From: "Charles Hedrick (JIRA)"
To: dev@directory.apache.org
Date: Thu, 11 Jul 2019 15:55:00 +0000 (UTC)
Subject: [jira] [Comment Edited] (DIRAPI-350) gssapi documentation

[ https://issues.apache.org/jira/browse/DIRAPI-350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883088#comment-16883088 ]

Charles Hedrick edited comment on DIRAPI-350 at 7/11/19 3:54 PM:
-----------------------------------------------------------------

Note that there's a reference in documentation to bindSaslGssApi(). It does not appear to exist. I'm not sure quite what it would do. There are enough options for GSSAPI that creating a SaslGssApiRequest and using bind might make sense.

was (Author: clhedrick):
Note that there's a reference in documentation to bindSaslGssApi(). It does not appear to exist. I'm not sure quite what it would do. There are enough options for GSSAPI that creating a SaslGssApiRequest and using bind might make sense.

There are some limitations to the Sun implementation of Kerberos that you may or may not want to document:

There are potential thread-safety issues with krb5ConfFilePath. This is set in a system property. If you use setKrb5ConfFilePath, or realmName, kdcHost, and kdcPort, this will affect the entire application. Even if you don't, the system variable is cleared. This could also affect the entire application. Basically, if your program is threaded, you need to use a consistent setting for the krb5ConfFilePath, not just in Kirby but in any code that depends upon Kerberos. Even without multiple threads you could have an issue if other code sets a value and expects it to remain unchanged.

The same issue could occur with the system property javax.security.auth.useSubjectCredsOnly. This code sets it false. If code other than Kirby is using Kerberos, and relies on a different setting, there could be interference.

As noted in my sample code, this implementation can only read credential caches that are in files. Many operating systems today use KEYRING or KCM. If your application needs to use existing user credential caches without prompting for a password, you may need to set default_cc_name in /etc/krb5.conf to a file in /tmp.

> gssapi documentation
> --------------------
>
>                 Key: DIRAPI-350
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-350
>             Project: Directory Client API
>          Issue Type: Documentation
>    Affects Versions: 2.0.0.AM4
>            Reporter: Charles Hedrick
>            Priority: Major
>         Attachments: gssapi.rtf
>
>
> In the section on authentication, there is no usable documentation for GSSAPI. Since GSSAPI is mostly used for Kerberos, you need sample code. Here is some that works.
>
> First, non-trivial Kerberos authentication requires configuration. Creating a Kerberos configuration is not well documented elsewhere, so we include here sample code. It is possible to put configuration information in a JAAS login configuration file as well, but doing it programmatically provides more flexibility for applications that need to use more than one principal.
> {code:java}
> import java.net.InetAddress;
> import java.util.HashMap;
> import java.util.Map;
> import javax.security.auth.login.AppConfigurationEntry;
> import javax.security.auth.login.Configuration;
>
> class KerberosConfiguration extends Configuration {
>     // Credential cache path supplied by the caller; not used by the keytab-based options below.
>     private String cc;
>
>     public KerberosConfiguration(String cc) {
>         this.cc = cc;
>     }
>
>     @Override
>     public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>         Map<String, String> options = new HashMap<>();
>         // Authenticate as the host principal using the system keytab.
>         options.put("useKeyTab", "true");
>         try {
>             options.put("principal", "host/" + InetAddress.getLocalHost().getCanonicalHostName() + "@MYKERBOSDOMAIN");
>         } catch (Exception e) {
>             System.out.println("Can't find our hostname " + e);
>         }
>         options.put("refreshKrb5Config", "true");
>         options.put("keyTab", "/etc/krb5.keytab");
>         options.put("debug", "true");
>         return new AppConfigurationEntry[] {
>             new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
>                                       AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
>                                       options)
>         };
>     }
> }
>
> public KerberosConfiguration makeKerberosConfiguration(String cc) {
>     return new KerberosConfiguration(cc);
> }
> {code}
>
> makeKerberosConfiguration(null) will return the configuration object needed for GSSAPI. The options in this example authenticate the host, based on /etc/krb5.keytab. Other options are documented in the Java documentation for the class Krb5LoginModule. Note that if you are going to use user credentials, they should be stored in a file, not KEYRING or KCM.
>
> The following code uses a configuration generated with the code above to do a GSSAPI SASL bind. The assumption is that ldapNetworkConnection has already been opened using connect.
> {code:java}
> // Imports required by this fragment:
> import javax.security.auth.login.Configuration;
> import org.apache.directory.api.ldap.model.exception.LdapException;
> import org.apache.directory.api.ldap.model.message.BindResponse;
> import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
> import org.apache.directory.ldap.client.api.SaslGssApiRequest;
>
>         Configuration sconfig = makeKerberosConfiguration(null);
>         SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
>         saslGssApiRequest.setLoginModuleConfiguration( sconfig );
>         saslGssApiRequest.setLoginContextName( "org.apache.directory.ldap.client.api.SaslGssApiRequest" );
>         saslGssApiRequest.setMutualAuthentication( false );
>
>         BindResponse br;
>
>         try {
>             br = ldapNetworkConnection.bind( saslGssApiRequest );
>             // Check the bind result instead of assuming it succeeded.
>             if ( br.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS ) {
>                 throw new LdapException( "GSSAPI bind failed: " + br.getLdapResult().getDiagnosticMessage() );
>             }
>             // In this sample TLS is started after the bind has completed.
>             ldapNetworkConnection.startTls();
>         } catch ( LdapException e ) {
>             e.printStackTrace();
>         }
> {code}
> At this point you can do search or other operations.

-- This message was sent by Atlassian JIRA (v7.6.14#76016)
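Added example, not code from the issue or from the Directory API project: a wrapper around the SaslGssApiRequest bind shown in the issue that addresses the comment's thread-safety point by serialising binds in one JVM-wide lock and restoring the global Kerberos system properties afterwards (java.security.krb5.conf and javax.security.auth.useSubjectCredsOnly), and that also turns on mutual authentication and checks the bind result. It assumes the connection is already open and that a JAAS Configuration such as the issue's makeKerberosConfiguration(null) is passed in; the class and method names are this editor's.

```java
import javax.security.auth.login.Configuration;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

public final class GssApiBinder {
    // One lock for the whole JVM: the Kerberos system properties the bind
    // touches are process-wide, so concurrent binds must not interleave.
    private static final Object KRB5_LOCK = new Object();
    private static final String KRB5_CONF = "java.security.krb5.conf";
    private static final String SUBJECT_CREDS_ONLY = "javax.security.auth.useSubjectCredsOnly";

    /** Binds conn with GSSAPI using jaasConfig (e.g. makeKerberosConfiguration(null)). */
    public static BindResponse bindGssApi(LdapNetworkConnection conn, Configuration jaasConfig)
            throws LdapException {
        SaslGssApiRequest req = new SaslGssApiRequest();
        req.setLoginModuleConfiguration(jaasConfig);
        req.setLoginContextName("org.apache.directory.ldap.client.api.SaslGssApiRequest");
        // Mutual authentication: the client also verifies the server's Kerberos identity.
        req.setMutualAuthentication(true);

        synchronized (KRB5_LOCK) {
            // Snapshot the global properties so they can be put back afterwards,
            // whether the library overwrote them or cleared them.
            String savedConf = System.getProperty(KRB5_CONF);
            String savedSubjectCreds = System.getProperty(SUBJECT_CREDS_ONLY);
            try {
                BindResponse br = conn.bind(req);
                ResultCodeEnum rc = br.getLdapResult().getResultCode();
                if (rc != ResultCodeEnum.SUCCESS) {
                    throw new LdapException("GSSAPI bind failed: " + rc + " " + br.getLdapResult().getDiagnosticMessage());
                }
                return br;
            } finally {
                restore(KRB5_CONF, savedConf);
                restore(SUBJECT_CREDS_ONLY, savedSubjectCreds);
            }
        }
    }

    // Put a property back exactly as it was: absent stays absent, set stays set.
    private static void restore(String key, String value) {
        if (value == null) System.clearProperty(key); else System.setProperty(key, value);
    }
}
```

The lock only protects code that binds through this wrapper; any other code in the process that reads or writes these properties directly still needs to agree on a consistent setting, as the comment above notes.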