Kerberos SSO : high level flow and ldap access

Updated: 2024-10-25 21:17:57

I'm having a few problems grasping the entire flow. I'm trying to accomplish the almighty Kerberos SSO integration, where the authenticated user's information is picked up directly from Windows.

I'm using:

- Spnego filter in Tomcat 7 in order to obtain the username from IWA
- Java 1.6
- Windows Server 2003 on the backend / Windows XP as client machine for tests

My understanding of the entire flow, is, on a high level like this :

1. I can use SPNEGO to get the user name via that Tomcat filter (this part is already working).
2. I make a separate call via LDAP (on which I authenticate with Kerberos) to retrieve whatever information I need about the logged-in user (such as the groups it belongs to, etc.).

I am trying to use apacheds 2 for searching the LDAP part.

Question (1): is my understanding correct? Is this usually done in a different way? (Maybe using SPNEGO to directly get all the info I need?)

Now, in the backend, I'm trying to log in to LDAP via Kerberos using apacheds, in order to retrieve the user info, like this:

```java
import javax.security.auth.login.Configuration;

import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

// Print the JGSS/Kerberos trace (TGS requests, target principal, errors)
System.setProperty("sun.security.krb5.debug", "true");

// Where to connect; the SASL GSSAPI target principal ldap/<host> is derived from this host name
LdapConnectionConfig config = new LdapConnectionConfig();
config.setLdapHost("example.com");
config.setLdapPort(389);
config.setName("a_valid_username");
config.setCredentials("the_correct_password");
LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);

// SASL GSSAPI (Kerberos) bind request
SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
saslGssApiRequest.setRealmName("EXAMPLE.COM");
saslGssApiRequest.setKdcHost("example.com");
System.setProperty("java.security.auth.login.config", "C:\\workspace\\kerberos_stuff\\login.conf");
saslGssApiRequest.setLoginModuleConfiguration(Configuration.getConfiguration());
saslGssApiRequest.setLoginContextName("spnego-client");
saslGssApiRequest.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");
saslGssApiRequest.setMutualAuthentication(false);
saslGssApiRequest.setUsername("a_valid_username");
saslGssApiRequest.setCredentials("the_correct_password");

ldapNetworkConnection.connect();
ldapNetworkConnection.bind(saslGssApiRequest);
```

I get this error:

```
KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
	<edited out>
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
	... 22 more
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
	<edited out>
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
	... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
	... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
	... 22 more
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1537)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
	<edited out>
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
	... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3902)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
	... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
	... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
	... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
	... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
	... 22 more
```

My questions are:

Q2: I would think that LDAP + Kerberos is a pretty widely used combination; I would also think that apacheds is a commonly used library for this purpose (if not, what do you people use?). However, try as I might, I can't really find any example code for accessing LDAP through apacheds with Kerberos. I find tons of information about LDAP clients via apacheds, but not with Kerberos authentication. This usually indicates that I'm doing something wrong, or that I've grasped the wrong end of the stick on this one (walking in the wrong direction). Any ideas here?

Q3: SaslGssApiRequest seems like the exact way in which LdapNetworkConnection is meant to be used in order to access LDAP through Kerberos (in terms of apacheds, I mean). However, a quick Google search for just this class's name shows zero useful information (such as documentation on how it's meant to be used). Is there another, simpler way to accomplish my target by using apacheds (client side, I mean) but without SaslGssApiRequest?

Q4: Why isn't my code above working? Please note that if I change either the user or the password to something invalid (I'm currently using my regular XP user/password to log in to LDAP), I get exactly the same error. Is there a need to specify the LDAP service principal name somewhere (even though I already specified host/port)? If so, where?

P.S. My login.conf and krb5.ini files are exactly the same ones that I use in the already working SPNEGO example, so they should be correct.

Accepted answer


If anyone's interested, I found the problem.

It seems that when using SaslGssApiRequest, apacheds builds the service's principal name out of the hostname placed in config.setLdapHost("example.com");

Although in my setup ldap.example.com and example.com point to the same machine, my LDAP service principal name was LDAP/ldap.example.com, whereas apacheds would attempt to find LDAP/example.com.

Changing

```java
config.setLdapHost("example.com");
```

to

```java
config.setLdapHost("ldap.example.com");
```

solved my problem.
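The following is an added example, not code from the question, the answer, or the Apache Directory project. It shows the corrected flow end to end: the backend binds to the directory with SASL GSSAPI under its own service account, using the host name the directory's SPN is actually registered for, and then looks up the memberOf values of the account that the SPNEGO filter identified. Under SSO the backend never holds the user's password, so the LDAP lookup runs under the service's identity rather than the user's (acting as the user would need constrained delegation, which is a separate setup). The host names, realm, base DN, JAAS entry name and environment variable names are assumptions. Two deliberate changes from the question's snippet: mutual authentication is on, so the client also verifies the directory's identity via the Kerberos AP-REP, and the SASL quality of protection is auth-conf, so the search and its results are integrity-protected and encrypted on port 389 after the bind. The config.setName/setCredentials calls are dropped because only the no-argument simple bind() uses them.

```java
// Added example, not code from the original question, answer, or the
// Apache Directory project. Host names, realm, base DN, JAAS entry name
// and environment variable names are assumptions for illustration.
import java.util.ArrayList;
import java.util.List;

import javax.security.auth.login.Configuration;

import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;
import org.apache.directory.ldap.client.api.SaslQoP;

public class KerberosLdapGroupLookup {

    // Must be the host the directory's SPN is registered for: the GSSAPI
    // client asks the KDC for a ticket to ldap/<LDAP_HOST>@<REALM>.
    // Check with "setspn -L <directory server's computer account>".
    private static final String LDAP_HOST = "ldap.example.com"; // assumed
    private static final String KDC_HOST = "dc1.example.com";   // assumed
    private static final String REALM = "EXAMPLE.COM";          // assumed
    private static final String BASE_DN = "DC=example,DC=com";  // assumed

    /** Returns the DNs of the groups the given Windows account belongs to. */
    public static List<String> groupsOf(String sAMAccountName) throws Exception {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(LDAP_HOST);
        config.setLdapPort(389);

        SaslGssApiRequest gssapi = new SaslGssApiRequest();
        gssapi.setRealmName(REALM);
        gssapi.setKdcHost(KDC_HOST);
        gssapi.setKdcPort(88);
        gssapi.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");
        System.setProperty("java.security.auth.login.config",
                "C:\\workspace\\kerberos_stuff\\login.conf");
        gssapi.setLoginModuleConfiguration(Configuration.getConfiguration());
        gssapi.setLoginContextName("spnego-client");
        // The backend authenticates as its own service account (assumed
        // env vars), never with a password hard-coded in the source.
        gssapi.setUsername(System.getenv("LDAP_SVC_USER"));
        gssapi.setCredentials(System.getenv("LDAP_SVC_PASSWORD"));
        // Verify the directory's identity as well (Kerberos AP-REP) ...
        gssapi.setMutualAuthentication(true);
        // ... and negotiate a SASL security layer so the search and its
        // results are integrity-protected and encrypted on port 389.
        gssapi.setQualityOfProtection(SaslQoP.AUTH_CONF);

        List<String> groups = new ArrayList<String>();
        LdapNetworkConnection conn = new LdapNetworkConnection(config);
        try {
            conn.connect();
            BindResponse bind = conn.bind(gssapi);
            if (bind.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS) {
                throw new IllegalStateException("GSSAPI bind failed: "
                        + bind.getLdapResult().getDiagnosticMessage());
            }
            // The account name comes from the SPNEGO filter, i.e. from the
            // client, so escape it before embedding it in the filter.
            String filter = "(&(objectClass=user)(sAMAccountName="
                    + escapeFilterValue(sAMAccountName) + "))";
            EntryCursor cursor = conn.search(BASE_DN, filter, SearchScope.SUBTREE, "memberOf");
            try {
                while (cursor.next()) {
                    Entry entry = cursor.get();
                    Attribute memberOf = entry.get("memberOf");
                    if (memberOf == null) {
                        continue; // no group memberships beyond the primary group
                    }
                    for (Value v : memberOf) { // raw Value: compiles on API 1.x and 2.x
                        groups.add(v.getString());
                    }
                }
            } finally {
                cursor.close();
            }
        } finally {
            conn.close();
        }
        return groups;
    }

    /** RFC 4515 escaping for a value placed inside a search filter. */
    static String escapeFilterValue(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Call it with the name the filter extracted, e.g. groupsOf("jdoe"). If the bind still fails with "Server not found in Kerberos database", run it with sun.security.krb5.debug=true as in the question: the trace shows which ldap/<host> principal the TGS-REQ asks for, and that name has to match one of the SPNs that setspn -L lists for the directory server's account. For a long-running backend, a keytab-based JAAS entry for the spnego-client context (Krb5LoginModule with useKeyTab=true, keyTab=..., principal=..., storeKey=true) removes the need to hand the service account's password to the process at all.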

Published: 2023-07-30 07:54:00
Source: https://www.elefans.com/category/jswz/34/1336736.html