java - Kerberos SSO: high level flow and LDAP access
I'm having a few problems grasping the entire flow. I'm trying to accomplish the mighty Kerberos SSO integration, with the authenticated user's information picked up directly from Windows.
I'm using:
- an SPNEGO filter in Tomcat 7 in order to obtain the username via IWA
- Java 1.6
- Windows Server 2003 on the backend / a Windows XP client machine for tests
My understanding of the entire flow, on a high level, is:
- I can use the SPNEGO user name via the Tomcat filter (this part is working)
- I make a separate call via LDAP (authenticating on Kerberos) to retrieve whatever information I need about the logged in user (such as the groups it belongs to, etc.)
I'm trying to use ApacheDS 2 for the LDAP searching part.
Question (1): is my understanding correct? Should it be done in a different way? (Maybe using SPNEGO directly for the info I need?)
Now, I'm trying to login to the backend LDAP via Kerberos, using ApacheDS, in order to retrieve the user info:
```java
import javax.security.auth.login.Configuration;

import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;

public class KerberosLdapBind {
    public static void main(String[] args) throws Exception {
        // Turn on the JDK's Kerberos tracing so the KDC exchange is visible on stdout
        System.setProperty("sun.security.krb5.debug", "true");

        // Plain connection settings; the host set here is what the SASL/GSSAPI bind targets
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost("example.com");
        config.setLdapPort(389);
        config.setName("a_valid_username");
        config.setCredentials("the_correct_password");
        LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);

        // Kerberos (SASL GSSAPI) bind request: realm, KDC and the JAAS login configuration
        SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
        saslGssApiRequest.setRealmName("example.com");
        saslGssApiRequest.setKdcHost("example.com");
        System.setProperty("java.security.auth.login.config", "c:\\workspace\\kerberos_stuff\\login.conf");
        saslGssApiRequest.setLoginModuleConfiguration(Configuration.getConfiguration());
        saslGssApiRequest.setLoginContextName("spnego-client");
        saslGssApiRequest.setKrb5ConfFilePath("c:\\workspace\\kerberos_stuff\\krb5.ini");
        saslGssApiRequest.setMutualAuthentication(false);
        saslGssApiRequest.setUsername("a_valid_username");
        saslGssApiRequest.setCredentials("the_correct_password");

        ldapNetworkConnection.connect();
        ldapNetworkConnection.bind(saslGssApiRequest);
    }
}
```
I get this error:
```
KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
	<edited out>
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
	... 22 more
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
	<edited out>
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
	... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
	... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
	... 22 more
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1537)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
	<edited out>
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
	... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3902)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
	... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
	... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
	... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
	... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
	... 22 more
```
My questions:
Q2: I think LDAP+Kerberos is a pretty commonly used combination, and I think ApacheDS is a commonly used library for this purpose (if not, what do people use?). However, try as I might, I don't find any example code for Kerberos authentication through ApacheDS to access LDAP. I find tons of information on LDAP clients via ApacheDS, but not with Kerberos authentication. Does this indicate I'm doing something wrong, or that I grasped the wrong end of the stick on (1) (walking in the wrong direction)? Any idea here?
Q3: SaslGssApiRequest seems to be the exact way LdapNetworkConnection is meant to be used in order to access LDAP through Kerberos (in terms of ApacheDS, I mean). However, a quick search on Google for the class's name shows 0 useful information (such as documentation on how it's meant to be used). Is there another, simpler way to accomplish the target, using ApacheDS (client side, I mean), without SaslGssApiRequest?
Q4: Why isn't the above code working? Please note that if I change either the user or the pass to an invalid one (I'm using a regular XP user's user/pass to login to LDAP), I get the same error. Is there a need to specify the LDAP's service principal name somewhere (even though I specified host/port)? If so, how?
P.S. The login.conf and krb5.ini files are the same ones I use in the working SPNEGO example, so they should be correct.
If anyone's interested, I found the problem.
It seems ApacheDS, when using SaslGssApiRequest, builds the service's principal name out of the hostname placed in `config.setLdapHost("example.com");`.
Although in my setup ldap.example.com and example.com point to the same machine, the LDAP service principal name is ldap/ldap.example.com, while ApacheDS attempts to find ldap/example.com.
Changing
`config.setLdapHost("example.com");`
to
`config.setLdapHost("ldap.example.com");`
solved the problem.
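As an added diagnostic example (not code from the question, the answer, ApacheDS or the JDK): the helpers below reproduce the SPN derivation the answer describes, compare it against a constructed list of SPNs registered at the KDC, and pull the Kerberos error codes out of a trace like the one above. The `registered_spns` list and `SAMPLE_TRACE` are constructed inputs, and the code descriptions in `KRB_CODES` are this example's own wording.

```python
import re

# Kerberos error codes as they appear in the JDK KrbException messages quoted above.
# 7 is the KDC's KDC_ERR_S_PRINCIPAL_UNKNOWN. 906 is the JDK-internal ASN1_BAD_ID,
# raised when a KRB-ERROR arrives where a TGS-REP was expected: it is listed first
# in the trace, but the KDC error underneath it is the real cause.
KRB_CODES = {
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC has no principal for the requested SPN",
    906: "ASN1_BAD_ID: reply was a KRB-ERROR, not the expected TGS-REP",
}
KRB_EXC_RE = re.compile(r"KrbException: (?P<msg>.+?) \((?P<code>\d+)\)")

# Constructed excerpt of the trace from the question (two nested exceptions).
SAMPLE_TRACE = (
    "KrbException: Server not found in Kerberos database (7)\n"
    "\tat sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)\n"
    "Caused by: KrbException: Identifier doesn't match expected value (906)\n"
    "\tat sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)\n"
)

def krb_codes_in_trace(trace):
    """Distinct (code, message) pairs in a JDK Kerberos trace, in first-seen order."""
    seen, found = set(), []
    for m in KRB_EXC_RE.finditer(trace):
        code = int(m.group("code"))
        if code not in seen:
            seen.add(code)
            found.append((code, m.group("msg")))
    return found

def explain_trace(trace):
    """One explanatory line per Kerberos code found in the trace."""
    return [f"{code} ({msg}): {KRB_CODES.get(code, 'unknown code')}"
            for code, msg in krb_codes_in_trace(trace)]

def requested_spn(ldap_host, realm):
    """SPN the JDK SASL/GSSAPI client requests for an LDAP bind. It is built from the
    hostname passed to setLdapHost() only, so an alias that resolves to the same
    machine still names a different principal than the one the KDC has registered."""
    return "ldap/%s@%s" % (ldap_host.rstrip("."), realm.upper())

def diagnose_bind(ldap_host, realm, registered_spns):
    """Compare the SPN the client will request with the SPNs registered at the KDC.
    registered_spns is an assumed, constructed stand-in for the KDC's principal list."""
    spn = requested_spn(ldap_host, realm)
    registered = {s.lower() for s in registered_spns}
    if spn.lower() in registered:
        return {"requested": spn, "krb_error": 0, "fix": None}
    hosts = sorted(s.split("/", 1)[1].split("@", 1)[0]
                   for s in registered if s.startswith("ldap/"))
    return {"requested": spn, "krb_error": 7,
            "fix": "call setLdapHost() with one of: " + ", ".join(hosts)}
```

Run `diagnose_bind("example.com", "EXAMPLE.COM", [...])` with the SPNs your directory actually has (on Windows, `setspn -L <account>` lists them) to see whether the configured host would produce error 7 before touching the KDC.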