
Kerberos SSO : high level flow and ldap access

Having a few problems grasping the entire flow. I'm trying to accomplish the almighty Kerberos SSO integration, where auth user information is picked directly from Windows.

I'm using:

  • Spnego filter in Tomcat 7 in order to obtain the username from IWA
  • Java 1.6
  • Windows Server 2003 on the backend / Windows XP as client machine for tests

My understanding of the entire flow is, on a high level, like this:

  • I can use SPNEGO to get the user name via that Tomcat filter (this part is already working)
  • I make a separate call via LDAP (on which I authenticate with Kerberos) to retrieve whatever information I need about the logged-in user (such as the groups it belongs to, etc.)

I am trying to use apacheds 2 for the LDAP search part.

Question (1): is my understanding correct? Is this usually done in a different way? (Maybe using SPNEGO to directly get all the info I need?)

Now, I'm trying to log in on the backend to LDAP via Kerberos, using apacheds, in order to retrieve the user info, like this:

    import javax.security.auth.login.Configuration;

    import org.apache.directory.ldap.client.api.LdapConnectionConfig;
    import org.apache.directory.ldap.client.api.LdapNetworkConnection;
    import org.apache.directory.ldap.client.api.SaslGssApiRequest;

    // Make the JDK print its Kerberos exchange (AS/TGS requests) to stdout
    System.setProperty("sun.security.krb5.debug", "true");

    // Plain connection settings for the directory server
    LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost("example.com");
    config.setLdapPort(389);
    config.setName("a_valid_username");
    config.setCredentials("the_correct_password");

    LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);

    // SASL/GSSAPI bind request: realm, KDC and JAAS login context for the client
    SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
    saslGssApiRequest.setRealmName("EXAMPLE.COM");
    saslGssApiRequest.setKdcHost("example.com");

    System.setProperty("java.security.auth.login.config", "C:\\workspace\\kerberos_stuff\\login.conf");
    saslGssApiRequest.setLoginModuleConfiguration( Configuration.getConfiguration() );
    saslGssApiRequest.setLoginContextName("spnego-client");

    saslGssApiRequest.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");
    saslGssApiRequest.setMutualAuthentication(false);
    saslGssApiRequest.setUsername("a_valid_username");
    saslGssApiRequest.setCredentials("the_correct_password");

    // Open the TCP connection, then perform the GSSAPI bind (both throw LdapException / IOException)
    ldapNetworkConnection.connect();
    ldapNetworkConnection.bind(saslGssApiRequest);

I get this error:

KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
org.apache.directory.api.ldap.model.exception.LdapException:   java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1537)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3902)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more

My questions are:

Q2: I would think that LDAP + Kerberos is a pretty commonly used combination; I would also think that apacheds is a commonly used library for this purpose (if not, what do you people use?). However, try as I might, I can't really find any example code for Kerberos through apacheds to access LDAP. I find tons of information about LDAP clients via apacheds, but not with Kerberos authentication. This usually indicates that I'm doing something wrong, or that I grasped the wrong end of the stick on this one (walking in the wrong direction). Any idea here?

Q3: SaslGssApiRequest seems like the exact way in which LdapNetworkConnection is meant to be used in order to access LDAP through Kerberos (in terms of apacheds, I mean). However, a quick search on Google for this class's name alone shows zero useful information (such as documentation on how it's meant to be used). Is there another, simpler way to accomplish my target by using apacheds (client side, I mean) but without SaslGssApiRequest?

Q4: Why isn't my above code working? Please note that if I change either the user or the password to something invalid (I'm currently using my regular XP user/pass to log in to LDAP), I get exactly the same error. Is there a need to specify the LDAP service principal name somewhere (even though I already specified host/port)? If so, where?

PS: My login.conf and krb5.ini files are exactly the same ones I use in the already working SPNEGO example, so they should be correct.

If anyone's interested, I found the problem.

It seems that apacheds, when using SaslGssApiRequest, builds the service's principal name out of the hostname placed in config.setLdapHost("example.com");

Although in my setup ldap.example.com and example.com point to the same machine, my LDAP service principal name was LDAP/ldap.example.com, but apacheds would attempt to find LDAP/example.com.

Changing

    config.setLdapHost("example.com");

to

    config.setLdapHost("ldap.example.com");

solved my problem.
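Putting the fix together with the two-step flow from the question, as an added example that is not the poster's code: a GSSAPI bind against the host name the LDAP SPN is registered under, followed by a memberOf lookup for the account the SPNEGO filter identified. The base DN, the realm and host names, the reuse of the question's "spnego-client" JAAS context, and the Apache Directory LDAP API 1.0 generic Value type are assumptions; the filter-escaping helper is hypothetical and stands in for any RFC 4515 encoder.

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.login.Configuration;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.SaslGssApiRequest;
public class GroupLookup {
    // RFC 4515 escaping (hypothetical helper): the account name comes from the SPNEGO filter and must not be able to alter the search filter
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            boolean special = c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0';
            sb.append(special ? String.format("\\%02x", (int) c) : String.valueOf(c));
        }
        return sb.toString();
    }
    // spnegoPrincipal is what the Tomcat filter returns, e.g. "jdoe@EXAMPLE.COM"; sAMAccountName is assumed to be the part before '@'
    static List<String> groupsOf(String spnegoPrincipal) throws Exception {
        String filter = "(sAMAccountName=" + escapeFilterValue(spnegoPrincipal.replaceFirst("@.*$", "")) + ")";
        LdapConnectionConfig config = new LdapConnectionConfig();
        // Must be the name the SPN is registered under (ldap/ldap.example.com): the GSSAPI bind derives the service principal from it
        config.setLdapHost("ldap.example.com");
        config.setLdapPort(389);
        SaslGssApiRequest req = new SaslGssApiRequest();   // credentials come from the JAAS login context
        req.setRealmName("EXAMPLE.COM");
        req.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");   // KDC address is taken from here
        req.setLoginModuleConfiguration(Configuration.getConfiguration());
        req.setLoginContextName("spnego-client");
        req.setMutualAuthentication(true);   // the client verifies the server's identity as well
        List<String> groups = new ArrayList<String>();
        LdapNetworkConnection conn = new LdapNetworkConnection(config);
        try {
            conn.connect();
            conn.bind(req);
            EntryCursor cursor = conn.search("DC=example,DC=com", filter, SearchScope.SUBTREE, "memberOf");
            while (cursor.next()) {
                Entry e = cursor.get();
                if (!e.containsAttribute("memberOf")) continue;   // user is in no groups
                for (Value<?> g : e.get("memberOf")) groups.add(g.getString());
            }
            cursor.close();
        } finally { conn.close(); }
        return groups;
    }
}
```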
