Is there a way to create an LdapContext using a keytab file instead of directly providing credentials? Let's assume that I currently have this piece of code:
```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, LDAP_PRINCIPAL);
env.put(Context.SECURITY_CREDENTIALS, LDAP_CREDENTIALS);
LdapContext ctx = new InitialLdapContext(env, null); // throws NamingException
```
As you can see, I specify the username and password manually. What's the proper way to specify a keytab file instead?
Yes, you can, and this works very well. Have a look at my DirContextSource library; it will do all the hard work for you:
```java
import javax.naming.NamingException;
import javax.naming.directory.DirContext;

DirContextSource.Builder builder = new DirContextSource.Builder("ldap://hostname");
builder.gssApiAuth("MyAlternativeEntryName");
DirContextSource contextSource = builder.build();
// try and catch block omitted for the sake of brevity,
// handle NamingException appropriately
DirContext context = contextSource.getDirContext();
// Perform operations
context.close();
```
Make sure that you have a login.conf configured with the entry MyAlternativeEntryName, which looks like:

```
MyAlternativeEntryName {
    com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
    principal="myprincipal@EXAMPLE.COM"
    useKeyTab=true keyTab="/path/to/krb5.keytab" storeKey=true;
};
```
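For readers who would rather not pull in a library, here is an added example (not part of the question and not code from the DirContextSource project) that does the same thing with plain JAAS and JNDI: log in through the Krb5LoginModule entry from the login.conf above to obtain credentials from the keytab, then create the InitialLdapContext inside Subject.doAs with SASL/GSSAPI instead of a simple bind. The class name, the provider URL and the assumption that login.conf is supplied via -Djava.security.auth.login.config (and that krb5.conf points at the right KDC) are mine, not from the page.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KeytabLdapContext {

    // Assumption: the JVM is started with
    //   -Djava.security.auth.login.config=/path/to/login.conf
    // and that file contains the MyAlternativeEntryName entry shown above.
    private static final String JAAS_ENTRY = "MyAlternativeEntryName";

    // Placeholder host; replace with your directory server.
    private static final String LDAP_PROVIDER_URL = "ldap://ldap.example.com:389";

    public static LdapContext createContext() throws LoginException, NamingException {
        // 1. Authenticate to the KDC using the keytab. With useKeyTab=true and
        //    doNotPrompt=true the login module never asks for a password.
        LoginContext login = new LoginContext(JAAS_ENTRY);
        login.login();
        Subject subject = login.getSubject();

        // 2. JNDI environment: SASL/GSSAPI replaces the "simple" bind, so no
        //    SECURITY_PRINCIPAL or SECURITY_CREDENTIALS entries are needed.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Ask for integrity plus confidentiality on the SASL layer so the
        // session is not left in plaintext after the bind completes.
        env.put("javax.security.sasl.qop", "auth-conf");

        // 3. Create the context while the Kerberos credentials are bound to the
        //    current thread; the GSSAPI mechanism picks them up from the Subject.
        try {
            return Subject.doAs(subject,
                    (PrivilegedExceptionAction<LdapContext>) () -> new InitialLdapContext(env, null));
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof NamingException) {
                throw (NamingException) cause;
            }
            throw new IllegalStateException("LDAP bind failed", cause);
        }
    }

    public static void main(String[] args) throws Exception {
        LdapContext ctx = createContext();
        try {
            // Perform operations
        } finally {
            ctx.close();
        }
    }
}
```

Note that every LDAP operation that should use the Kerberos identity, not just the initial bind, has to run inside Subject.doAs when the context is re-authenticated or reconnected; the keytab never leaves the JAAS login module, so nothing in the JNDI environment carries a secret.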
In short, it is not possible to do this: authorization is done by LDAP, while the keytab handles authentication. One can only create an LdapContext using LDAP-based methods. Keytabs and their invocation as a method and context fall under the Kerberos protocol, which is a different protocol. While both are commonly used together on the major directory service systems on the market today (such as Active Directory, OpenLDAP, Red Hat IDM), you can't overlap in terms of having an LdapContext use a keytab. Keytabs are commonly used in authentication methods, while authorization methods more typically fall under LDAP (groups or attributes). If you want to use a keytab file for Java-based authentication, take a look at this: Creating a keytab for Java clients