
How to authenticate in LDAP server using keytab

Is there a possible way to create an LdapContext using a keytab file instead of directly providing credentials? So let's assume that I currently have such a piece of code:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, LDAP_PRINCIPAL);
env.put(Context.SECURITY_CREDENTIALS, LDAP_CREDENTIALS);
LdapContext ctx = new InitialLdapContext(env, null); // throws NamingException

So as you can see, I specify the username and password manually. What's the proper way to specify a keytab file instead?

Yes, you can, and this works very well. Have a look at my DirContextSource library; it will do all the hard work for you:

DirContextSource.Builder builder = new DirContextSource.Builder("ldap://hostname");
builder.gssApiAuth("MyAlternativeEntryName");
DirContextSource contextSource = builder.build();
// try and catch block omitted for the sake of brevity,
// handle NamingException appropriately
DirContext context = contextSource.getDirContext();
// Perform operations
context.close();

Make sure that you have a login.conf configured with the entry MyAlternativeEntryName, which looks like:

MyAlternativeEntryName {
        com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
        principal="myprincipal@EXAMPLE.COM"
        useKeyTab=true keyTab="/path/to/krb5.keytab" storeKey=true;
};
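For readers who want to see what such a library does underneath, here is the same flow written directly against JDK classes (an added example, not code from the question, the answer or the DirContextSource project): a JAAS login that takes the Kerberos ticket from the keytab, then an LDAP bind with the GSSAPI SASL mechanism executed under Subject.doAs so JNDI picks up that ticket. The entry name matches the login.conf above; the LDAP URL and the login.conf path are assumed placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class KeytabLdapBind {
    // Assumed values: replace with your directory URL and the location of login.conf.
    private static final String LDAP_PROVIDER_URL = "ldap://ldap.example.com:389";
    private static final String LOGIN_CONF = "/path/to/login.conf";
    // JAAS entry name from the login.conf shown above (Krb5LoginModule with useKeyTab=true).
    private static final String JAAS_ENTRY = "MyAlternativeEntryName";

    public static void main(String[] args) throws Exception {
        // Tell JAAS where the Krb5LoginModule entry lives
        // (equivalent to -Djava.security.auth.login.config=... on the command line).
        System.setProperty("java.security.auth.login.config", LOGIN_CONF);

        // Step 1: obtain a TGT from the keytab. doNotPrompt=true in login.conf means
        // no password is ever asked for; the key is read from the keytab file.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();

        // Step 2: perform the bind as that Subject. With the default
        // javax.security.auth.useSubjectCredsOnly=true, the GSSAPI mechanism takes the
        // Kerberos credentials from the Subject's private credential set.
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_PROVIDER_URL);
            // "GSSAPI" instead of "simple": no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS,
            // so no password ever sits in the JNDI environment or travels over the wire.
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Ask for integrity and confidentiality on the SASL layer after the bind.
            env.put("javax.security.sasl.qop", "auth-conf");

            LdapContext ctx = new InitialLdapContext(env, null);
            try {
                // Perform LDAP operations here (search, lookup, ...)
            } finally {
                ctx.close();
            }
            return null;
        });
        lc.logout(); // drop the ticket when done
    }
}
```

If the bind fails with a GSS error, check that the principal in login.conf exactly matches an entry in the keytab (klist -k) and that krb5.conf resolves the realm; the LDAP server itself never sees the keytab.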

In short, it is not possible to do this: authorization is done by LDAP, while the keytab handles authentication. One can only create an LdapContext using LDAP-based methods. Keytabs and their invocation as a method and context fall under the Kerberos protocol, which is a different protocol. While both are commonly used together on the major directory service systems on the market today (such as Active Directory, OpenLDAP, Red Hat IDM), you can't overlap in terms of having an LdapContext using a keytab. Keytabs are commonly used in authentication methods, while authorization methods more typically fall under LDAP (groups or attributes). If you want to use a keytab file for Java-based authentication, take a look at this: Creating a keytab for java clients
