Kerberos SSO:高级流和ldap访问
[英]Kerberos SSO : high level flow and ldap access
问题描述
掌握整个流程时遇到一些问题。 我正在尝试完成所有强大的kerberos SSO集成,其中直接从Windows中选择身份验证用户信息。
我正在使用:
- Tomcat 7中的Spnego过滤器,以便从IWA获取用户名
- Java 1.6
- 在后端将Windows Server 2003 / Windows XP作为客户端计算机进行测试
我对整个流程的理解大致是这样的:
- 我可以使用spnego通过该tomcat过滤器获取用户名(此部分已经在工作)
- 我通过LDAP(使用Kerberos进行身份验证)进行了单独的调用,以检索我需要的有关登录用户的任何信息(例如它所属的组等)
我正在尝试使用apacheds 2搜索LDAP部分。
问题(1):我的理解正确吗? 通常以其他方式完成此操作吗? (也许使用spnego直接获取我需要的所有信息?)
现在,我正在尝试使用apacheds通过kerberos在后端登录到LDAP,以便检索用户信息,如下所示:
System.setProperty("sun.security.krb5.debug", "true");
LdapConnectionConfig config = new LdapConnectionConfig();
config.setLdapHost("example.com");
config.setLdapPort(389);
config.setName("a_valid_username");
config.setCredentials("the_correct_password");
LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);
SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
saslGssApiRequest.setRealmName("EXAMPLE.COM");
saslGssApiRequest.setKdcHost("example.com");
System.setProperty("java.security.auth.login.config", "C:\\workspace\\kerberos_stuff\\login.conf");
saslGssApiRequest.setLoginModuleConfiguration( Configuration.getConfiguration() );
saslGssApiRequest.setLoginContextName("spnego-client");
saslGssApiRequest.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");
saslGssApiRequest.setMutualAuthentication(false);
saslGssApiRequest.setUsername("a_valid_username");
saslGssApiRequest.setCredentials("the_correct_password");
ldapNetworkConnection.connect();
ldapNetworkConnection.bind(saslGssApiRequest);
我收到此错误:
KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1537)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3902)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
我的问题是:
问题2:我认为ldap + kerberos是相当常用的组合; 我也认为apacheds是用于此目的的常用库(如果没有,您使用的是什么?)。 但是,请尽我所能尝试,我实际上并没有找到通过apaps访问ldap的Kerberos示例代码。 我通过修补程序找到了有关ldap客户端的大量信息,但没有使用Kerberos身份验证。 这通常表示我做错了什么,或者我抓住了一根棍子的错误末端(走错了方向)。 这里有什么主意吗?
Q3:SaslGssApiRequest似乎是要使用LdapNetworkConnection来通过kerberos访问ldap的确切方式(就我而言,是指apaps)。 但是,仅在Google上快速搜索此类的名称即可显示零有用的信息(例如有关如何使用该名称的文档)。 是否有另一种更简单的方法来实现我的目标,即使用apapds(我是说客户端)却没有SaslGssApiRequest?
Q4:为什么我上面的代码不起作用? 请注意,如果我更改用户或传递给无效用户(我目前使用的是常规XP用户user / pass来登录ldap),则会收到完全相同的错误。 是否需要在某个地方指定ldap的服务主体名称(即使我已经指定了主机/端口)? 如果是这样,在哪里?
PS我的login.conf和krb5.ini文件与在已经运行的spnego示例中使用的文件完全相同,因此它们应该是正确的。
1 个解决方案
解决方案1
0 已采纳 2013-07-18 15:23:05
如果有人感兴趣,我发现了问题。
似乎在使用SaslGssApiRequest时,它会根据放置在config.setLdapHost(“ example.com”);中的主机名来构建服务的主体名。
尽管在我的设置中ldap.example.com和example.com指向同一台机器,但是我的LDAP服务主体名称是LDAP / ldap.example.com,但是经过分配的人会尝试找到LDAP / example.com。
改变中
config.setLdapHost(“ example.com”);
至
config.setLdapHost(“ ldap.example.com”);
解决了我的问题。
Kerberos SSO集成
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.