Kerberos SSO:高級流和ldap訪問
[英]Kerberos SSO : high level flow and ldap access
問題描述
掌握整個流程時遇到一些問題。 我正在嘗試完成所有強大的kerberos SSO集成,其中直接從Windows中選擇身份驗證用戶信息。
我正在使用:
- Tomcat 7中的Spnego過濾器,以便從IWA獲取用戶名
- Java 1.6
- 在后端將Windows Server 2003 / Windows XP作為客戶端計算機進行測試
我對整個流程的理解大致是這樣的:
- 我可以使用spnego通過該tomcat過濾器獲取用戶名(此部分已經在工作)
- 我通過LDAP(使用Kerberos進行身份驗證)進行了單獨的調用,以檢索我需要的有關登錄用戶的任何信息(例如它所屬的組等)
我正在嘗試使用apacheds 2搜索LDAP部分。
問題(1):我的理解正確嗎? 通常以其他方式完成此操作嗎? (也許使用spnego直接獲取我需要的所有信息?)
現在,我正在嘗試使用apacheds通過kerberos在后端登錄到LDAP,以便檢索用戶信息,如下所示:
System.setProperty("sun.security.krb5.debug", "true");
LdapConnectionConfig config = new LdapConnectionConfig();
config.setLdapHost("example.com");
config.setLdapPort(389);
config.setName("a_valid_username");
config.setCredentials("the_correct_password");
LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);
SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
saslGssApiRequest.setRealmName("EXAMPLE.COM");
saslGssApiRequest.setKdcHost("example.com");
System.setProperty("java.security.auth.login.config", "C:\\workspace\\kerberos_stuff\\login.conf");
saslGssApiRequest.setLoginModuleConfiguration( Configuration.getConfiguration() );
saslGssApiRequest.setLoginContextName("spnego-client");
saslGssApiRequest.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");
saslGssApiRequest.setMutualAuthentication(false);
saslGssApiRequest.setUsername("a_valid_username");
saslGssApiRequest.setCredentials("the_correct_password");
ldapNetworkConnection.connect();
ldapNetworkConnection.bind(saslGssApiRequest);
我收到此錯誤:
KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1537)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3902)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
我的問題是:
問題2:我認為ldap + kerberos是相當常用的組合; 我也認為apacheds是用於此目的的常用庫(如果沒有,您使用的是什么?)。 但是,請盡我所能嘗試,我實際上並沒有找到通過apaps訪問ldap的Kerberos示例代碼。 我通過修補程序找到了有關ldap客戶端的大量信息,但沒有使用Kerberos身份驗證。 這通常表示我做錯了什么,或者我抓住了一根棍子的錯誤末端(走錯了方向)。 這里有什么主意嗎?
Q3:SaslGssApiRequest似乎是要使用LdapNetworkConnection來通過kerberos訪問ldap的確切方式(就我而言,是指apaps)。 但是,僅在Google上快速搜索此類的名稱即可顯示零有用的信息(例如有關如何使用該名稱的文檔)。 是否有另一種更簡單的方法來實現我的目標,即使用apapds(我是說客戶端)卻沒有SaslGssApiRequest?
Q4:為什么我上面的代碼不起作用? 請注意,如果我更改用戶或傳遞給無效用戶(我目前使用的是常規XP用戶user / pass來登錄ldap),則會收到完全相同的錯誤。 是否需要在某個地方指定ldap的服務主體名稱(即使我已經指定了主機/端口)? 如果是這樣,在哪里?
PS我的login.conf和krb5.ini文件與在已經運行的spnego示例中使用的文件完全相同,因此它們應該是正確的。
1 個解決方案
解決方案1
0 已采納 2013-07-18 15:23:05
如果有人感興趣,我發現了問題。
似乎在使用SaslGssApiRequest時,它會根據放置在config.setLdapHost(“ example.com”);中的主機名來構建服務的主體名。
盡管在我的設置中ldap.example.com和example.com指向同一台機器,但是我的LDAP服務主體名稱是LDAP / ldap.example.com,但是經過分配的人會嘗試找到LDAP / example.com。
改變中
config.setLdapHost(“ example.com”);
至
config.setLdapHost(“ ldap.example.com”);
解決了我的問題。
Kerberos SSO集成
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.