Accessing an LDAP service using a pure Java stand-alone client in a Kerberos environment


gfletscher

Aug 28, 2016, 9:09:53 AM8/28/16
to waffle
Hello,

I am working on a Windows 7 machine which is logged in to a domain using Kerberos.
Now I am trying to log on to an LDAP service to perform some operations using my user credentials.

My understanding is that with Waffle I can access the Windows built-in ticket cache to obtain the TGT, with which in turn I can
obtain a ticket for the aforementioned LDAP service from the KDC.
With that in mind, I am trying to obtain an LdapContext to perform my desired operations upon, but currently I just fail (which I think is due to my poor understanding of the whole
process). What do I have to do to get an InitialLdapContext in method testLdapServiceLogin()? In which way does this method need to be changed?

Thanks for any advice!

Best

George


import java.security.PrivilegedAction;
import java.util.Properties;

import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.sun.jna.platform.win32.Sspi.SecBufferDesc;

import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.impl.WindowsAccountImpl;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

public class Example {
    private final Properties env;

    public static void main(String[] args) {
        new Example();
    }

    public Example() {
        env = new Properties();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.referral", "ignore");
        // ask the SASL layer for confidentiality and integrity after authentication
        env.put("javax.security.sasl.qop", "auth-conf");
        env.put("java.naming.provider.url", "ldap://<host>.<realm>:389");
        env.put("java.naming.security.authentication", "GSSAPI");
        System.setProperty("java.security.auth.login.config", "<path>\\gssapi-waffle.conf");
        System.setProperty("java.security.auth.policy", "<path>\\jaas.policy");

        // obtain an SSPI token for the LDAP service principal and hand it to JNDI via env
        byte[] serviceTicket = getServiceTicketSSPI("LDAP/<host>.<realm>");
        env.put("javax.security.auth.kerberos.KerberosTicket", serviceTicket);

        testLdapServiceLogin();
    }

    private void testLdapServiceLogin() {
        LoginContext lc = null;
        try {
            // "Jaas" is the entry name in gssapi-waffle.conf (waffle.jaas.WindowsLoginModule)
            lc = new LoginContext("Jaas");
            lc.login();

            // open the LDAP context as the logged-in Subject
            LdapContext ldapContext = Subject.doAs(lc.getSubject(), new PrivilegedAction<LdapContext>() {
                @Override
                public LdapContext run() {
                    InitialLdapContext result = null;
                    try {
                        result = new InitialLdapContext(env, null);
                    } catch (NamingException ex) {
                        ex.printStackTrace();
                    }
                    return result;
                }
            });
            System.out.println(ldapContext);
        } catch (LoginException ex) {
            ex.printStackTrace();
        }
    }

    public byte[] getServiceTicketSSPI(final String serviceName) {
        final String securityPackage = "Kerberos";
        IWindowsCredentialsHandle clientCredentials = null;
        WindowsSecurityContextImpl clientContext = null;

        final String currentUser = WindowsAccountImpl.getCurrentUsername();
        try {
            // credentials handle of the interactively logged-on user (backed by the LSA ticket cache)
            clientCredentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
            clientCredentials.initialize();
            // initial client security context
            clientContext = new WindowsSecurityContextImpl();
            clientContext.setPrincipalName(currentUser);
            clientContext.setCredentialsHandle(clientCredentials);
            clientContext.setSecurityPackage(securityPackage);

            // InitializeSecurityContext loop; no server reply is ever fed back here,
            // so the continue token stays null and this yields the client's first token only
            final SecBufferDesc continueToken = null;
            do {
                clientContext.initialize(clientContext.getHandle(), continueToken, serviceName);
            } while (clientContext.isContinue());
            return clientContext.getToken();
        } finally {
            if (clientContext != null) {
                clientContext.dispose();
            }
            if (clientCredentials != null) {
                clientCredentials.dispose();
            }
        }
    }
}


Content of gssapi-waffle.conf:
Jaas {
  waffle.jaas.WindowsLoginModule sufficient debug=true;
};


Content of jaas.policy:
grant Principal * * {
  permission java.security.AllPermission "/*";
};
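The route the stock JDK expects for what the post above asks, as an added example (not George's code and not part of Waffle): Krb5LoginModule takes the TGT from the ticket cache and JNDI's GSSAPI SASL client fetches the LDAP service ticket itself, so no hand-built SSPI token is placed in env. Assumed and not from the thread: the JAAS entry name LdapClient, the file gssapi.conf, the host ldap.example.test and the base DN DC=example,DC=test; Java 11 or later.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class JdkGssapiLdapExample {
    /* Assumed JAAS file gssapi.conf (set in main), reading the TGT from the ticket cache:
     *   LdapClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true; }; */
    private static final String JAAS_ENTRY = "LdapClient";

    static Hashtable<String, String> ldapEnv(String ldapUrl) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.provider.url", ldapUrl);
        env.put("java.naming.security.authentication", "GSSAPI");    // SASL bind, creds from the Subject
        env.put("javax.security.sasl.qop", "auth-conf");              // accept only an encrypted SASL layer
        env.put("javax.security.sasl.server.authentication", "true"); // mutual auth: client verifies server
        return env;
    }

    // JAAS login first; the bind runs inside doAs() so the GSSAPI client finds the TGT in the Subject
    static LdapContext connect(String ldapUrl) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<LdapContext>)
                    () -> new InitialLdapContext(ldapEnv(ldapUrl), null));
        } catch (PrivilegedActionException e) {
            throw e.getException(); // the underlying NamingException
        }
    }

    // the kind of operation the context is wanted for: a subtree search, counting the hits
    static int countEntries(LdapContext ctx, String baseDn, String filter) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        int n = 0;
        for (var hits = ctx.search(baseDn, filter, sc); hits.hasMore(); hits.next()) n++;
        return n;
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.auth.login.config", "gssapi.conf"); // assumed file
        LdapContext ctx = connect("ldap://ldap.example.test:389");             // assumed host
        System.out.println(countEntries(ctx, "DC=example,DC=test", "(objectClass=user)"));
        ctx.close();
    }
}
```

On Windows the JDK reads the LSA ticket cache, but the TGT session key is only exported to it when the DWORD allowtgtsessionkey under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters is set to 1; without it the login fails even though klist shows the ticket.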



gfletscher

Dec 2, 2016, 9:02:19 AM12/2/16
to waffle
Hello,

It's been a while since I have been working on this. Unfortunately, though, not successful in the end. However, I figured out a way to replace the out-of-the-box GSSAPI mechanism within the VM with my own implementation using SSPI through Waffle.
The way to go was to register my own Java Security Provider, which registers a new factory for the "GSSAPI" mechanism, essentially overwriting the GSSKrb5Client and all its associated classes.

I failed in the end to properly wrap and unwrap (encrypt/decrypt) the secrets exchanged between client and server to successfully authorize my user for using the LDAP service (again, I want to employ the LDAP service to do some operation on it, for example, search for something).

Maybe somebody else may find the attached demo project useful and can build on that. If so, and you find the last missing piece of the puzzle, please let me know. :)

Note: import the demo project into your Eclipse IDE and simply execute the already existing launch configuration. But make sure to provide the required information in the SSPIDemo class file (marked with //TODO). The application lets you choose to use out-of-the-box GSSAPI auth or SSPI auth. Note: when using GSSAPI auth, your kerberos.ini must be properly configured.

Have fun!
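The exchange George says he could not get right is the RFC 4752 security-layer negotiation that follows the Kerberos handshake; this added example (not from the attached demo and not Waffle code, Java 17 or later) shows the framing of those two tokens and the check a client must do before replying, leaving the wrapping of the tokens to the caller's GSS or SSPI context. The server bytes in main() are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class Rfc4752Negotiation {
    // security-layer bits from RFC 4752, section 3.1
    static final int LAYER_NONE = 1, LAYER_INTEGRITY = 2, LAYER_CONFIDENTIALITY = 4;
    /** Server offer: bitmask of supported layers and the largest message it accepts. */
    record ServerOffer(int layers, int maxServerMsg) {}

    // the 4 octets the server sends once the Kerberos context exists; the caller has already
    // unwrapped them (GSS_Unwrap / SSPI DecryptMessage, integrity only, no confidentiality)
    static ServerOffer parseServerOffer(byte[] token) {
        if (token.length != 4) throw new IllegalArgumentException("expected 4 octets, got " + token.length);
        int max = ((token[1] & 0xFF) << 16) | ((token[2] & 0xFF) << 8) | (token[3] & 0xFF);
        return new ServerOffer(token[0] & 0xFF, max);
    }
    // maps a javax.security.sasl.qop value to one layer bit and refuses anything not offered:
    // a downgrade check, never a silent fallback to a weaker layer
    static int chooseLayer(ServerOffer offer, String qop) {
        int wanted = switch (qop) {
            case "auth-conf" -> LAYER_CONFIDENTIALITY;
            case "auth-int" -> LAYER_INTEGRITY;
            case "auth" -> LAYER_NONE;
            default -> throw new IllegalArgumentException("unknown qop " + qop);
        };
        if ((offer.layers() & wanted) == 0)
            throw new SecurityException("server does not offer " + qop + ", mask=" + offer.layers());
        return wanted;
    }
    // client reply: chosen layer, 3-octet max buffer (0 when no layer), optional authzid;
    // the caller wraps it (conf_flag FALSE) and sends it in the last SASL bind request
    static byte[] buildClientReply(int layer, int maxClientMsg, String authzid) {
        int max = layer == LAYER_NONE ? 0 : maxClientMsg;
        byte[] id = authzid == null ? new byte[0] : authzid.getBytes(StandardCharsets.UTF_8);
        byte[] out = new byte[4 + id.length];
        out[0] = (byte) layer;
        out[1] = (byte) (max >>> 16);
        out[2] = (byte) (max >>> 8);
        out[3] = (byte) max;
        System.arraycopy(id, 0, out, 4, id.length);
        return out;
    }

    public static void main(String[] args) {
        byte[] serverToken = {0x07, 0x00, (byte) 0xFF, (byte) 0xFF}; // constructed: all layers, max 65535
        ServerOffer offer = parseServerOffer(serverToken);
        int layer = chooseLayer(offer, "auth-conf");
        System.out.println(Arrays.toString(buildClientReply(layer, 65536, null)));
    }
}
```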

gfletscher

Dec 2, 2016, 9:07:42 AM12/2/16
to waffle
Attached SSPIDemo Project, but had to remove Waffle libs due to upload size limits. Please add them yourself.
SSPIDemo.7z

Daniel Doubrovkine

Dec 4, 2016, 10:09:31 AM12/4/16
to waffle...@googlegroups.com
Thanks! It would be really helpful if you could put this on Github as source, and to add an FAQ to Waffle's. 


On Fri, Dec 2, 2016 at 9:07 AM, gfletscher <georg.f...@gmail.com> wrote:
Attached SSPIDemo Project, but had to remove Waffle libs due to upload size limits. Please add them yourself.



