
  • Kerberos authentication

    Hi, I'm starting a new application that reads Active Directory contents and saves them into the database. To access the Active Directory I have to use Kerberos authentication. Is it possible to set up Kerberos in LdapTemplate or LdapContextSource?

    Thank you

  • #2
    Unfortunately, I can't tell you how to hook in Kerberos to Spring LDAP. You might want to look into using Spring Security (Acegi), and possibly use its JAAS authentication provider with a Kerberos Login Module, as they discuss in this thread.


    • #3
      You might be able to do it in a custom implementation of AbstractContextSource#setupAuthenticatedEnvironment()


      • #4
        Was anyone able to achieve Kerberos authentication for an LDAP server connection?


        • #5
          There is improved support for custom authentication mechanisms in the 1.3.0 version of Spring LDAP. We have no explicit support for Kerberos, but it should be possible to implement using a custom DirContextAuthenticationStrategy and supplying that to your ContextSource.


          • #6
            I am not sure I understand how I can accomplish this. In my case I already have a javax.security.auth.kerberos.KerberosTicket object. I need to use this ticket (it was forwarded to my application) to authenticate to the LDAP server. I am currently using LdapAuthenticationProvider with BindAuthenticator to bind a user/pass in the LDAP server. But in the case where a username and password is not supplied I want to use the KerberosTicket credentials to bind the principal and then look up some attributes. I am obviously missing something because the BindAuthenticator wants a username and password provided and I can't get that information out of the KerberosTicket; all I can get is the principal. How can I bind to LDAP with nothing more than a KerberosTicket object?


            • #7
              I think I need to use Subject.doAs() but I am not sure what to do in the PrivilegedAction. I am also not sure if I want to run my PrivilegedAction in the setupEnvironment or processContextAfterCreation if I am using the DirContextAuthenticationStrategy. My goal is to look up the user attributes and roles for the principal in my KerberosTicket.


              • #8
                Right, as I indicated before I'm not very familiar with Kerberos. Looking quickly at the documentation it seems that it would suffice to implement DirContextAuthenticationStrategy#setupEnvironment and set up the appropriate environment settings there. You would then execute the call to e.g. LdapTemplate#search inside your PrivilegedAction implementation; that in turn will trigger a DirContext creation using your DirContextAuthenticationStrategy in the same thread of execution so everything should work out fine. Hope this works out for you, I'd be very interested to know the result.


                • #9
                  I will most definitely keep you informed, thank you for all the help on this. I think it's starting to make sense to me. I was trying to do all my Kerberos stuff in this one class, DirContextAuthenticationStrategy, but I need to do my PrivilegedAction elsewhere in my code (the LdapTemplate#search) and just let this DirContextAuthenticationStrategy do my setup, like setting my realm and KDC. I was hoping there was a magic way to keep using BindAuthenticator but I will need to write my own Authenticator that uses a PrivilegedAction to do my search as mentioned above. Thanks again for the information.


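The approach discussed in posts #5 to #9, as an added example that is not code from any poster or from the Spring LDAP project: a DirContextAuthenticationStrategy that switches the bind to SASL/GSSAPI, with the search run inside Subject.doAs(). The class names `GssapiAuthenticationStrategy` and `KerberosLdapLookup` are hypothetical, and the sketch assumes the forwarded KerberosTicket is a ticket-granting ticket and that realm and KDC are configured for the JVM.

```java
import java.security.PrivilegedAction;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;

/** Hypothetical strategy: replaces the simple bind with a SASL/GSSAPI bind. */
class GssapiAuthenticationStrategy implements DirContextAuthenticationStrategy {
    public void setupEnvironment(Hashtable env, String userDn, String password) {
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Ask the server to prove its identity too, and protect the LDAP traffic.
        env.put("javax.security.sasl.server.authentication", "true");
        env.put("javax.security.sasl.qop", "auth-conf");
        // No DN or password is sent; the identity comes from the Kerberos Subject.
        env.remove(Context.SECURITY_PRINCIPAL);
        env.remove(Context.SECURITY_CREDENTIALS);
    }
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password) {
        return ctx; // nothing left to do once the GSSAPI bind has succeeded
    }
}

/** Hypothetical helper: runs an LdapTemplate search as the ticket's principal. */
class KerberosLdapLookup {
    private final LdapTemplate ldapTemplate;
    KerberosLdapLookup(String ldapUrl) throws Exception {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(ldapUrl);
        cs.setPooled(false); // a connection bound as one user must not be reused for another
        cs.setAuthenticationStrategy(new GssapiAuthenticationStrategy());
        cs.afterPropertiesSet();
        ldapTemplate = new LdapTemplate(cs);
    }
    List<?> search(KerberosTicket tgt, final String base, final String filter,
                   final AttributesMapper mapper) {
        Subject subject = new Subject();
        subject.getPrincipals().add(tgt.getClient());
        subject.getPrivateCredentials().add(tgt);
        // The DirContext is created on this thread, so JGSS picks up the Subject's ticket.
        return Subject.doAs(subject, new PrivilegedAction<List<?>>() {
            public List<?> run() { return ldapTemplate.search(base, filter, mapper); }
        });
    }
}
```

The LDAP URL should use the server's fully qualified host name, because the GSSAPI bind requests a service ticket for that host.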
                  • #10
                    Kerberos/AD

                    Hi Guys,
                    I have a very similar requirement, but cannot migrate to Spring 3.0 (to use the spring-security-extension for Kerberos).
                    Has anybody managed to set this up (authenticate to AD using Kerberos with the user name/password provided and fetch group info for the user)?

                    Thanks in advance.
