Using Kerberos 5 keytab to authenticate LDAP resolver with 3.2.1

Robert Bradley robert.bradley at it.ox.ac.uk
Thu Feb 4 09:39:01 EST 2016


On 03/02/16 12:49, King, David wrote:
> 
> Has anyone used GSSAPI with a Kerberos keytab to authenticate the
> LDAP resolver with 3.x?  If so, how did you configure it?  Is there
> any resource that I missed on how to configure/debug this?
> 
> Thanks in advance for the help, David
> 

We (Oxford) are doing this in a similar way to Simon Lundström's post.
One major difference though is that our setup uses the
sun.security.jgss.native property to force the use of native Kerberos
libraries.  I have found in the past that this makes life a lot
simpler!  This also simplifies the configuration in jaas.conf
considerably, at the expense of having to set up the KRB5CCNAME
environment variable in the scripts that start Tomcat.

Our Java parameters for this look like:

-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.jgss.native=true
-Djava.security.auth.login.config=${CONF_PATH}/jaas.conf

and jaas.conf is:

--- jaas.conf ---

// With sun.security.jgss.native=true the system Kerberos library does the
// GSS work from the credential cache named by KRB5CCNAME, so these blocks
// stay minimal (no keyTab/principal/storeKey). Note that useSubjectCredsOnly
// is not a Krb5LoginModule option and is ignored here; the effective switch
// is the -Djavax.security.auth.useSubjectCredsOnly=false system property.
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    useSubjectCredsOnly=false;
};
pgjdbc {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    useSubjectCredsOnly=false;
};
ldaptive {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    useSubjectCredsOnly=false;
};
------

The pgjdbc block is there so that we can use GSSAPI authentication to
Postgres, although this is unneeded at the moment.

-- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
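The post leaves out the piece that the native-JGSS approach depends on: something has to put a ticket into the cache named by KRB5CCNAME before Tomcat starts, and keep it fresh afterwards. The following setenv.sh-style script is an added example written for this page, not code from the original post, from Oxford, or from the Shibboleth project. The keytab path, principal, cache location and CONF_PATH are assumptions; it expects an MIT or Heimdal kinit/klist on the host.

```shell
#!/bin/sh
# Startup wiring for a Tomcat-hosted IdP using sun.security.jgss.native=true.
# Added example: IDP_KEYTAB, IDP_PRINCIPAL, IDP_CCACHE and CONF_PATH below
# are assumed site-specific values, not taken from the original post.
: "${IDP_KEYTAB:=/etc/shibboleth/idp-ldap.keytab}"   # long-term key: owner-only
: "${IDP_PRINCIPAL:=idp/idp.example.org@EXAMPLE.ORG}" # principal held in that keytab
: "${IDP_CCACHE:=/var/lib/tomcat/krb5cc_idp}"         # dedicated cache, not /tmp/krb5cc_<uid>
: "${CONF_PATH:=/opt/shibboleth-idp/conf}"

# Export KRB5CCNAME and the three JVM options from the post. Pure function:
# it touches nothing on disk, so it can be sourced and checked safely.
krb_setup_env() {
    KRB5CCNAME="FILE:$IDP_CCACHE"
    export KRB5CCNAME
    JAVA_OPTS="${JAVA_OPTS:+$JAVA_OPTS }-Djavax.security.auth.useSubjectCredsOnly=false"
    JAVA_OPTS="$JAVA_OPTS -Dsun.security.jgss.native=true"
    JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=$CONF_PATH/jaas.conf"
    export JAVA_OPTS
}

# A keytab is equivalent to the principal's password: accept only modes
# whose group and other digits are zero (600, 400, 0600, ...).
keytab_mode_ok() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if the cache holds an unexpired TGT, 1 otherwise. klist -s is silent
# and reports exactly that through its exit status (MIT and Heimdal).
krb_ticket_valid() {
    klist -s 2>/dev/null
}

# Obtain (or replace) the TGT from the keytab into the dedicated cache,
# refusing to continue if the keytab is readable by anyone but its owner.
krb_obtain_ticket() {
    mode=$(stat -c '%a' "$IDP_KEYTAB" 2>/dev/null || stat -f '%Lp' "$IDP_KEYTAB")
    if ! keytab_mode_ok "$mode"; then
        echo "refusing: $IDP_KEYTAB has mode $mode; chmod 600 it" >&2
        return 1
    fi
    kinit -k -t "$IDP_KEYTAB" -c "$KRB5CCNAME" "$IDP_PRINCIPAL"
}

# Renew if the TGT is still renewable, otherwise re-acquire from the keytab.
# Run this from cron or a systemd timer inside the ticket lifetime; the
# native library reads the cache file when it acquires credentials, so the
# running JVM picks the new ticket up without a restart.
krb_refresh_ticket() {
    kinit -R -c "$KRB5CCNAME" "$IDP_PRINCIPAL" 2>/dev/null || krb_obtain_ticket
}

# Only act when invoked as "start" (or "refresh"), so that sourcing this
# file for its functions has no side effects.
case "${1:-}" in
    start)   krb_setup_env; krb_ticket_valid || krb_obtain_ticket || exit 1 ;;
    refresh) krb_setup_env; krb_refresh_ticket || exit 1 ;;
esac
```

Source it from Tomcat's setenv.sh with the `start` argument and schedule `refresh` at, say, every few hours, since a default TGT lifetime is around ten hours. With MIT krb5 1.11 or later there is a simpler alternative: set KRB5_CLIENT_KTNAME to the keytab path in the Tomcat environment and libgssapi will acquire and refresh the initiator credential from the keytab itself, which removes the kinit and cron steps while keeping jaas.conf as minimal as in the post.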