Using Kerberos 5 keytab to authenticate LDAP resolver with 3.2.1
Simon Lundström
simlu at su.se
Tue Feb 16 08:18:43 EST 2016
On Thu, 2016-02-04 at 14:39:01 +0000, Robert Bradley wrote:
> On 03/02/16 12:49, King, David wrote:
> >
> > Has anyone used GSSAPI with a Kerberos keytab to authenticate the
> > LDAP resolver with 3.x? If so, how did you configure it? Is there
> > any resource that I missed on how to configure/debug this?
> >
> > Thanks in advance for the help, David
> >
>
> We (Oxford) are doing this in a similar way to Simon Lundström's post.
> One major difference though is that our setup uses the
> sun.security.jgss.native property to force the use of native Kerberos
> libraries. I have found in the past that this makes life a lot
> simpler! This also simplifies the configuration in jaas.conf
> considerably, at the expense of having to set up the KRB5CCNAME
> environment variable in the scripts that start Tomcat.
>
> Our Java parameters for this look like:
>
> -Djavax.security.auth.useSubjectCredsOnly=false
> -Dsun.security.jgss.native=true
> -Djava.security.auth.login.config=${CONF_PATH}/jaas.conf
Thanks again for this Robert! So much nicer to use native Kerberos
support, e.g. the JVM doesn't do an AS-REQ for the service user every time
it needs to verify a user's password.
Sadly, it seems like using JGSS native breaks SPNEGO:
2016-02-09 14:23:42,575 - WARN [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:94] - Profile Action ValidateExternalAuthentication: External authentication produced exception
net.shibboleth.idp.authn.ExternalAuthenticationException: SPNEGONotAvailable
at net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController.continueSPNEGO(SPNEGOAuthnController.java:167)
Caused by: sun.security.jgss.GSSExceptionImpl: Provider SunNativeGSS does not support mechanism 1.3.6.1.5.5.2
at sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:253)
Are you using GSSAPI with JGSS native, Robert? Is that working?
BR,
- Simon
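An added example, not code from this thread or from the Shibboleth project: a minimal Tomcat start wrapper that ties together the three JVM flags Robert listed with the KRB5CCNAME requirement he mentions. It obtains a TGT from the resolver's keytab into a private credential cache, exports KRB5CCNAME so the native Kerberos library can find it, refuses to start if the keytab is readable by other users, and then launches Tomcat with the flags. The keytab path, principal, cache path, CONF_PATH default and CATALINA_HOME are assumptions; it covers only the LDAP/GSSAPI side, not the SPNEGO failure Simon reports.

```shell
#!/bin/sh
# Added example (not from the thread). Wrapper that prepares native Kerberos
# credentials for a Shibboleth IdP LDAP resolver and starts Tomcat with the
# JVM properties from Robert's post. All paths and the principal are assumed.

CONF_PATH="${CONF_PATH:-/opt/shibboleth-idp/conf}"                         # assumed
IDP_KEYTAB="${IDP_KEYTAB:-/etc/shibboleth-idp/idp.keytab}"                  # assumed
IDP_PRINCIPAL="${IDP_PRINCIPAL:-ldap-resolver/idp.example.org@EXAMPLE.ORG}" # assumed
IDP_CCACHE="${IDP_CCACHE:-/run/shibboleth-idp/krb5cc_idp}"                  # assumed

# Build the JVM flags from the post: useSubjectCredsOnly=false lets JGSS use
# the process credential cache instead of a JAAS Subject, jgss.native=true
# selects the platform Kerberos library, and the last points JAAS at jaas.conf.
build_java_opts() {
    printf '%s' "-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.jgss.native=true -Djava.security.auth.login.config=$1/jaas.conf"
}

# A keytab is a long-lived secret equivalent to the service password: refuse
# to start if it is missing or readable by group/other (expect 0600 or 0400).
check_keytab() {
    keytab="$1"
    [ -r "$keytab" ] || { echo "keytab $keytab is not readable" >&2; return 1; }
    mode=$(stat -c '%a' "$keytab" 2>/dev/null || stat -f '%Lp' "$keytab")
    case "$mode" in
        ?00) return 0 ;;
        *) echo "keytab $keytab has mode $mode; expected 0600 or 0400" >&2; return 1 ;;
    esac
}

# Acquire a TGT from the keytab into the private cache and export its
# location so the native GSS library (and thus the resolver) picks it up.
# Fails closed if kinit fails or no valid ticket ends up in the cache.
acquire_tgt() {
    KRB5CCNAME="FILE:$IDP_CCACHE"
    export KRB5CCNAME
    kinit -k -t "$IDP_KEYTAB" "$IDP_PRINCIPAL" || { echo "kinit failed" >&2; return 1; }
    klist -s || { echo "no valid ticket in $KRB5CCNAME" >&2; return 1; }
}

start_tomcat() {
    check_keytab "$IDP_KEYTAB" || return 1
    acquire_tgt || return 1
    JAVA_OPTS="${JAVA_OPTS:-} $(build_java_opts "$CONF_PATH")"
    export JAVA_OPTS
    # Tomcat's own launcher; CATALINA_HOME is assumed.
    exec "${CATALINA_HOME:-/opt/tomcat}/bin/catalina.sh" run
}

# Only start when invoked as "start", so the functions can also be sourced.
if [ "${1:-}" = "start" ]; then
    start_tomcat
fi
```

Because the JVM in native mode only reads the credential cache, the ticket kinit placed there expires on its own (typically after the realm's default lifetime), so something outside the JVM has to renew it, for example re-running the kinit step from cron or a tool such as k5start, unless the platform Kerberos library is configured to pull credentials from a client keytab itself.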