
So I managed to do the authentication with SPNEGO successfully, and get the principal name using the TGT from the KDC. But I'm stuck on how to update the attributes for that user in LDAP by just using the TGT token, the DN (distinguished name) and the principal name.

I'm looking at an example similar to the following:

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

private static void performJndiOperation(String[] args) {

    // Set up environment for creating initial context
    Hashtable<String, String> env = new Hashtable<>(11);

    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

    // Must use fully qualified hostname (the SASL client asks for a ticket for ldap/<that host>)
    env.put(Context.PROVIDER_URL, "ldap://ldap.jnditutorial.org:389/o=JndiTutorial");

    // Request the use of the "GSSAPI" SASL mechanism
    // Authenticate by using already established Kerberos credentials
    env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

    try {
        /* Create initial context (the GSSAPI bind happens here) */
        DirContext ctx = new InitialDirContext(env);

        // do something useful with ctx
        // ...

        // Close the context when we're done
        ctx.close();
    } catch (NamingException e) {
        e.printStackTrace();
    }
}

But I get an invalid-credentials exception:

javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request.)]]

Do you have any idea what I'm doing wrong? Thanks very much for your help.

lou
  • Have you done any research about that error message, such as checking http://stackoverflow.com/questions/16010484/javax-naming-authenticationexception-in-gssapi ? – Samson Scharfrichter Feb 16 '16 at 09:20
  • A couple of debug flags to try (courtesy of https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/secrets.html) => `-Dsun.security.krb5.debug=true` plus `-Dsun.security.spnego.debug=true` plus my personal favorite `-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext` – Samson Scharfrichter Feb 16 '16 at 09:24
  • Yes, I did a lot of research and I had all those flags. I found the problem: it was in Active Directory, because the user didn't have permission to change attributes. I don't know why it was giving an authentication error and not a permission error. But thanks anyway for answering :) – lou Feb 17 '16 at 21:38

1 Answer

Check your krb5.conf for renewable and proxiable and play with the options. It should actually resolve your issue.

Michael-O
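The two things discussed on this page, a GSSAPI bind that then modifies an attribute on the user's entry (the question) and looking at the flags carried by the TGT the SASL client is going to use (what the answer suggests playing with), as one added, complete example. This is not code from the question, the answer, or the JNDI tutorial the snippet above comes from. It assumes the process already holds a TGT in its credential cache (for example from kinit); the LDAP host, target DN, attribute name, attribute value and the JAAS entry name "ldap-client" are all assumptions for illustration.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Bind to LDAP with SASL/GSSAPI from the cached TGT, then replace one attribute on a user entry. */
public class GssapiLdapModify {

    // Assumed values for the example; substitute your own directory, entry and attribute.
    static final String LDAP_URL  = "ldap://dc1.example.com:389";             // FQDN: the SPN is ldap/<this host>
    static final String TARGET_DN = "CN=Jane Doe,OU=Users,DC=example,DC=com";
    static final String ATTRIBUTE = "telephoneNumber";
    static final String NEW_VALUE = "+1 555 0100";                            // constructed sample value

    /** JAAS configuration built in memory: reuse the TGT from the ticket cache, never prompt. */
    static Configuration ticketCacheConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "true");   // take the TGT kinit (or the OS) already obtained
                opts.put("doNotPrompt", "true");      // fail instead of asking for a password
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Step 1: load the cached TGT into a Subject. */
    static Subject loginFromTicketCache() throws LoginException {
        Configuration.setConfiguration(ticketCacheConfig());
        LoginContext lc = new LoginContext("ldap-client");   // name is arbitrary: the config above ignores it
        lc.login();
        return lc.getSubject();
    }

    /** Show the flags on the ticket(s) the login module found; forwardable/proxiable/renewable live here. */
    static String describeTickets(Subject subject) {
        StringBuilder sb = new StringBuilder();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            sb.append(t.getClient().getName()).append(" -> ").append(t.getServer().getName())
              .append(" forwardable=").append(t.isForwardable())
              .append(" proxiable=").append(t.isProxiable())
              .append(" renewable=").append(t.isRenewable())
              .append(" expires=").append(t.getEndTime()).append('\n');
        }
        return sb.toString();
    }

    /** Step 2: GSSAPI bind. A Kerberos or SASL problem surfaces here, before any LDAP operation. */
    static DirContext bindWithGssapi() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");              // sign and seal the LDAP session
        env.put("javax.security.sasl.server.authentication", "true"); // require mutual authentication
        return new InitialDirContext(env);
    }

    /** Step 3: replace one attribute. A directory ACL problem surfaces here as NoPermissionException. */
    static void replaceAttribute(DirContext ctx, String dn, String attr, String value) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute(attr, value))
        };
        ctx.modifyAttributes(dn, mods);
    }

    public static void main(String[] args) throws Exception {
        Subject subject = loginFromTicketCache();
        System.out.print(describeTickets(subject));
        // Run the JNDI work as that principal so the SASL/GSSAPI client can find its credentials.
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            DirContext ctx = null;
            try {
                ctx = bindWithGssapi();
                replaceAttribute(ctx, TARGET_DN, ATTRIBUTE, NEW_VALUE);
                System.out.println("updated " + ATTRIBUTE + " on " + TARGET_DN);
            } catch (AuthenticationException e) {
                System.err.println("bind rejected (LDAP result 49 / GSS failure): " + e.getMessage());
            } catch (NoPermissionException e) {
                System.err.println("bound, but no write access (LDAP result 50): " + e.getMessage());
            } finally {
                if (ctx != null) ctx.close();
            }
            return null;
        });
    }
}
```

Running it with `-Dsun.security.krb5.debug=true` (one of the flags from the comments above) prints the TGS-REQ the SASL client sends for `ldap/dc1.example.com` next to the flags `describeTickets` reports for the cached TGT. Keeping the bind (`bindWithGssapi`) and the write (`replaceAttribute`) in separate calls is what separates the two failure modes: a ticket or SASL problem is thrown from `new InitialDirContext` as `AuthenticationException`, while a user that binds fine but lacks write rights on the entry gets `NoPermissionException` from `modifyAttributes`.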