
I am working on a Java web application where the application should impersonate the user when interacting with other applications. Since no authorisation is applied to the particular application itself, that this delegation mechanism works properly is paramount. The authentication mechanism used is Kerberos.

I would like to be able to run an embedded KDC with JUnit to verify various authentication aspects. I am trying to use ApacheDS - there were some examples a few years ago on how to do this with LDAP, and I followed the example here to get started. Following the linked example, I can't make step 1 work when I run this smoke test:

import org.apache.directory.server.annotations.CreateKdcServer;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(FrameworkRunner.class)
@CreateDS(name = "KerberosTcpITest",
    partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com")},
    additionalInterceptors = {KeyDerivationInterceptor.class})
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
@CreateKdcServer(transports = {@CreateTransport(protocol = "TCP", port = 6086)})
@ApplyLdifFiles("example.ldif")
public class EmbeddedKerberos101 {

  // Empty test: the class only has to bring up the embedded directory and KDC
  @Test
  public void test() {
  }

}

I get an error trying to locate an LDIF file schema/ou=schema/cn=apachedns/ou=objectclasses/m-oid=1.3.6.1.4.1.18060.0.4.2.3.9.ldif, which looks like my @ApplyLdifFiles annotation is being ignored, and a default is being reverted to.

The stack trace is:

org.apache.directory.api.ldap.schema.extractor.UniqueResourceException: Problem locating LDIF file in schema repository
 Multiple copies of resource named 'schema/ou=schema/cn=apachedns/ou=objectclasses/m-oid=1.3.6.1.4.1.18060.0.4.2.3.9.ldif' located on classpath at urls
jar:file:/Users/*/.m2/repository/org/apache/directory/api/api-ldap-schema-data/1.0.0-RC1/api-ldap-schema-data-1.0.0-RC1.jar!/schema/ou%3dschema/cn%3dapachedns/ou%3dobjectclasses/m-oid%3d1.3.6.1.4.1.18060.0.4.2.3.9.ldif
jar:file:/Users/*/.m2/repository/org/apache/directory/server/apacheds-all/2.0.0-M15/apacheds-all-2.0.0-M15.jar!/schema/ou%3dschema/cn%3dapachedns/ou%3dobjectclasses/m-oid%3d1.3.6.1.4.1.18060.0.4.2.3.9.ldif

at org.apache.directory.api.ldap.schema.extractor.impl.DefaultSchemaLdifExtractor.getUniqueResource(DefaultSchemaLdifExtractor.java:358)
at org.apache.directory.api.ldap.schema.extractor.impl.DefaultSchemaLdifExtractor.getUniqueResourceAsStream(DefaultSchemaLdifExtractor.java:335)
at org.apache.directory.api.ldap.schema.extractor.impl.DefaultSchemaLdifExtractor.extractFromClassLoader(DefaultSchemaLdifExtractor.java:373)
at org.apache.directory.api.ldap.schema.extractor.impl.DefaultSchemaLdifExtractor.extractOrCopy(DefaultSchemaLdifExtractor.java:165)
at org.apache.directory.api.ldap.schema.extractor.impl.DefaultSchemaLdifExtractor.extractOrCopy(DefaultSchemaLdifExtractor.java:185)
at org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory.initSchema(DefaultDirectoryServiceFactory.java:172)
at org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory.build(DefaultDirectoryServiceFactory.java:256)
at org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory.init(DefaultDirectoryServiceFactory.java:125)
at org.apache.directory.server.core.factory.DSAnnotationProcessor.createDS(DSAnnotationProcessor.java:96)
at org.apache.directory.server.core.factory.DSAnnotationProcessor.getDirectoryService(DSAnnotationProcessor.java:328)
at org.apache.directory.server.core.integ.FrameworkRunner.run(FrameworkRunner.java:109)

In my test resources I have krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
  kdc = localhost:6088
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[login]
krb4_convert = true
krb4_get_tickets = false

and example.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

Is there a reason why the smoke test doesn't start up? Is there a plug-and-play alternative to get a mock KDC up and running in my authentication-focussed unit/local integration tests? How are other developers testing that their credential delegation mechanisms are working?


1 Answer


Try to exclude the org.apache.directory.api:api-ldap-schema-data from your apacheds dependencies.
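As an added example, not part of the answer or the question, this is what that exclusion looks like in a Maven pom.xml. It assumes the project declares apacheds-all 2.0.0-M15 directly, which is what the jar path in the stack trace suggests; the artifact that actually drags in api-ldap-schema-data 1.0.0-RC1 may be a different apacheds module (for instance the one providing FrameworkRunner), in which case the same exclusion block has to be repeated on that dependency too.

```xml
<!-- Added example: one apacheds dependency with the schema-data artifact excluded.
     The version is the one visible in the question's stack trace; the other
     apacheds artifacts in the project are an assumption and are not shown. -->
<dependency>
  <groupId>org.apache.directory.server</groupId>
  <artifactId>apacheds-all</artifactId>
  <version>2.0.0-M15</version>
  <scope>test</scope>
  <exclusions>
    <!-- apacheds-all already bundles schema/ou=schema/... LDIF resources;
         a second copy from this artifact triggers UniqueResourceException -->
    <exclusion>
      <groupId>org.apache.directory.api</groupId>
      <artifactId>api-ldap-schema-data</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

After editing the pom, `mvn dependency:tree -Dincludes=org.apache.directory.api:api-ldap-schema-data` lists every remaining path that still pulls the artifact onto the classpath; the schema extractor stops throwing once exactly one jar on the test classpath carries the schema LDIF files.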

knopfi