
I'm trying to connect to an LDAP server using SASL. I'm connecting using the URL ldaps://ldap.example.com, but the server hostname is host.example.com; ldap.example.com is a CNAME for host.example.com. My program is trying to get a service ticket for ldap/ldap.example.com instead of performing a reverse DNS request and getting a ticket for ldap/host.example.com. Everything works fine when I'm using ldap://host.example.com, but I prefer to use the service CNAME.

Here is my code for creating the connection factory:

// imports assumed for ldaptive 1.x, which these class names match
import org.ldaptive.BindConnectionInitializer;
import org.ldaptive.ConnectionConfig;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.sasl.Mechanism;
import org.ldaptive.sasl.SaslConfig;

public DefaultConnectionFactory connectionFactory(){
    return new DefaultConnectionFactory(connectionConfig());
}

private ConnectionConfig connectionConfig(){
    // GSSAPI bind; the SASL client builds the service principal from the URL host
    final SaslConfig saslConfig = new SaslConfig();
    saslConfig.setMechanism(Mechanism.GSSAPI);

    // perform the SASL bind as soon as the connection is opened
    final BindConnectionInitializer connectionInitializer = new BindConnectionInitializer();
    connectionInitializer.setBindSaslConfig(saslConfig);

    // the alias, not the canonical host, is what ends up in the requested SPN
    ConnectionConfig connConfig = new ConnectionConfig("ldaps://ldap.example.com");
    connConfig.setConnectionInitializer(connectionInitializer);
    return connConfig;
}

and jaas.config:

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    keyTab="/etc/ldap.keytab"
    principal="ldap@EXAMPLE.COM"
    storeKey=true
    useKeyTab=true
    debug=true
    ;
};

Is there any way to change this behavior?


1 Answer

You should request a new certificate with ldap.example.com as the subject name and with host.example.com as a subject alternative name. The certificate negotiation is handled right before Kerberos.

A couple more suggestions:

  1. All SPNs should be defined in your KDC:

     LDAP/ldap.example.com
     LDAP/host.example.com

  2. Both of these A records should be set in DNS. Avoid use of CNAMEs; while it might be OK at any given time, different browser versions and future updates could cause inconsistent behavior:

     ldap.example.com
     host.example.com

  3. The principal in jaas.config and the keytab should match. You have:

     principal="ldap@EXAMPLE.COM"

     I suggest it should be: principal="ldap/host.example.com";

  4. Finally, ldap/host.example.com should be defined as the SPN in your keytab. If it is not, it might be OK, as long as you either (1) add it as an additional SPN in the keytab: How do you add multiple SPNs to the same keytab file for Spnego or Kerberos Configuration? or (2) see Setspn if you are using Active Directory and your application server supports it.

See further reading on GSSAPI.

  • Thanks for your answer, but I'm not sure if you understood me correctly. `ldap.example.com` is a CNAME for `host.example.com` (according to your answer I shouldn't, and I think that is the case) and `ldap@EXAMPLE.COM` is my client principal that has permissions in LDAP. What's more, everything works fine when I'm using `ldap://host.example.com`, but I have only ldap.example.com set in my TLS certificate. – maxmati Feb 18 '17 at 23:42
  • I updated my answer with a statement about the certificate angle to this, as I see you made a couple of edits to your question. That should resolve this. I would take into consideration the rest of my post regarding SPNs as a "Best Practice". – T-Heron Feb 19 '17 at 00:00
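The thread turns on one fact: the Java GSSAPI SASL client asks the KDC for ldap/<host as written in the URL> and does not canonicalise the alias through DNS, so either the server keytab must carry the alias SPN as well, or the client must use the canonical host and the certificate must then cover it. The pre-flight check below is an added example, not code from the question, the answer or ldaptive. It computes the SPN the client will request, chases the CNAME to the canonical host, checks the keytab entry list and the certificate SANs, and lists what is missing. The CNAME map, keytab entries and SAN list used in the demo are constructed; the system resolver is only consulted when no map is supplied.

```python
"""Pre-flight check for a Kerberos (GSSAPI) LDAP bind through a DNS alias.

Added example; not from the original thread. Models the observed client
behaviour: SPN = ldap/<URL host>, with no reverse-DNS canonicalisation.
"""
import socket
from urllib.parse import urlsplit


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


def spn_for_url(ldap_url: str, service: str = "ldap") -> str:
    """SPN the Java GSSAPI client requests: service/<host exactly as in the URL>."""
    host = urlsplit(ldap_url).hostname
    if not host:
        raise ValueError(f"no host in {ldap_url!r}")
    return f"{service}/{_norm(host)}"


def canonical_host(host: str, cname_map=None) -> str:
    """Follow the CNAME chain to the canonical name.

    cname_map is a constructed {alias: target} dict for offline use; with
    None the system resolver is used (getaddrinfo already chases CNAMEs).
    """
    host = _norm(host)
    if cname_map is None:
        return _norm(socket.gethostbyname_ex(host)[0])
    seen = set()
    while host in cname_map:
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        host = _norm(cname_map[host])
    return host


def san_covers(host: str, sans) -> bool:
    """RFC 6125 style dNSName match: exact, or one wildcard in the left-most label."""
    host = _norm(host)
    for san in sans:
        san = _norm(san)
        if san == host:
            return True
        if (san.startswith("*.") and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False


def preflight(ldap_url: str, keytab_spns, sans, cname_map=None) -> dict:
    """Report whether the bind in the thread can succeed and why not."""
    url_host = _norm(urlsplit(ldap_url).hostname)
    requested = spn_for_url(ldap_url)
    canon = canonical_host(url_host, cname_map)
    canonical_spn = f"ldap/{canon}"
    # keytab entries carry a realm (ldap/host@REALM); compare the principal part.
    # Comparison is case-insensitive here, but MIT Kerberos principals are
    # case-sensitive, so register the exact form the client sends (lowercase ldap/).
    keytab = {s.split("@", 1)[0].lower() for s in keytab_spns}
    problems = []
    if requested not in keytab:
        problems.append(
            f"server keytab lacks {requested}: add that SPN to the server "
            f"principal (kadmin ktadd / setspn -A) or connect to ldaps://{canon}")
    if not san_covers(url_host, sans):
        problems.append(f"certificate SANs do not cover {url_host}")
    return {
        "requested_spn": requested,
        "canonical_spn": canonical_spn,
        "is_alias": canon != url_host,
        "spn_in_keytab": requested in keytab,
        "tls_ok": san_covers(url_host, sans),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed data mirroring the question: alias -> canonical host,
    # keytab with only the canonical SPN, certificate issued for the alias.
    demo_cnames = {"ldap.example.com": "host.example.com"}
    demo_keytab = ["ldap/host.example.com@EXAMPLE.COM"]
    demo_sans = ["ldap.example.com"]
    for url in ("ldaps://ldap.example.com", "ldap://host.example.com"):
        report = preflight(url, demo_keytab, demo_sans, demo_cnames)
        print(url)
        for k, v in report.items():
            print(f"  {k}: {v}")
```

Run against real infrastructure by passing `cname_map=None`, the output of `klist -k` for the server keytab, and the dNSName SANs from `openssl x509 -noout -ext subjectAltName`. For the question's setup it reports that ldap/ldap.example.com is absent from the keytab while the certificate covers only the alias, which is exactly why each URL fails on a different layer.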