Is there a possible way to create LdapContext using keytab file instead of directly providing credentials? So let's assume that I currently have such piece of code

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

Hashtable<String,String> env=new Hashtable<String,String>();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL,LDAP_PROVIDER_URL);
// "simple" bind: the principal and password themselves are sent to the server
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,LDAP_PRINCIPAL);
env.put(Context.SECURITY_CREDENTIALS,LDAP_CREDENTIALS);
LdapContext ctx = new InitialLdapContext(env,null);

So as you can see I specify username and password manually. So what's the proper way to specify keytab file instead?

Michael-O
Alexey

2 Answers


Yes, you can, and this works very well. Have a look at my DirContextSource library; it will do all the hard work for you:

DirContextSource.Builder builder = new DirContextSource.Builder("ldap://hostname");
builder.gssApiAuth("MyAlternativeEntryName");
DirContextSource contextSource = builder.build();
// try and catch block omitted for the sake of brevity,
// handle NamingException appropriately
DirContext context = contextSource.getDirContext();
// Perform operations
context.close();

Make sure that you have a login.conf configured with the entry MyAlternativeEntryName which looks like:

MyAlternativeEntryName {
        com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
        principal="myprincipal@EXAMPLE.COM"
        useKeyTab=true keyTab="/path/to/krb5.keytab" storeKey=true;
};
Michael-O
  • Thanks, I already went for this kind of approach and it also worked without manually creating GSSCredential inside subject, but good to know the advanced way – Alexey Jan 31 '18 at 10:24
  • @T-Heron Thanks, my workload was/is so horrible that most of my side activities came really short. – Michael-O Jan 31 '18 at 14:26
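The same keytab-based bind written with plain JNDI and JAAS, without the DirContextSource library, as an added example that is not part of the answer above: a Krb5LoginModule login via the login.conf entry MyAlternativeEntryName obtains the ticket from the keytab, and the LDAP connection then authenticates with SASL/GSSAPI inside Subject.doAs. The LDAP URL and the class name are assumptions.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KeytabLdapBind {
    // Assumed values; replace with your own server and JAAS entry name.
    static final String LDAP_URL = "ldap://ldap.example.com:389";
    static final String JAAS_ENTRY = "MyAlternativeEntryName";

    public static LdapContext connect() throws LoginException, NamingException {
        // Krb5LoginModule reads the keytab named in login.conf (useKeyTab=true,
        // doNotPrompt=true), so this code never handles a password.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();
        try {
            // Run the JNDI bind as the Kerberos-authenticated subject.
            return Subject.doAs(subject, (PrivilegedExceptionAction<LdapContext>) () -> {
                Hashtable<String, String> env = new Hashtable<>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, LDAP_URL);
                // SASL/GSSAPI instead of "simple": the ticket from the subject is used,
                // so SECURITY_PRINCIPAL and SECURITY_CREDENTIALS are not set at all.
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                // Ask for integrity and confidentiality on the SASL layer.
                env.put("javax.security.sasl.qop", "auth-conf");
                return new InitialLdapContext(env, null);
            });
        } catch (PrivilegedActionException e) {
            // The action only throws NamingException, so the wrapped cause is one.
            throw (NamingException) e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        LdapContext ctx = connect();
        try {
            System.out.println("Bound via GSSAPI; root DSE: " + ctx.getAttributes(""));
        } finally {
            ctx.close();
        }
    }
}
```

Run with -Djava.security.auth.login.config=/path/to/login.conf so the LoginContext finds the entry; the keytab file itself should be readable only by the service account that runs this code.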

In short, it is not possible to do this - authorization is done by LDAP while the keytab handles authentication. One can only create an LdapContext using LDAP-based methods. Keytabs and their invocation as a method and context fall under the Kerberos protocol, which is a different protocol. While both are commonly used together on the major directory service systems on the market today (such as Active Directory, OpenLDAP, Red Hat IDM), you can't overlap in terms of having an LdapContext use a keytab. Keytabs are commonly used in authentication methods, while authorization methods more typically fall under LDAP (groups or attributes). If you want to use a keytab file for Java-based authentication, take a look at this: Creating a keytab for java clients

John R Smith