
Here is my problem: I can't find any document on cross-domain authentication with Java + Kerberos. I have to authenticate against a distant LDAP in another realm. How can we do that in Java?

Thank you

EDIT:

Here is my krb5.conf:

    [libdefaults]
        default_realm = REALM1
        dns_lookup_realm = false
        dns_lookup_kdc = false
        forwardable = true

    [realms]
        REALM1 = {
            kdc = kerberos.my.url.domain1:88
            admin_server = kerberos.my.url.domain1:749
            default_domain = .
        }

        REALM2 = {
            kdc = kerberos.my.url.domain2:88
            admin_server = kerberos.my.url.domain2:749
        }

    [domain_realm]
        .my.url.domain1 = REALM1
        .my.url.domain2 = REALM2

Cross-realm works on the command line when I execute the following on domain1:

    ldapsearch -H "ldap:/my.url.domain2"

so I suppose my krb5.conf is good.

BigMac
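As an added example (not part of the question or its author's file), here is the same krb5.conf with an explicit [capaths] section describing the REALM1 <-> REALM2 trust path and with exact-host [domain_realm] entries alongside the wildcard ones. The realm names and KDC hosts are the question's; the bare-host mappings and the direct (no intermediate realm) trust path are assumptions about the deployment.

```ini
[libdefaults]
    default_realm = REALM1
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true

[realms]
    REALM1 = {
        kdc = kerberos.my.url.domain1:88
        admin_server = kerberos.my.url.domain1:749
    }
    REALM2 = {
        kdc = kerberos.my.url.domain2:88
        admin_server = kerberos.my.url.domain2:749
    }

[domain_realm]
    ; a leading dot matches hosts *below* the domain, not the domain name itself
    .my.url.domain1 = REALM1
    my.url.domain1  = REALM1   ; assumption: the bare name is also a host
    .my.url.domain2 = REALM2
    my.url.domain2  = REALM2   ; assumption: the bare name is also a host

[capaths]
    ; assumption: direct cross-realm keys exist, no intermediate realm
    REALM1 = {
        REALM2 = .
    }
    REALM2 = {
        REALM1 = .
    }
```

Two things worth checking against a setup like this one. First, the [domain_realm] rule: `.my.url.domain2` maps `ldap.my.url.domain2`, but not a URL whose host is exactly `my.url.domain2`; a host that maps to no realm falls back to `default_realm`, so the client would then ask REALM1's KDC for `ldap/my.url.domain2@REALM1`, which does not exist. Second, [capaths]: both MIT Kerberos and the Java Kerberos client consult it when present to decide which `krbtgt/REALM2@REALM1` tickets to request, so spelling the path out removes any dependence on hierarchical realm-name guessing.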

1 Answer

Authenticating against an LDAP is not the same as authenticating with Kerberos.
Could you give some more background on what it is you need to accomplish? For example:

  • are you writing client code that needs to respond to a Kerberos authentication challenge?
  • does your code need to validate a user + password against an LDAP?
Opher
  • Thank you Opher for your answer. I meant that I have to retrieve a ticket from the distant KDC, located in REALM2, in order to access the LDAP also located in REALM2. I can authenticate in REALM1 to access the local REALM1 LDAP but can't manage to do cross-domain authentication! – BigMac Feb 08 '11 at 13:39
  • can you post your _keytab_ and _krb5.conf/ini_ files, changing names and IPs as needed :) – Opher Feb 09 '11 at 08:09
  • I edited my post. Currently I use JAAS + JNDI in order to contact the local LDAP. If I change the LDAP URL to "ldap:/my.url.domain2" it doesn't work. I suppose I have to tell JAAS to use the forwarded ticket in order to retrieve the cross-realm ticket krbtgt/REALM2@REALM1 and then use it to contact the LDAP on domain2. But I don't know how I can do that. Thank you Opher. – BigMac Feb 09 '11 at 16:15
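The JAAS + JNDI approach the comments describe, written out as an added example (this is not the poster's code nor anything from the thread). It logs in to REALM1 with `Krb5LoginModule` from a keytab, then opens a JNDI connection to an LDAP server in REALM2 with SASL GSSAPI inside `Subject.doAs`. Nothing in the code asks for `krbtgt/REALM2@REALM1` by hand: the Java Kerberos client requests the cross-realm TGT and then `ldap/<host>@REALM2` itself, steered by the krb5.conf the JVM is pointed at. The LDAP host `ldap.my.url.domain2`, the base DN, the krb5.conf path, the keytab/principal arguments and the class name are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/**
 * Cross-realm LDAP bind from Java: authenticate to REALM1 via JAAS, then
 * talk SASL/GSSAPI to an LDAP server whose host maps to REALM2.
 */
public class CrossRealmLdap {

    // Assumed names: an LDAP host under .my.url.domain2 (so [domain_realm]
    // maps it to REALM2) and a base DN in that directory.
    static final String LDAP_URL = "ldap://ldap.my.url.domain2:389";
    static final String BASE_DN  = "dc=my,dc=url,dc=domain2";

    /** In-memory JAAS configuration, equivalent to one jaas.conf entry. */
    static Configuration jaasConfig(final String keytab, final String principal) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytab);
                opts.put("principal", principal);     // e.g. user@REALM1
                opts.put("storeKey", "true");
                opts.put("doNotPrompt", "true");
                opts.put("isInitiator", "true");
                opts.put("refreshKrb5Config", "true"); // re-read krb5.conf on each login
                opts.put("debug", "true");             // prints the AS/TGS exchanges
                // To reuse a kinit'ed cache instead: useTicketCache=true and drop the keytab options.
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Counts person entries in the REALM2 directory; runs under the logged-in Subject. */
    static int countPersons(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");          // SASL bind, not "simple"
            env.put("javax.security.sasl.qop", "auth-conf");             // integrity + confidentiality
            env.put("javax.security.sasl.server.authentication", "true"); // mutual authentication

            // Here the Kerberos client obtains krbtgt/REALM2@REALM1 from REALM1's KDC
            // and then ldap/ldap.my.url.domain2@REALM2 from REALM2's KDC.
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_DN, "(objectClass=person)", sc);
                int n = 0;
                while (results.hasMore()) { results.next(); n++; }
                return n;
            } finally {
                ctx.close();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: CrossRealmLdap <keytab> <principal@REALM1>");
            System.exit(2);
        }
        // Assumed location of the krb5.conf shown in the question.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");

        Configuration.setConfiguration(jaasConfig(args[0], args[1]));
        LoginContext lc = new LoginContext("CrossRealmLdap"); // entry name is ignored by our Configuration
        lc.login();                                            // AS exchange with REALM1's KDC
        try {
            System.out.println("person entries in REALM2 directory: " + countPersons(lc.getSubject()));
        } finally {
            lc.logout();
        }
    }
}
```

Two caveats that decide whether the second TGS request goes to the right place. The GSSAPI SASL client names the target as `ldap@<host from the URL>`, and the Java Kerberos client derives the realm for that host from [domain_realm] (after possibly canonicalising the host through DNS), falling back to `default_realm` when nothing matches; so a URL whose host does not map to REALM2 makes the client ask REALM1's KDC for `ldap/<host>@REALM1` and the bind fails with an unknown-principal error, not a cross-realm one. And the `sun.security.krb5.debug` output is the quickest way to see which principal was requested from which KDC: the expected sequence is a `krbtgt/REALM1@REALM1` AS reply, a `krbtgt/REALM2@REALM1` TGS request to domain1, then an `ldap/…@REALM2` TGS request to domain2.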