掌握整个流程时遇到一些问题。 我正在尝试完成所有强大的kerberos SSO集成,其中auth用户信息直接从Windows中选取。
我正在使用:
我对整个流程的理解是,在这样的高层次上:
我正在尝试使用apacheds 2来搜索LDAP部分。
问题(1):我的理解是否正确?这通常是以不同的方式完成的吗? (也许使用spnego直接获取我需要的所有信息?)
现在,我正在尝试使用apacheds在后端登录LDAP,通过kerberos登录,以便检索用户信息,如下所示:
System.setProperty("sun.security.krb5.debug", "true");
LdapConnectionConfig config = new LdapConnectionConfig();
config.setLdapHost("example.com");
config.setLdapPort(389);
config.setName("a_valid_username");
config.setCredentials("the_correct_password");
LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);
SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
saslGssApiRequest.setRealmName("EXAMPLE.COM");
saslGssApiRequest.setKdcHost("example.com");
System.setProperty("java.security.auth.login.config", "C:\\workspace\\kerberos_stuff\\login.conf");
saslGssApiRequest.setLoginModuleConfiguration( Configuration.getConfiguration() );
saslGssApiRequest.setLoginContextName("spnego-client");
saslGssApiRequest.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");
saslGssApiRequest.setMutualAuthentication(false);
saslGssApiRequest.setUsername("a_valid_username");
saslGssApiRequest.setCredentials("the_correct_password");
ldapNetworkConnection.connect();
ldapNetworkConnection.bind(saslGssApiRequest);
我收到此错误:
KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1537)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3902)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
我的问题是:
Q2:我认为ldap + kerberos是一个非常常用的组合;我也认为apacheds是一个常用的库(如果没有,你会用什么人?)。但是,尽可能尝试,我实际上并没有通过apached找到Kerberos的任何示例代码来访问ldap。我通过apacheds找到了大量有关ldap客户端的信息,但没有使用kerberos身份验证。这通常表明我做错了什么,或者我抓住了这个错误的一端(向错误的方向走)。这有什么想法吗?
问题3:SaslGssApiRequest似乎是LdapNetworkConnection用于通过kerberos访问ldap的确切方式(就我所说的apached而言)。但是,在Google上仅对此类名称进行快速搜索会显示零有用信息(例如有关如何使用它的文档)。是否有另一种更简单的方法来实现我的目标,通过使用apacheds(我意味着客户端)但没有SaslGssApiRequest?
问题4:为什么我的上述代码无效?请注意,如果我更改用户或传递给无效的东西(我目前正在使用我的常规XP用户用户/传递登录到ldap),我会得到完全相同的错误。是否需要在ldap的服务主体名称中指定某个地方(即使我已经指定了主机/端口)?如果是这样,在哪里?
P.S。我的login.conf和krb5.ini文件与我在已经运行的spnego示例中使用的文件完全相同,因此它们应该是正确的。
答案 0 :(得分:0)
如果有人有兴趣,我发现了问题。
似乎apacheds在使用SaslGssApiRequest时,它使用config.setLdapHost(“example.com”)中的主机名构建服务的主体名称;
虽然在我的设置中,ldap.example.com和example.com指向同一台计算机,但我的LDAP服务主体名称是LDAP / ldap.example.com,但是apached会尝试查找LDAP / example.com。
更改
config.setLdapHost( “example.com”);
到
config.setLdapHost( “ldap.example.com”);
解决了我的问题。