1 vote

I have a Tomcat configuration that uses Kerberos 5 to authenticate the user against an AD server and then uses LDAP to obtain roles for authorization against a security-constraint.

server.xml has this:

<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="vt-ldap"
       userClassNames="edu.vt.middleware.ldap.jaas.LdapPrincipal"
       roleClassNames="edu.vt.middleware.ldap.jaas.LdapRole"/>

and the jaas config file has this:

vt-ldap {
   com.sun.security.auth.module.Krb5LoginModule required
     storePass="true"
     debug="true";

   edu.vt.middleware.ldap.jaas.LdapDnAuthorizationModule required
     serviceUser="CN=LIM User,OU=LIMGenericAccounts,DC=lim,DC=com"
     serviceCredential="password"
     useFirstPass="true"
     setLdapPrincipal="true"
     setLdapDnPrincipal="true"
     tls="false"
     subtreeSearch="true"
     logCredentials="true"
     storePass="true"
     ldapUrl="ldap://auswa01.lim.com:389"
     base="ou=LIMUsers,dc=lim,dc=com"
     userField="sAMAccountName";

   edu.vt.middleware.ldap.jaas.LdapRoleAuthorizationModule required
     serviceUser="CN=LIM User,OU=LIMGenericAccounts,DC=lim,DC=com"
     serviceCredential="password"
     useFirstPass="true"
     setLdapPrincipal="true"
     setLdapDnPrincipal="true"
     tls="false"
     subtreeSearch="true"
     logCredentials="true"
     storePass="true"
     ldapUrl="ldap://auswa01.lim.com:389"
     base="ou=LIMGroups,dc=lim,dc=com"
     roleFilter="(member={0})"
     roleAttribute="sAMAccountName";
};

The Kerberos authentication works great. But in the subsequent phases (obtaining the roles from LDAP used for authorization) the serviceCredential (password) is passed on the LAN in clear text.

Is there any way to avoid sending the password in clear text? Perhaps there is a way to access LDAP to obtain roles using the Kerberos ticket instead of the serviceUser/serviceCredential info (?)...

Anyone?

Comment (2 votes), by Terry Gardner:

Passwords should always be sent in clear text to a directory server. If the passwords are not in clear text, then the directory server is not able to perform basic password quality checks as defined by the password policies. Connections to directory servers should always use TLS, at the very least for the BIND operation.

2 Answers

1 vote

I have checked the Virginia Tech code and it won't do. You have to use or reuse the Kerberos ticket you are given and authenticate against your directory with it. The Virginia Tech code seems to support that. It does simple bind, which is the worst you can do. If you have Kerberos, you don't need SSL at all. You can request Kerberos to encrypt the entire communication.

0
votes

That is why you use LDAP over SSL. Then the password is clear inside the LDAP packet, but encrypted before hitting the wire.
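Added illustration of the two approaches the answers describe, written against the plain JNDI LDAP provider; this is not code from the question, from either answer, or from the vt-ldap project. The first method does what the first answer suggests: a SASL GSSAPI bind that reuses the Kerberos ticket already in the JAAS Subject and asks for the "auth-conf" quality of protection, so the session key encrypts every LDAP PDU and no service password is ever sent. The second method does what the second answer suggests: the same simple bind as the question's configuration, but over LDAPS, so the password is clear inside the BindRequest and encrypted on the wire. The host, search base, filter and role attribute are taken from the question's JAAS config; the LDAPS URL on port 636, the JAAS entry name `krb5-client` (a Krb5LoginModule-only entry using a ticket cache or keytab), and the user DN in the usage comment are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class KerberosLdapRoles {

    // Taken from the question's JAAS configuration.
    static final String LDAP_URL  = "ldap://auswa01.lim.com:389";
    static final String ROLE_BASE = "ou=LIMGroups,dc=lim,dc=com";
    static final String ROLE_ATTR = "sAMAccountName";
    // Assumed: the same host offering LDAPS on the standard port.
    static final String LDAPS_URL = "ldaps://auswa01.lim.com:636";

    /** First answer's approach: GSSAPI bind with the Kerberos ticket held by the Subject,
     *  requiring confidentiality so the whole LDAP exchange is sealed by the session key. */
    static List<String> rolesViaKerberos(Subject subject, String userDn) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<List<String>>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // "auth-conf" = encrypt; "auth-int" would only sign; "auth" would leave the
            // searches after the bind in clear text. Refuse to negotiate anything weaker.
            env.put("javax.security.sasl.qop", "auth-conf");
            env.put("javax.security.sasl.strength", "high");
            // Mutual authentication: the directory must prove its identity too.
            env.put("javax.security.sasl.server.authentication", "true");
            DirContext ctx = new InitialDirContext(env);
            try {
                return searchRoles(ctx, userDn);
            } finally {
                ctx.close();
            }
        });
    }

    /** Second answer's approach: keep the simple bind with the service account,
     *  but run it inside TLS so the password only travels encrypted. */
    static List<String> rolesViaLdaps(String serviceDn, char[] servicePassword, String userDn)
            throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        DirContext ctx = new InitialDirContext(env);
        try {
            return searchRoles(ctx, userDn);
        } finally {
            ctx.close();
        }
    }

    /** The role lookup from the question: subtree search under ou=LIMGroups for groups
     *  whose member attribute contains the user's DN, returning their sAMAccountName. */
    static List<String> searchRoles(DirContext ctx, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);       // subtreeSearch="true"
        sc.setReturningAttributes(new String[] { ROLE_ATTR });
        // The DN is passed as a filter argument so JNDI escapes it, never concatenated.
        NamingEnumeration<SearchResult> results =
                ctx.search(ROLE_BASE, "(member={0})", new Object[] { userDn }, sc);
        List<String> roles = new ArrayList<>();
        while (results.hasMore()) {
            Attribute a = results.next().getAttributes().get(ROLE_ATTR);
            if (a != null) {
                roles.add((String) a.get());
            }
        }
        return roles;
    }

    // Usage (assumed JAAS entry "krb5-client" and an illustrative user DN):
    //   java -Djava.security.auth.login.config=jaas.conf KerberosLdapRoles \
    //        "CN=Some User,OU=LIMUsers,DC=lim,DC=com"
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("krb5-client");   // Krb5LoginModule only
        lc.login();
        try {
            for (String role : rolesViaKerberos(lc.getSubject(), args[0])) {
                System.out.println(role);
            }
        } finally {
            lc.logout();
        }
    }
}
```

Inside Tomcat the Subject would be the one the JAASRealm already built from Krb5LoginModule, so the GSSAPI variant needs no serviceUser or serviceCredential at all; the LDAPS variant keeps those two values but removes them from the wire. Either way, leave tls="false" and logCredentials="true" out of a production configuration.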