2
votes

We use LDAP to authenticate and authorize users on a tomcat server, but now need to remove the passwords from LDAP and switch over to kerberos authentication.

Now we would like to authenticate the users using kerberos (works already fine) and on success, retrieve the assigned roles for the logged in user from the LDAP DB.

My naive hope would be to use e.g. a simple self-made realm and/or WSDLs security-constraint/-roles mechanisms to a) authenticate using the JAAS realm and on success b) pass over to the JNDI realm to retrieve the roles from the LDAP DB for the authenticated user.

I could find many fragments for some of the needed steps (retrieve roles, simple home-made realms, …), but no easy-to-follow example, and I'm still not sure if this approach is appropriate at all (especially since I'm pretty new to this topic(s)!).

1
What is your Tomcat version? Are you on Active Directory? I have fully written code for that: SpnegoAuthenticator and ActiveDirectoryRealm. I do plan to release that as open source on sf.net. - Michael-O
Michael-O: Tomcat 7.0.26. I'm not using Active Directory but openldap (2.4.28). I guess one might be able to adjust your code to also work with OpenLDAP instead of Active Directory - right? Any help/code snippet would be welcome! - user2118833
The SpnegoAuthenticator will be the same, but the user search and group retrieval must be changed. Does your OpenLDAP installation support the GSS-API SASL mech? - Michael-O
Yes, it should at least be possible to add on easily! - user2118833
Great, please contact me through SF.net. - Michael-O

1 Answer

0
votes

Just to round up this thread. Found a nice solution named ldaptive (see http://www.ldaptive.org/). Here I can specify exactly a Kerberos login module (com.sun.security.auth.module.Krb5LoginModule) and LDAP for authorisation (org.ldaptive.jaas.LdapRoleAuthorizationModule). We have now been running with this module for a long time and it simply works flawlessly!
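The setup the answer describes, written out as a JAAS login configuration (an added, constructed example, not the answerer's own file): the Kerberos module authenticates the password against the KDC, then the ldaptive module reads roles from OpenLDAP. The entry name, host, base DN and filter are assumptions, and the ldaptive option names and the `{user}` placeholder are taken from the ldaptive JAAS documentation as remembered, so check them against the ldaptive version you deploy.

```conf
// jaas.conf - constructed example; the entry name "TomcatKrbLdap" is an assumption
TomcatKrbLdap {
    // Step 1: authentication. Tomcat's JAASRealm hands the collected
    // user name and password to this module, which validates them
    // against the KDC. No password lives in LDAP any more.
    com.sun.security.auth.module.Krb5LoginModule required;

    // Step 2: authorisation. On success, look up the groups of the
    // authenticated principal in OpenLDAP and add them as role
    // principals (org.ldaptive.jaas.LdapRole) to the Subject.
    // {user} is replaced with the authenticated user name; if the
    // Kerberos principal carries "@REALM", the memberUid values must
    // match that form (assumption: adjust the filter to your schema).
    org.ldaptive.jaas.LdapRoleAuthorizationModule required
        ldapUrl="ldap://ldap.example.org:389"
        baseDn="ou=groups,dc=example,dc=org"
        roleFilter="(memberUid={user})"
        roleAttribute="cn";
};
```

Tomcat then points its realm at this entry, e.g. `<Realm className="org.apache.catalina.realm.JAASRealm" appName="TomcatKrbLdap" userClassNames="javax.security.auth.kerberos.KerberosPrincipal" roleClassNames="org.ldaptive.jaas.LdapRole"/>` in server.xml, with `-Djava.security.auth.login.config=/path/to/jaas.conf` added to CATALINA_OPTS (path is a placeholder). Because the second module is `required`, a user who authenticates but has no matching group ends up with no roles and is denied by the security-constraints, which is the fail-closed behaviour you want.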