So I managed to do the authentication with SPNEGO successfully, and get the principal name using the TGT from the KDC. But I'm stuck on how to update the attributes for that user in LDAP by just using the TGT token, DN (distinguished name) and principal name?
I'm looking at example similar to the following:
private static void performJndiOperation(String[] args) {
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
// Must use fully qualified hostname
env.put(Context.PROVIDER_URL, "ldap://ldap.jnditutorial.org:389/o=JndiTutorial");
// Request the use of the "GSSAPI" SASL mechanism
// Authenticate by using already established Kerberos credentials
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
try {
/* Create initial context */
DirContext ctx = new InitialDirContext(env);
// do something useful with ctx
...
// Close the context when we're done
ctx.close();
} catch (NamingException e) {
e.printStackTrace();
}
}
But I get an exception of invalid credentials:
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request.)]]
Please do you have an idea what I'm doing wrong? Thanks very much for your help
-Dsun.security.krb5.debug=trueplus-Dsun.security.spnego.debug=trueplus my personal favorite-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext- Samson Scharfrichter