I need some help delegating user authentication in my spring-based application to Active Directory that seems to be delegating this responsibility to Kerberos - I can't seem to figure out how to do this. Here is more of what the mess really looks like:

I followed Spring guide on configuring Spring Security to work with an LDAP server. It went fine.

I got the host and port of my actual LDAP server. I configure Spring Security to talk to it; it won't allow me to authenticate.

OK, I download jxplorer and connect to my LDAP server with it successfully. If jxplorer can connect to LDAP only knowing HOST, PORT, USERNAME, and PASSWORD, I figure my application should be able to do the same.

Weirdly, my LDAP does not show an OU=people. My people are scattered deeper in the tree among various OUs, in an OU-per-department kind of way - but most people are found equally deep inside the tree.

Also WEIRDLY, my actual people nodes that uniquely identify a person have no userPassword attribute.

For experimentation, I configure Spring Security in such a way that it tries to authenticate an individual by looking in the OU that represents my department and tell it to use mailNickname as the password (using PlaintextPasswordEncoder()), and it works fine - only on port 3268, not on 389.

At this point I start speculating - LDAP is telling my spring-based app that it needs to talk to Kerberos, and I did not tell it how to do that, so that explains why my app fails to authenticate. BUT no one told jxplorer that Kerberos will authenticate it, and yet it managed to get a view of the LDAP tree. Clearly, my spring-app's assumptions != jxplorer's assumptions. I give them the exact same info, yet one manages to authenticate and the other does not. Anyone have any idea?

EDIT: OK, so I still do not have this solved, but my error has changed, and that is a mark of progress, I suppose.

I configured spring according to this: link

Now, when I try to log in, if I give a wrong password or username, I get a complaint that clearly indicates the password is wrong. However, if I give the correct password, the complaint differs.

The end of stack trace includes: Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

But the debug output also indicates that the user is found in the Kerberos database, because it says: "principal is username@correct_realm" and "Added server's keyKerberos Principal correct_user@correct_realm" and does a hex dump.

Because of that, I am sure that my keytab is not doing its job. I am certain that my keytab is found by Spring because it says: KeyTab is my_keytab_file (otherwise it'd say: KeyTab is null).

1 Answer

If it is configured with Kerberos, you can try SPNEGO. It's one of the best libraries around for Kerberos in Java.

READ: http://spnego.sourceforge.net/

Sample code for Kerberos Auth:

Example usage (username/password):

import java.net.URL;
import net.sourceforge.spnego.SpnegoHttpURLConnection;

public class SpnegoClientExample {

    public static void main(final String[] args) throws Exception {
        // Kerberos realm/KDC settings and the JAAS login configuration the library reads
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.auth.login.config", "login.conf");

        SpnegoHttpURLConnection spnego = null;

        try {
            // "spnego-client" is the JAAS entry name in login.conf, followed by username and password
            spnego = new SpnegoHttpURLConnection("spnego-client", "dfelix", "myp@s5");
            spnego.connect(new URL("http://medusa:8080/index.jsp"));

            System.out.println(spnego.getResponseCode());

        } finally {
            if (null != spnego) {
                spnego.disconnect();
            }
        }
    }
}
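To test the keytab on its own, independently of Spring, a plain JAAS login through Krb5LoginModule is enough; this is an added example, not code from the question or the SPNEGO project, and the krb5.conf path, keytab path and principal are placeholders to replace:

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Logs in with a keytab through plain JAAS (no Spring) to test the keytab against the KDC. */
public class KeytabCheck {
    // Placeholders: substitute your own krb5.conf path, keytab path and principal.
    static final String KRB5_CONF = "krb5.conf";
    static final String KEYTAB = "/path/to/my_keytab_file";
    static final String PRINCIPAL = "username@REALM";

    /** Returns true if the KDC accepts the key stored in the keytab for PRINCIPAL. */
    public static boolean keytabLoginWorks() {
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        System.setProperty("sun.security.krb5.debug", "true");
        // JAAS configuration built in code, so no login.conf file is involved.
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", KEYTAB);
                opts.put("principal", PRINCIPAL);
                opts.put("storeKey", "true");
                opts.put("doNotPrompt", "true");
                opts.put("isInitiator", "true"); // request a TGT so the KDC actually checks the key
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        try {
            LoginContext lc = new LoginContext("keytab-check", null, null, config);
            lc.login();
            System.out.println("Keytab OK: " + lc.getSubject().getPrincipals());
            lc.logout();
            return true;
        } catch (LoginException e) {
            // "Pre-authentication information was invalid (24)" here means the key in the
            // keytab does not match what the KDC holds (stale kvno, wrong enctype or password).
            System.out.println("Keytab login failed: " + e.getMessage());
            return false;
        }
    }
}
```

If this standalone login succeeds but the Spring login still fails with error 24, the keytab is fine and the problem lies in how Spring is wired to it; if it fails the same way, regenerate the keytab and retest before touching Spring.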