0
votes

I would like to use JMeter to run some load testing against our OpenLDAP service authenticating using GSSAPI (i.e., Kerberos). How do I get JMeter to use a keytab with Kerberos credentials to do this? (Note: I tried following the directions here but they did not work for me: https://community.hortonworks.com/articles/141035/jmeter-kerberos-setup-for-hive-load-testing.html)

UPDATE

The command I use to start JMeter is

    java.exe -XX:+HeapDumpOnOutOfMemoryError -Xms1g -Xmx1g
    -XX:MaxMetaspaceSize=256m -XX:+UseG1GC -XX:MaxGCPauseMillis=100 -XX:G1ReservePercent=20 -Djava.security.egd=file:/dev/urandom
    -Duser.language="en" -Duser.region="EN"
    -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
    -jar "D:\JMeter\bin\ApacheJMeter.jar"
    -Dsun.security.krb5.debug=true
    -Djava.security.krb5.conf="D:\JMeter\bin\krb5.conf"
    -Djava.security.auth.login.config="D:\JMeter\bin\jaas.conf"
    -Djavax.security.auth.useSubjectCredsOnly=false

The contents of D:\JMeter\bin\jaas.conf:

    JMeter {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        useTicketCache=false
        useKeyTab=true
        keyTab="D:\JMeter\bin\ldap.keytab"
        principal="service/[email protected]"
        debug=true;
    };

I have a single LDAP Request sampler. For that sampler I entered the LDAP server, port, and search base and filter. I run the test which "succeeds" but no information comes back.

I see no log messages in jmeter.log concerning the success or failure of authentication.


1 Answers

0
votes

Unfortunately, your "didn't work" statement tells us nothing. With regard to the referenced guide: it is fine for HortonWorks Docs, however it might not be applicable to your application setup, as Kerberos has many faces, to wit:

  1. Your REALM will be different
  2. Your SPN will be different (it may or may not be present)
  3. Your keytab configuration will be different (again, Kerberos may or may not use keytabs for authentication)
  4. Your KDC will be different
  5. Your keytab generation algorithms may be different

So I would recommend the following:

  1. Reach out to your network administrators / developers / devops / whoever can have the knowledge about your Kerberos setup and collect as much information as you can
  2. Enable debug logging for JMeter HTTP Authorization Manager by adding the next line to log4j2.xml file:

    <Logger name="org.apache.jmeter.protocol.http.control" level="debug" />
    
  3. Enable debug logging for Java Kerberos implementation by adding the next line to system.properties file:

    sun.security.krb5.debug=true
    
  4. Restart JMeter to pick up the changes
  5. Re-run your test and look for underlying error cause in jmeter.log file and in STDOUT
  6. Fix the issue
  7. Repeat step 5 until you're happy with the result

There are hundreds of different reasons. It might be the case that your setup is 100% fine, but your login doesn't succeed because the time on the KDC and on your JMeter machine differs and needs syncing.
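An added example, not part of the answer above: a small triage script for step 5 that scans the output produced with `sun.security.krb5.debug=true` for Kerberos error codes and maps each to the setup item it usually points at (realm, SPN, keytab, clock). The function name `triage` and the sample lines are constructed for illustration; the hints are common causes, not a complete diagnosis.

```python
import re

# RFC 4120 error codes mapped to the setup items listed in the answer above.
KRB_ERRORS = {
    6:  ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "principal in jaas.conf is unknown to the KDC"),
    7:  ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "SPN of the target service is not registered"),
    14: ("KDC_ERR_ETYPE_NOSUPP", "keytab encryption types are not accepted by the KDC"),
    24: ("KDC_ERR_PREAUTH_FAILED", "key in the keytab is wrong or stale"),
    37: ("KRB_AP_ERR_SKEW", "clocks differ between this machine and the KDC"),
    68: ("KDC_ERR_WRONG_REALM", "realm in krb5.conf or in the principal is wrong"),
}
# Code 25 (KDC_ERR_PREAUTH_REQUIRED) is the normal first round trip, not a failure.
BENIGN = {25}

# Java prints "error code is N" in the debug trace and "<message> (N)" in exceptions.
CODE_RE = re.compile(
    r"error code is (\d+)|(?:KrbException|LoginException):.*\((\d+)\)"
)

def triage(lines):
    """Return (line_no, code, name, hint) for each Kerberos failure found."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = CODE_RE.search(line)
        if not m:
            continue
        code = int(m.group(1) or m.group(2))
        if code in BENIGN:
            continue
        name, hint = KRB_ERRORS.get(code, ("UNKNOWN", "look the code up in RFC 4120"))
        findings.append((no, code, name, hint))
    return findings

# Constructed sample of STDOUT / jmeter.log content, not taken from a real run.
SAMPLE = """\
>>>KRBError:
     error code is 25
     error Message is Additional pre-authentication required
>>>KRBError:
     error code is 37
     error Message is Clock skew too great
javax.security.auth.login.LoginException: Clock skew too great (37)
""".splitlines()

if __name__ == "__main__":
    for no, code, name, hint in triage(SAMPLE):
        print(f"line {no}: {name} ({code}): {hint}")
```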