How do I get JNDIRealm in Tomcat to use Kerberos auth?

感情迁移 submitted on 2019-12-13 20:06:29

Question


I am trying to run a tomcat JNDIRealm using Kerberos for authentication (authentication="GSSAPI").

However, I'm getting this:

SEVERE: Catalina.start:
LifecycleException:  Exception opening directory server connection:  
javax.naming.AuthenticationException: GSSAPI 
[Root exception is javax.security.sasl.SaslException: GSS initiate failed 
 [Caused by GSSException: No valid credentials provided 
 (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
]]

I have this in server.xml:

 <Realm className="org.apache.catalina.realm.JNDIRealm"
        authentication="GSSAPI"
        connectionName="CN=XXX User,OU=XXXGenericAccounts,DC=xxx,DC=com"
        connectionPassword="blah"
        connectionURL="ldap://blah.xxx.com:389"
        alternateURL="ldap://blah.xxx.com:389"
        roleBase="OU=XXXGroups,DC=xxx,DC=com"
        roleName="cn"
        roleSearch="member={0}"
        roleSubtree="true"
        userBase="OU=XXXUsers,DC=xxx,DC=com"
        userSearch="sAMAccountName={0}"
        userSubtree="true"/>

Any idea what I am missing here?


Answer 1:


The error indicates Kerberos is not setup correctly.

You need to set the following JVM parameters, either by using -D or System.setProperty():

java.security.krb5.realm : Default realm, like EXAMPLE.COM
java.security.krb5.kdc : KDC hostname, like ad.example.com



Answer 2:


jorel:

In addition to the initial issue of defining the realm/KDC, the NamingException you're getting is described in the error message---your LDAP server "blah.xxx.com" doesn't allow anonymous binds, and tomcat is trying to run a search without binding.

If you want LDAP to be searched using the user's credentials, then the problem is that it isn't forwarding the credentials along to LDAP. I'm not yet familiar with how this stuff works inside Java, but there are a couple of possible causes:

  1. Tomcat isn't requesting a ticket which can be forwarded/delegated.
  2. The client isn't providing such a ticket. See: http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_edit_browsers.html for the relevant browser config.
  3. Tomcat isn't trying to do a SASL bind to the LDAP server using the properly requested/given ticket.

If you're trying to search using the connectionName DN as a bindDN, then check for failures on the LDAP server---i.e. "Invalid credentials" (user/pass incorrect) or ACL issues.




Answer 3:


You will need to pass via system properties:

  • path to the krb5.conf/ini
  • path to a login.conf which has the default Sun name, with a Krb5Module configured for how to obtain credentials.
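Putting answers 1 and 3 together, the following is an added example (it is not from the question or any of the answers, nor from the Tomcat project) of a POSIX shell script that generates the three pieces Tomcat needs and checks them before a restart: a krb5.conf naming the realm and its KDC, a JAAS login configuration whose entry name (com.sun.security.jgss.krb5.initiate) is the one the Sun/Oracle GSS provider looks up by default for the initiating side, and a setenv.sh carrying the -D options. The realm EXAMPLE.COM, the KDC ad.example.com, the service principal, the keytab path and the output directory are constructed placeholders; the javax.security.auth.useSubjectCredsOnly=false property is my addition, since without it the JNDI LDAP provider only uses credentials already present in the calling Subject and never goes through the JAAS entry.

```shell
#!/bin/sh
# Added example: builds the Kerberos configuration pieces that answers 1 and 3
# describe. Every value below is a constructed placeholder (assumption).
KRB_REALM="EXAMPLE.COM"                                 # assumption
KRB_KDC="ad.example.com"                                # assumption
SERVICE_PRINCIPAL="tomcat/app.example.com@EXAMPLE.COM"  # assumption
KEYTAB="/etc/tomcat/tomcat.keytab"                      # assumption

# krb5.conf: default realm plus the KDC that serves it.
write_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $KRB_REALM

[realms]
    $KRB_REALM = {
        kdc = $KRB_KDC
    }
EOF
}

# JAAS login configuration. The entry name is the default the Sun/Oracle GSS
# provider looks up for the initiating side. Krb5LoginModule reads the service
# key from a keytab, so Tomcat can obtain a ticket without an interactive prompt.
write_jaas_conf() {
    cat > "$1" <<EOF
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        doNotPrompt=true
        keyTab="$KEYTAB"
        principal="$SERVICE_PRINCIPAL";
};
EOF
}

# JVM options on one line. krb5.realm and krb5.kdc must be given as a pair
# (the JDK rejects one without the other); the two file paths are the ones
# answer 3 lists; useSubjectCredsOnly=false lets the JNDI LDAP provider log in
# through the JAAS entry above instead of requiring a pre-authenticated Subject.
tomcat_kerberos_opts() {
    printf '%s' "-Djava.security.krb5.realm=$KRB_REALM" \
        " -Djava.security.krb5.kdc=$KRB_KDC" \
        " -Djava.security.krb5.conf=$1" \
        " -Djava.security.auth.login.config=$2" \
        " -Djavax.security.auth.useSubjectCredsOnly=false"
}

# setenv.sh is sourced by catalina.sh; appending to CATALINA_OPTS keeps any
# options the operator already set.
write_setenv() {
    cat > "$1" <<EOF
#!/bin/sh
CATALINA_OPTS="\$CATALINA_OPTS $(tomcat_kerberos_opts "$2" "$3")"
export CATALINA_OPTS
EOF
}

# Sanity check before restarting Tomcat: each file exists and carries the
# token the JVM will look for. Returns 1 and names the first missing piece.
verify_kerberos_setup() {
    grep -q "default_realm = $KRB_REALM" "$1" 2>/dev/null \
        || { echo "krb5.conf missing default_realm"; return 1; }
    grep -q "^com.sun.security.jgss.krb5.initiate" "$2" 2>/dev/null \
        || { echo "jaas.conf missing initiate entry"; return 1; }
    grep -q "java.security.auth.login.config=$2" "$3" 2>/dev/null \
        || { echo "setenv.sh does not point at $2"; return 1; }
    return 0
}

# Generate everything into a scratch directory (or OUT_DIR if already set).
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
write_krb5_conf "$OUT_DIR/krb5.conf"
write_jaas_conf "$OUT_DIR/jaas.conf"
write_setenv "$OUT_DIR/setenv.sh" "$OUT_DIR/krb5.conf" "$OUT_DIR/jaas.conf"
verify_kerberos_setup "$OUT_DIR/krb5.conf" "$OUT_DIR/jaas.conf" "$OUT_DIR/setenv.sh" \
    && echo "generated in $OUT_DIR; copy setenv.sh to \$CATALINA_BASE/bin/"
```

Run it once, move the generated krb5.conf and jaas.conf to their permanent locations (adjusting the two paths in setenv.sh to match), and put setenv.sh in $CATALINA_BASE/bin. The "No valid credentials provided" error in the question is what you get when the JVM cannot find a realm/KDC or a JAAS entry through which to acquire a ticket, which is exactly what the three files supply.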


Source: https://stackoverflow.com/questions/1422012/how-do-i-get-jndirealm-in-tomcat-to-use-kerberos-auth
