Kerberos user management & J2EE question

g.w@hurderos.org g.w at hurderos.org
Wed Nov 24 00:14:36 EST 2004


On Nov 18, 11:43am, Chris wrote:
} Subject: Kerberos user management & J2EE question

> All,

Good evening to Chris and the list.  Hope the week is going well for
everyone.

>   I've done some searching of the group and haven't really found
> anything that relates to my question so here goes.
> 
>   Does anyone know if there is an existing set of Java libraries for
> managing Kerberos users?  I'll outline my problem:

> The issue is that we need the java server application to be able to
> create new Kerberos principals and also change passwords.  Our users
> use a remote admin tool to connect to the server and create new users
> for the client application.  When they do this our server needs to
> create a new kerberos user.
> 
> We can have the server run a command line kadmin command to accomplish
> this but that isn't really how we want to do things since our Kerberos
> machine and server are separated and there are security concerns with
> this solution.
> 
> So instead we'd like to be able to sort of recreate what kadmin does
> behind the scenes.  We'd also prefer NOT to reinvent the wheel.  So
> far I've had no luck finding information on doing this, all the
> Kerberos protocol information I've found deals with authentication of
> users, not with managing users.
> 
> Could anyone point me in the right direction?

I can't provide the exact solution you are looking for but thought I
would offer a pointer to what our project is doing in case it might be
useful.  At the URL at the end of this mail you will find the home
page for our project to create an Active Directory work-alike.

The mission of our project is to provide a comprehensive user
and services management solution sitting on top of Kerberos and LDAP.
We are making reasonably good progress and with the next release will
have a generally solid solution for managing multi-realm Kerberos
implementations coupled with multi-tree directory systems.

The core of the system is something we call the Identity and Services
Management Engine (ISME) which is a Java based application for
managing user information which is persisted in a relational
database.  Multiple services can be attached (bound) to users which
results in a callout to a Service Provisioning Layer (SPL) which is
responsible for carrying out generic or host based provisioning.

One of the core services is, of course, Kerberos.  Rather than
re-create the wheel the SPL uses C based programs to execute specific
KADM5 commands, such as creating users.  ISME encodes Kerberos
administrative commands in XML and passes them to the SPL for
execution.  ISME in turn is controlled via XML-encoded commands sent
through a Java based GSSAPI protected conduit from a client.

So it's not a 'pure' Java Kerberos administrative toolset but it does
provide a flexible infrastructure for managing users.  Your
application would have to encode an appropriate ISME command to create
a Kerberos service for a user and authenticate to ISME but everything
after that is pretty much under the covers.

I thought we would have the next release out this week but that is
going to slip a bit with the holiday.  If you would like I would be
happy to put you on the 'Friends of Hurderos' release list to be
notified on new releases.

> Thanks!
> Chris

Good luck with your project.

}-- End of excerpt from Chris

As always,
GW
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org
