Do I need keytab for Authentication?

kaffekamelen johngjesse at hotmail.com
Wed Apr 8 09:38:33 EDT 2009


Hi all,

I have some problems getting through to LDAP using jaas/kerberos/GSSAPI.
Kerberos login is successful, but when I try to create an InitialDirContext,
an "AuthenticationNotSupportedException: GSSAPI" is thrown. Funny thing is
that it only occurs when running a websphere+Microsoft AD setup (with ibm's
Krb5LoginModule) - when I use jboss with sun's Krb5LoginModule everything
works!

So, there must be an issue regarding the difference in setup. Do any of you
know about known IBM problems in supporting kerberos and GSSAPI?

I am aware that ibm's Krb5LoginModule may be more restrictive than sun's. If
so, my implementation may be insufficient. Actually, I am running without
keytab file, and I'm wondering if that's a problem.

My implementation consists of a single java ear file deployed on websphere
app server:

1. The only Websphere configuration is that I have added a "MyLoginModule"
entry to wsjaas.properties (MyLoginModule entry points out
com.ibm.security.auth.module.Krb5LoginModule). Don't really know why it
should be wsjaas.properties - I don't have any webservice involved... Is
there a point here?
2. My application accepts username and password in a user dialog.
3. My application sets System properties:
java.security.krb5.conf=<myInstDir>/admin/var/jaas/krb5.conf and
java.security.auth.login.config=<myInstDir>/admin/var/jaas/step-jaas.conf
4. My application creates a LoginContext (new LoginContext("MyLoginModule",
MyCallbackhandler)) - The CallbackHandler provides username and password to
the LoginModule on request. This is why I don't think I need a keytab file
copied to the websphere server...
5. Start a thread using Subject.doAs(loginContext.getSubject(),
myWorkerThread)
6. The worker thread sets environment
LDAP_INITIAL_CONTEXT_FACTORY=com.sun.jndi.ldap.LdapCtxFactory,
LDAP_SERVER_URL=ldap://my.ldap.host:389, AUTH_MECHANISMS=GSSAPI.
7. The worker thread creates new InitialDirContext(env) - and this is where
the "AuthenticationNotSupportedException: GSSAPI" is thrown.

Again - there is no AuthenticationNotSupportedException when using
jboss+sun's Krb5LoginModule, so it seems that I CAN do without a keytab
file. Anyway, the problem here is that websphere is my main target
appserver!!

I hope some of you can give me some advice, because I'm totally stuck in
this case.
-- 
View this message in context: http://www.nabble.com/Do-I-need-keytab-for-Authentication--tp22950643p22950643.html
Sent from the Kerberos - Dev mailing list archive at Nabble.com.
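The seven steps above, written out as one runnable Java class. This is an added example, not code from the original post or from either application server: the JAAS entry name "MyLoginModule", the LDAP URL and the config file paths are placeholders taken from the post, and the jaas.conf fragment in the comment is an assumed minimal entry. The example also adds the check a practitioner would want before the InitialDirContext call: it enumerates the SASL client mechanisms registered in the running JVM with Sasl.getSaslClientFactories, since JNDI's LDAP provider can only use GSSAPI when some installed SaslClientFactory offers that mechanism. On the client (initiator) side a password login through Krb5LoginModule obtains the TGT from the user's password, so no keytab is involved at this step; keytabs hold long-term keys for services and unattended clients.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClientFactory;

/*
 * Assumed login configuration (jaas.conf), referenced by java.security.auth.login.config.
 * The class name is the Sun/Oracle module; for IBM's JDK the post names
 * com.ibm.security.auth.module.Krb5LoginModule instead.
 *
 *   MyLoginModule {
 *       com.sun.security.auth.module.Krb5LoginModule required;
 *   };
 */
public class GssapiLdapClient {
    // Placeholder names from the post; adjust to the real deployment.
    private static final String JAAS_ENTRY = "MyLoginModule";
    private static final String LDAP_URL = "ldap://my.ldap.host:389";

    /** Hands the interactively collected credentials to Krb5LoginModule on request. */
    static final class PasswordCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        PasswordCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Returns the SASL mechanisms for which this JVM has a registered client factory. */
    static Set<String> availableSaslMechanisms() {
        Set<String> mechanisms = new TreeSet<>();
        Enumeration<SaslClientFactory> factories = Sasl.getSaslClientFactories(null);
        while (factories.hasMoreElements()) {
            mechanisms.addAll(Arrays.asList(factories.nextElement().getMechanismNames(null)));
        }
        return mechanisms;
    }

    /** Steps 2-4: password login obtains a TGT into the Subject; no keytab is read here. */
    static Subject kerberosLogin(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY, new PasswordCallbackHandler(user, password));
        lc.login();
        return lc.getSubject();
    }

    /** Steps 5-7: bind to LDAP with SASL/GSSAPI using the credentials in the Subject. */
    static DirContext bindWithGssapi(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<DirContext>) () -> {
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Ask for SASL integrity and confidentiality so LDAP traffic on port 389 is signed and sealed.
            env.put("javax.security.sasl.qop", "auth-conf");
            return new InitialDirContext(env);
        });
    }

    public static void main(String[] args) throws Exception {
        // Step 3 (placeholder paths).
        System.setProperty("java.security.krb5.conf", "/path/to/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/path/to/jaas.conf");

        // Diagnostic: confirm a GSSAPI SASL client exists before JNDI tries to use it.
        Set<String> mechanisms = availableSaslMechanisms();
        if (!mechanisms.contains("GSSAPI")) {
            throw new IllegalStateException("no SASL client for GSSAPI; installed: " + mechanisms);
        }

        char[] password = args.length > 1 ? args[1].toCharArray() : new char[0];
        Subject subject;
        try {
            subject = kerberosLogin(args.length > 0 ? args[0] : "user@EXAMPLE.COM", password);
        } finally {
            Arrays.fill(password, '\0'); // the TGT is in the Subject; drop the cleartext password
        }
        DirContext ctx = bindWithGssapi(subject);
        System.out.println("bound as " + ctx.getEnvironment().get(Context.SECURITY_AUTHENTICATION));
        ctx.close();
    }
}
```

If availableSaslMechanisms() does not list GSSAPI on the server where the failure occurs, the difference between the two deployments is in the SASL provider set of the JVM or the container's class loading, not in the absence of a keytab; if it does list GSSAPI, enabling the JDK's Kerberos debug output (the sun.security.krb5.debug system property on Sun's JDK) is the next thing to check.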