
GSSAPI bind

2016-09-20
  • Sergey Klyushin

    Sergey Klyushin - 2016-09-20

    Hello,
    Could you please give more details about the setUseSubjectCredentialsOnly method of the GSSAPIBindRequestProperties class?
    I can't understand the functionality from the description:
    // Specifies whether to allow the client to use credentials that are outside the current subject.
    // If this is false, then a system-specific mechanism may be used in an attempt to obtain credentials from an existing session.
    What does "current subject" mean?
    Is it about cross-realm authentication?
    When should it be set to "false"?

    And another question. I try to use a keytab file and call the setUseKeyTab(true) method of the GSSAPIBindRequestProperties class. I DON'T call the setKeyTabPath("path") method.
    But I see the error: "Key for the principal user@EXAMPLE.COM not available in default key tab"
    What should the name of the "default key tab" be on Windows and Linux/Unix?
    Where should the default keytab file be located on Windows and Linux/Unix?

    Thanks in advance,
    Sergey

  • Neil Wilson

    Neil Wilson - 2016-09-20

    The setUseSubjectCredentialsOnly method controls the behavior of the javax.security.auth.useSubjectCredsOnly system property. This property is documented at http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub

    The "subject" is the identity that is performing the authentication, and this property indicates whether the underlying Kerberos implementation can look for the user's credentials in some proprietary location. The behavior is specific to the Kerberos implementation on the underlying system. I'd recommend looking at the documentation for whatever Kerberos implementation you're using to see if it provides any additional information.

    The location of the default key tab is also something that is specific to the underlying Kerberos implementation. For example, for the MIT Kerberos implementation, the determination of the default client keytab is documented at the bottom of http://web.mit.edu/kerberos/krb5-1.12/doc/basic/keytab_def.html.

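    The following is an added example, not code posted by Neil or shipped with the LDAP SDK, showing how the two settings discussed above fit together in a GSSAPI bind: the keytab is named explicitly with setKeyTabPath so the implementation-specific "default key tab" lookup is never consulted, and setUseSubjectCredentialsOnly(true) restricts the Kerberos provider to the credentials configured here rather than whatever it might find through a system-specific mechanism. The host, port, principal, realm, KDC and keytab path are placeholder values.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.GSSAPIBindRequestProperties;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;

/**
 * Performs a GSSAPI bind using a key from an explicitly named keytab.
 * All connection details below are placeholder values for illustration.
 */
public final class KeytabGSSAPIBindExample
{
  public static void main(final String[] args) throws LDAPException
  {
    // Placeholder values; replace with your own environment's settings.
    final String ldapHost   = "ldap.example.com";
    final int    ldapPort   = 389;
    final String principal  = "user@EXAMPLE.COM";
    final String realm      = "EXAMPLE.COM";
    final String kdcAddress = "kdc.example.com";
    final String keytabPath = "/etc/security/user.keytab";

    // The password may be null when the key comes from a keytab. The cast
    // selects the (String, String) constructor over the (String, byte[]) one.
    final GSSAPIBindRequestProperties props =
         new GSSAPIBindRequestProperties(principal, (String) null);

    props.setRealm(realm);
    props.setKDCAddress(kdcAddress);

    // Name the keytab explicitly. Without setKeyTabPath the Kerberos
    // implementation falls back on its own notion of a "default key tab",
    // which is where the "not available in default key tab" error comes from.
    props.setUseKeyTab(true);
    props.setKeyTabPath(keytabPath);

    // Do not silently fall back on an existing ticket cache: if the keytab
    // does not contain a usable key, the bind should fail rather than
    // succeed as whatever identity happens to be cached.
    props.setUseTicketCache(false);

    // true:  use only the credentials in the current JAAS subject, i.e. the
    //        keytab configured above.
    // false: the Kerberos implementation may also look for credentials in a
    //        system-specific location (for example, an existing login session).
    props.setUseSubjectCredentialsOnly(true);

    final GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(props);

    try (LDAPConnection conn = new LDAPConnection(ldapHost, ldapPort))
    {
      final BindResult result = conn.bind(bindRequest);
      System.out.println("Bind result: " + result.getResultCode());
    }
  }
}
```

    Leaving the ticket cache disabled and the subject-only flag enabled makes the bind deterministic: it succeeds only as the principal whose key is in the named keytab, which is the behavior you want for an unattended service account. Set setUseSubjectCredentialsOnly(false) only when you deliberately want the bind to pick up credentials from an existing system login, and expect the result to vary by platform and Kerberos implementation, as noted in the reply above.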
  • Sergey Klyushin

    Sergey Klyushin - 2016-09-20

    Hello Neil,
    This answered my questions.
    Thanks a lot,
    Sergey

  • Arushi Rai

    Arushi Rai - 2017-08-24

    Can I achieve cross-realm authentication using a GSSAPI bind in the UnboundID SDK?

  • Neil Wilson

    Neil Wilson - 2017-08-24

    The LDAP SDK doesn’t have any specific support for cross-realm authentication, and it’s not something that I am specifically familiar with.

    It does appear that Java supports it, at least to some degree, because the OpenJDK issue tracking system has a record of a bugfix related to it (https://bugs.openjdk.java.net/browse/JDK-7061379).

    The basic research that I’ve done suggests that you might need separate JAAS configurations for each realm, and if that’s the case, then you might need to try the bind a couple of times (once for each realm) so that you end up getting all of the tickets necessary to accomplish this.

    Unfortunately, I probably can’t be any more helpful than that.

    • Arushi Rai

      Arushi Rai - 2017-08-25

      Thank you Neil for the information.

