InMemoryDirectoryServer and SASL GSS-API

  • Recos IC

    Recos IC - 2015-03-20

    hi

    I use the InMemoryDirectoryServer for some type of proxy server between an ldap client and a web service.
    The UnboundID Ldap Sdk saved me a lot of time to get this working and I really appreciate your work.

    My problem is that I need to authenticate against a backend web service which uses Kerberos.
    The ldap client supports SASL GSS-API.
    Therefore I need a way that the InMemoryDirectoryServer can handle the SASL GSS-API authentication and pass it through to the backend web service.

    So far I have a custom InMemoryRequestHandler to handle bind requests and the search requests.
    My guess is that I have to subclass the InMemorySASLBindHandler, like the PLAINBindHandler does, to implement the new behavior.
    I'm completely new to the SASL world.

    What do you think about my thoughts? Am I going in the right direction?
    Or is there already some functionality available to achieve this?

    thanks,
    Tobias

     
  • Neil Wilson

    Neil Wilson - 2015-03-20

    Yes. You will need to subclass InMemorySASLBindHandler if you want to add GSSAPI support to the in-memory directory server. The JVM can do most of the heavy lifting of the Kerberos interaction through the javax.security.sasl.SaslServer class, but it still probably won't be trivial to implement that support. Also, the in-memory server probably doesn't have the necessary framework in place to support the auth-int or auth-conf quality of protection modes if you want to use GSSAPI to encrypt the subsequent communication.
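
A sketch of the subclass described in the reply above, added here as an illustration; it is not code from either poster or from the UnboundID project. It keeps the multi-step `SaslServer` in the handler's per-connection state and restricts the quality of protection to `auth`, since the reply notes the in-memory server lacks the framework for auth-int and auth-conf. Assumptions: the service `Subject` comes from a JAAS Kerberos login done elsewhere, the state key and the principal-to-DN mapping (`uid=<user>,<baseDN>`) are hypothetical, and forwarding the identity to a backend web service is not covered.

```java
import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.ldap.listener.*;
import com.unboundid.ldap.sdk.*;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.sasl.*;

public final class GSSAPIBindHandler extends InMemorySASLBindHandler {
  private static final String KEY = "example.gssapi.server"; // hypothetical state key
  private final Subject svc;  // service Subject from a JAAS Krb5LoginModule login (assumed)
  private final String fqdn;  // host part of the ldap/<fqdn> service principal
  private final DN baseDN;    // assumed mapping: user@REALM -> uid=user,<baseDN>

  public GSSAPIBindHandler(Subject svc, String fqdn, DN baseDN) {
    this.svc = svc; this.fqdn = fqdn; this.baseDN = baseDN;
  }

  @Override public String getSASLMechanismName() { return "GSSAPI"; }

  @Override public BindResult processSASLBind(InMemoryRequestHandler handler, int msgID,
      DN bindDN, ASN1OctetString creds, List<Control> controls) {
    Map<String,Object> state = handler.getConnectionState(); // per-connection map
    try {
      if (state.get(KEY) == null) {
        // "auth" only: no integrity or confidentiality layer is negotiated.
        Map<String,String> props = Collections.singletonMap(Sasl.QOP, "auth");
        state.put(KEY, Subject.doAs(svc, (PrivilegedExceptionAction<SaslServer>) () ->
            Sasl.createSaslServer("GSSAPI", "ldap", fqdn, props, cbs -> {
              for (Callback cb : cbs) if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb; // no proxy authorization
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
              }
            })));
      }
      SaslServer server = (SaslServer) state.get(KEY);
      byte[] token = (creds == null) ? new byte[0] : creds.getValue();
      byte[] reply = Subject.doAs(svc,
          (PrivilegedExceptionAction<byte[]>) () -> server.evaluateResponse(token));
      ASN1OctetString out = (reply == null) ? null : new ASN1OctetString(reply);
      if (!server.isComplete()) // more round trips needed
        return new BindResult(msgID, ResultCode.SASL_BIND_IN_PROGRESS, null, null, null, null, out);
      state.remove(KEY);
      String user = server.getAuthorizationID().split("@", 2)[0];
      handler.setAuthenticatedDN(new DN(new RDN("uid", user), baseDN));
      return new BindResult(msgID, ResultCode.SUCCESS, null, null, null, null, out);
    } catch (Exception e) { // also reached when no GSSAPI SaslServer could be created
      state.remove(KEY);    // discard the half-finished exchange
      return new BindResult(msgID, ResultCode.INVALID_CREDENTIALS, "GSSAPI bind failed", null, null, null, null);
    }
  }

  @Override public void toString(StringBuilder buffer) { buffer.append("GSSAPIBindHandler()"); }
}
```

The failure path returns a generic diagnostic message so that Kerberos error details are not disclosed to the client.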

     
