Controlling the KDC connection creation in GSSAPI Bind similar to the...

A Java-based LDAP API

Brought to you by: dirmgr, kennethleo

Controlling the KDC connection creation in GSSAPI Bind similar to the socketFactory that can be used to control the ldap bind

Forum: Discussions

Creator: Eran ghosalker

Created: 2017-01-17

Updated: 2017-01-17

Eran ghosalker - 2017-01-17

Hi All

I am using GSSAPI bind to connect to ActiveDirectory and it is working great.
However, recently as the result of firewall policy that was change, I need to force the source IP to specifc one.
When I tried the regular ldap bind and supplied it a custom socket factory, I was able to work it out.
Howver when I tried it with the GSSAPI bind, the ldap communication was using the source IP I wanted, however there are udp connections to the KDC server and they are open as the operating system.
More than that I saw that there is also failed name resolution attempt which was not needed.

Is it possible to control somehow the udp connections to the KDC server?
Is it possible to disable the DNS resoution somehow?

Thanks in advance
Eran

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Neil Wilson - 2017-01-17

Unfortunately, the communication with the KDC is all handled behind the scenes by the JVM and not something done directly by the LDAP SDK code, and I'm not aware of anything that the JVM offers (like special configuration properties) that allow you to override the source address for that communication.

Your best bet is to probably try to control this at the operating system level on the client systems. Your best bet is to add a specific routing table entry for all servers that need a specific source address, although you may also be able to accomplish this with firewall rules on the client system.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.