I'm using GSSAPI in Java in order to login to an LDAP server using Kerberos authentication. I'm a newbie to Kerberos, so I'm sorry if this is an obvious question, but I couldn't find anything clear enough on the internet.
I perform the following steps:
- Define the login configuration by setting the system property `java.security.auth.login.config` to the configuration file path.
- Call `LoginContext.login()` with the name of the configuration and a self-defined callback handler.
- In case login succeeded, "pretend to be" the subject (by using `Subject.doAs()`), and connect to the LDAP server by creating a new `InitialLDAPContext` with the appropriate environment variables.
Now, my problem is that I don't understand which step correlates to which Kerberos action. Is it correct to say that after the login action I only have a TGT? When do I get the service-specific ticket?
Thanks, Dikla
1 solution
#1
The class com.sun.security.auth.module.Krb5LoginModule is Sun's implementation of a login module for the Kerberos version 5 protocol. Upon successful authentication the Ticket Granting Ticket (TGT) is stored in the Subject's private credentials set and the Kerberos principal is stored in the Subject's principal set.
(Taken from here)
This means that `LoginContext.login` is indeed equal to `kinit` in that after each of them, we have a TGT.
The service ticket will be obtained and used later - according to the action performed in `Subject.doAs()`.
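The mapping in this answer, as an added example that is not part of the original question or answer: the three steps from the question, with a dump of the Subject's Kerberos tickets after each, so you can see the TGT appear after `login()` and the `ldap/...` service ticket appear only after the GSSAPI bind inside `doAs()`. The JAAS config path, the entry name `LdapClient` and the host `ldap.example.com` are assumed placeholders, and the JDK's `TextCallbackHandler` stands in for the self-defined callback handler.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;

public class KerberosLdapLogin {

    // Lists the server principal of every Kerberos ticket the Subject currently holds.
    static void dumpTickets(Subject subject, String stage) {
        System.out.println("== " + stage + " ==");
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("  " + t.getServer().getName() + " (expires " + t.getEndTime() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        // Step 1: point JAAS at the login configuration (assumed placeholder path).
        System.setProperty("java.security.auth.login.config", "/path/to/jaas.conf");

        // Step 2: LoginContext.login() is the kinit equivalent. Krb5LoginModule performs
        // the AS exchange with the KDC and stores the TGT in the Subject's private credentials.
        LoginContext lc = new LoginContext("LdapClient", new TextCallbackHandler());
        lc.login();
        Subject subject = lc.getSubject();
        dumpTickets(subject, "after login(): expect only krbtgt/REALM@REALM");

        // Step 3: run the LDAP connection as the Subject. The SASL GSSAPI bind asks the KDC
        // for a service ticket for ldap/<host>@REALM using the cached TGT (the TGS exchange),
        // and the JDK GSS provider caches that service ticket back into the Subject.
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389"); // assumed host
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            LdapContext ctx = new InitialLdapContext(env, null);
            ctx.close();
            return null;
        });
        dumpTickets(subject, "after doAs(): TGT plus ldap/ldap.example.com@REALM");
    }
}
```

Running this against a reachable KDC and LDAP server shows the service ticket only in the second dump, which is the concrete answer to "when do I get the service-specific ticket".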