Kerberos (GSSAPI)

Kerberos can be used to authenticate to LDAP directory. In this case, you don't need to store the connection password in lsc.xml.

Here are the steps to use Kerberos with LSC.

You need to have configured Kerberos client on your server first. It means you are able to do a kinit to get a valid ticket from the Kerberos server.

Create a ./etc/gsseg_jaas.conf with the following:

/**
 * Login Configuration for JAAS.
 *
 */
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};

Soft-link the krb5.conf file to ./etc/krb5.ini:

ln -s /etc/krb5.conf ./etc/krb5.ini

You need to add some options in the java command used by LSC. You can do that by exporting JAVA_OPTS:

export JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"

Modify the LDAP connection:

• username: set the Kerberos username (the realm must be in uppercase)
• password: set a dummy password
• authentication: use GSSAPI
• saslQop (optional): The desired quality-of-protection, allowed values are:
  • auth (default value)
  • auth-int
  • auth-conf

Example:

<ldapConnection>
      <name>adsamba4-conn</name>
      <url>ldaps://pdc.example.org:636/dc=ad,dc=example,dc=org</url>
      <username>adminlsc@EXAMPLE.ORG</username>
      <password>not_really</password>
      <authentication>GSSAPI</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
      <saslQop>auth</saslQop>
</ldapConnection>

Open a Kerberos connection:

kinit adminlsc@EXAMPLE.ORG

You can now run LSC, it will authenticate trough Kerberos.