Kerberos (GSSAPI)

Kerberos can be used to authenticate to the LDAP directory. In this case, you don't need to store the connection password in lsc.xml.

Here are the steps to use Kerberos with LSC.

Prerequisite

You first need a configured Kerberos client on your server, meaning you are able to run kinit and obtain a valid ticket from the Kerberos server.

JAAS

Create a ./etc/gsseg_jaas.conf file with the following content:

/**
 * Login Configuration for JAAS.
 *
 */
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};

Kerberos

Soft-link the krb5.conf file to ./etc/krb5.ini:

ln -s /etc/krb5.conf ./etc/krb5.ini

Java options

You need to add some options to the java command used by LSC. You can do that by exporting JAVA_OPTS:

export JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"

You can also edit /usr/bin/lsc to make this option permanent.

LSC

Modify the LDAP connection:

  • username: set the Kerberos username (the realm must be in uppercase)
  • password: set a dummy password
  • authentication: use GSSAPI
  • saslQop (optional): the desired quality-of-protection; allowed values are:
    • auth (default value)
    • auth-int
    • auth-conf

Example:

<ldapConnection>
      <name>adsamba4-conn</name>
      <url>ldaps://pdc.example.org:636/dc=ad,dc=example,dc=org</url>
      <username>adminlsc@EXAMPLE.ORG</username>
      <password>not_really</password>
      <authentication>GSSAPI</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
      <saslQop>auth</saslQop>
</ldapConnection>

Kerberos init

Open a Kerberos connection:

kinit adminlsc@EXAMPLE.ORG

You can also load the principal from a keytab.

Run LSC

You can now run LSC; it will authenticate through Kerberos.

If you need to debug, set these additional Java options: -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true
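The script below is an added preflight check, not part of LSC or of this page: it verifies each step above before LSC is started (the JAAS entry name and login module, the krb5.ini link, the JAVA_OPTS flag, the GSSAPI and uppercase-realm connection settings, and a ticket for the configured principal). The ./etc/lsc.xml path and the --check flag are assumptions, and the klist output is constructed.

```shell
# Preflight for the LSC Kerberos/GSSAPI setup above (added example, not LSC code). Each check
# returns 0 (ok) or 1 (misconfigured) and takes paths/strings, so it runs on real files or samples.
# JAAS: entry name must be exactly org.lsc.jndi.JndiServices and use Krb5LoginModule.
check_jaas_conf() {  # $1 = path to gsseg_jaas.conf
  [ -r "$1" ] || return 1
  grep -Eq '^org\.lsc\.jndi\.JndiServices[[:space:]]*\{' "$1" || return 1
  grep -Eq 'com\.sun\.security\.auth\.module\.Krb5LoginModule[[:space:]]+required' "$1"
}
# JVM: without useSubjectCredsOnly=false, JGSS does not use the ticket obtained via JAAS.
check_java_opts() {  # $1 = JAVA_OPTS string
  case "$1" in *-Djavax.security.auth.useSubjectCredsOnly=false*) return 0 ;; esac
  return 1
}
# lsc.xml: authentication must be GSSAPI and the realm after '@' in username uppercase.
lsc_username() { sed -n 's|.*<username>\(.*\)</username>.*|\1|p' "$1" | head -n 1; }  # first connection only
check_lsc_connection() {  # $1 = path to lsc.xml
  grep -q '<authentication>GSSAPI</authentication>' "$1" || return 1
  realm=$(lsc_username "$1" | sed -n 's/.*@//p')
  [ -n "$realm" ] || return 1
  [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}
# Ticket cache: klist output must name the configured principal and hold a TGT (krbtgt/...).
check_ticket() {  # $1 = klist output, $2 = expected principal
  printf '%s\n' "$1" | grep -q "^Default principal: $2\$" || return 1
  printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# Constructed klist output (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: adminlsc@EXAMPLE.ORG
01/01/70 00:00:00  01/01/70 10:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

# Writes constructed config files for the given username and runs the file/ticket checks on them.
run_checks_on_samples() {  # $1 = username for lsc.xml; returns 0 only if every check passes
  d=$(mktemp -d); rc=0
  printf 'org.lsc.jndi.JndiServices {\n  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;\n};\n' > "$d/gsseg_jaas.conf"
  printf '<ldapConnection>\n  <username>%s</username>\n  <authentication>GSSAPI</authentication>\n</ldapConnection>\n' "$1" > "$d/lsc.xml"
  check_jaas_conf "$d/gsseg_jaas.conf" || rc=1
  check_lsc_connection "$d/lsc.xml" || rc=1
  check_ticket "$SAMPLE_KLIST" "$(lsc_username "$d/lsc.xml")" || rc=1
  rm -rf "$d"; return $rc
}
if [ "${1:-}" = "--check" ]; then  # real run from the LSC directory; assumes the config is ./etc/lsc.xml
  check_jaas_conf ./etc/gsseg_jaas.conf || echo "JAAS: fix ./etc/gsseg_jaas.conf"
  [ -r ./etc/krb5.ini ] || echo "krb5.ini: run ln -s /etc/krb5.conf ./etc/krb5.ini"
  check_java_opts "${JAVA_OPTS:-}" || echo "JAVA_OPTS: add -Djavax.security.auth.useSubjectCredsOnly=false"
  check_lsc_connection ./etc/lsc.xml || echo "lsc.xml: authentication must be GSSAPI, realm uppercase"
  check_ticket "$(klist 2>/dev/null)" "$(lsc_username ./etc/lsc.xml)" || echo "no valid ticket: run kinit"
fi
```

Run it as `sh preflight.sh --check` from the LSC directory after kinit; with no argument it only defines the checks, so `run_checks_on_samples` can be called from another script.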