Kerberos (GSSAPI)
Kerberos can be used to authenticate to the LDAP directory. In this case, you don't need to store the connection password in lsc.xml.
Here are the steps to use Kerberos with LSC.
Prerequisite
You need to have configured the Kerberos client on your server first, meaning you are able to run kinit and obtain a valid ticket from the Kerberos server.
JAAS
Create a ./etc/gsseg_jaas.conf file with the following content:
/**
 * Login Configuration for JAAS.
 */
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
Kerberos
Soft-link the krb5.conf file to ./etc/krb5.ini:
ln -s /etc/krb5.conf ./etc/krb5.ini
Java options
You need to add an option to the java command used by LSC. You can do that by exporting JAVA_OPTS:
export JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"
You can also edit /usr/bin/lsc so that this option is set permanently.
LSC
Modify the LDAP connection in lsc.xml:
- username: set the Kerberos principal (the realm must be in uppercase)
- password: set a dummy value; the real credential comes from the Kerberos ticket, not from this element
- authentication: use GSSAPI
- saslQop (optional): the desired quality of protection, allowed values are:
  - auth (default value)
  - auth-int
  - auth-conf
Example:
<ldapConnection>
  <name>adsamba4-conn</name>
  <url>ldaps://pdc.example.org:636/dc=ad,dc=example,dc=org</url>
  <username>adminlsc@EXAMPLE.ORG</username>
  <password>not_really</password>
  <authentication>GSSAPI</authentication>
  <referral>IGNORE</referral>
  <derefAliases>NEVER</derefAliases>
  <version>VERSION_3</version>
  <pageSize>1000</pageSize>
  <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
  <tlsActivated>false</tlsActivated>
  <saslQop>auth</saslQop>
</ldapConnection>
Kerberos init
Obtain a Kerberos ticket for the principal configured above:
kinit adminlsc@EXAMPLE.ORG
You can also load the principal from a keytab.
Run LSC
You can now run LSC; it will authenticate through Kerberos.
If you need to debug, set these additional Java options:
-Dsun.security.jgss.debug=true
-Dsun.security.krb5.debug=true
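As an added preflight check (not part of LSC or of this page), the following Python script validates an ldapConnection block against the rules above (GSSAPI authentication, uppercase realm, allowed saslQop values) and confirms that JAVA_OPTS carries the useSubjectCredsOnly flag; the sample block embedded in it is a constructed copy of the example above. It also flags a plain ldap:// URL that has neither tlsActivated nor saslQop auth-conf, since such a connection leaves directory traffic unencrypted.

```python
import re
import xml.etree.ElementTree as ET

ALLOWED_QOP = {"auth", "auth-int", "auth-conf"}
SUBJECT_CREDS_FLAG = "-Djavax.security.auth.useSubjectCredsOnly=false"

# Constructed sample: the <ldapConnection> block from the example above, as it appears in lsc.xml.
SAMPLE_CONN = """<ldapConnection>
  <name>adsamba4-conn</name>
  <url>ldaps://pdc.example.org:636/dc=ad,dc=example,dc=org</url>
  <username>adminlsc@EXAMPLE.ORG</username>
  <password>not_really</password>
  <authentication>GSSAPI</authentication>
  <tlsActivated>false</tlsActivated>
  <saslQop>auth</saslQop>
</ldapConnection>"""


def check_ldap_connection(xml_text):
    """Return a list of findings; an empty list means the block follows the GSSAPI rules."""
    conn = ET.fromstring(xml_text)

    def text(tag):
        return (conn.findtext(tag) or "").strip()

    findings = []
    if text("authentication") != "GSSAPI":
        findings.append("authentication must be GSSAPI")
    match = re.fullmatch(r"([^@\s]+)@([^@\s]+)", text("username"))
    if not match:
        findings.append("username must be of the form principal@REALM")
    elif match.group(2) != match.group(2).upper():
        findings.append("realm '%s' must be uppercase" % match.group(2))
    qop = text("saslQop") or "auth"  # auth is the documented default
    if qop not in ALLOWED_QOP:
        findings.append("saslQop '%s' is not one of %s" % (qop, sorted(ALLOWED_QOP)))
    # Plain ldap:// with no StartTLS and no auth-conf: directory traffic is sent in clear.
    if text("url").startswith("ldap://") and text("tlsActivated").lower() != "true" and qop != "auth-conf":
        findings.append("ldap:// without tlsActivated or saslQop auth-conf: traffic is not encrypted")
    return findings


def check_java_opts(java_opts):
    """Verify that the JVM flag required for GSSAPI with a kinit ticket is present in JAVA_OPTS."""
    if SUBJECT_CREDS_FLAG in java_opts.split():
        return []
    return ["JAVA_OPTS is missing %s" % SUBJECT_CREDS_FLAG]


if __name__ == "__main__":
    import os
    for finding in check_ldap_connection(SAMPLE_CONN) + check_java_opts(os.environ.get("JAVA_OPTS", "")):
        print("WARNING:", finding)
```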
This documentation was written thanks to Francesco Malvezzi (http://lists.lsc-project.org/pipermail/lsc-users/2013-December/001687.html) and Franck Rakotonindrainy (http://lists.lsc-project.org/pipermail/lsc-users/2015-June/002607.html).