I configured WebSphere full profile (8.5.5.4) to log in with the LDAP registry and configured the authentication and expiration mechanism as "Kerberos and LTPA".
Authentication works, but when I try to execute a request in LDAP with the current user, I get this exception:
An exception:
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure, unspecified at GSSAPI level minor string: Error: java.lang.Exception: Error: com.ibm.security.krb5.internal.KrbException, status code: 41 message: Message stream modified]]
Kerberos debug log:
[KRB_DBG_KDC] KrbKdcRep:SoapConnectorThreadPool : 0: WebContainer : 3 >>> KrbKdcRep renewable option does not match: false - true
(When I remove the "renewable" option from krb.conf, I cannot authenticate with websphere.)
Servlet:

    import java.io.IOException;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.ibm.websphere.security.auth.WSSubject;
    import com.ibm.wsspi.security.auth.callback.WSCallbackHandlerFactory;
    import com.ibm.wsspi.security.auth.callback.WSCallbackHandlerImpl;

    public class LoginServlet extends HttpServlet {

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String user = request.getParameter("user");
            String pass = request.getParameter("pass");
            try {
                WSCallbackHandlerFactory factory = WSCallbackHandlerFactory.getInstance();
                // Log in through the WebSphere "system.DEFAULT" JAAS configuration
                // with the user's credentials for realm DOCKER.BC.
                WSCallbackHandlerImpl wsCallbackHandler =
                        new WSCallbackHandlerImpl(user, "DOCKER.BC", pass);
                LoginContext loginCtx = new LoginContext("system.DEFAULT", wsCallbackHandler);
                loginCtx.login();
                Subject subject = loginCtx.getSubject();
                WSSubject.setRunAsSubject(subject);

                // Run the LDAP lookup as the authenticated subject; the GSSAPI bind
                // inside LdapSeedAction is where the exception above is raised.
                String seed = Subject.doAs(subject,
                        new LdapSeedAction("CN=root,CN=Users,DC=docker,DC=bc"));
                WSSubject.setRunAsSubject(subject);
                // ... (the remainder of the original method was cut off in the question)
            } catch (Exception e) {
                // LoginException from login(), WSSecurityException from setRunAsSubject(),
                // or the RuntimeException wrapping the naming failure from the action.
                throw new ServletException(e);
            }
        }
    }
LDAP search action:

    import java.util.Hashtable;
    import java.util.ResourceBundle;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class LdapSeedAction implements java.security.PrivilegedAction<String> {

        private static ResourceBundle resourceBundle = ResourceBundle.getBundle("ad-ldap");
        private static final String SEED_ATTRIBUTE = "seed";
        private static final String HOST = resourceBundle.getString("HOSTS");
        private static final String LDAP_BASE_DN = resourceBundle.getString("LDAP_BASE_DN");
        private static final String LDAP_USERS_BASE = resourceBundle.getString("LDAP_USERS_BASE");

        private String distinguishedName;

        public LdapSeedAction(String distinguishedName) {
            this.distinguishedName = distinguishedName;
        }

        private String getProviderUrl() {
            return "ldap://" + HOST + ":389/" + LDAP_BASE_DN;
        }

        public String run() {
            String seed = null;
            Hashtable<String, String> env = new Hashtable<String, String>(5);
            String url = getProviderUrl();
            String INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
            env.put(Context.INITIAL_CONTEXT_FACTORY, INITIAL_CONTEXT_FACTORY);
            env.put(Context.PROVIDER_URL, url);
            // The rest of run() was cut off in the question. The lines below are the
            // standard JNDI continuation (GSSAPI bind using the Kerberos credentials of
            // the Subject this action runs under, then read one attribute of the DN)
            // and are assumed, not the original code.
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            DirContext ctx = null;
            try {
                // The GSSAPI bind happens here; this is where AuthenticationException surfaces.
                ctx = new InitialDirContext(env);
                Attributes attrs = ctx.getAttributes(distinguishedName, new String[] { SEED_ATTRIBUTE });
                Attribute attr = attrs.get(SEED_ATTRIBUTE);
                if (attr != null) {
                    seed = (String) attr.get();
                }
            } catch (NamingException e) {
                // PrivilegedAction.run() cannot throw checked exceptions.
                throw new RuntimeException(e);
            } finally {
                if (ctx != null) {
                    try { ctx.close(); } catch (NamingException ignored) { }
                }
            }
            return seed;
        }
    }
/etc/krb5.conf:

    [libdefaults]
        default_realm = DOCKER.BC
        default_checksum = rsa-md5
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = rc4-hmac,des-cbc-md5,des-cbc-crc
        default_tgs_enctypes = rc4-hmac,des-cbc-md5,des-cbc-crc
        forwardable = true
        renewable = true
        noaddresses = true
        clockskew = 300

    [realms]
        DOCKER.BC = {
            kdc = samba
            admin_server = samba
            default_domain = samba
        }

    [domain_realm]
        .docker.bc = DOCKER.BC
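The krb5.conf above is worth a configuration review on its own, independently of the "renewable option does not match" error: single-DES enctypes were withdrawn from Kerberos by RFC 6649, RC4-HMAC and triple-DES by RFC 8429, and rsa-md5 is an MD5-based checksum type. The script below is an added example, not part of the question or of WebSphere; it parses the krb5.conf profile format (sections, key = value lines, and one level of braced realm blocks) and reports those settings plus the client-side renewable flag, so the requested flags can be compared with what the KDC actually grants. The embedded SAMPLE_KRB5_CONF is a constructed copy of the file shown in the question, and the weak-algorithm lists are the script's own assumption of what to flag.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a copy of the krb5.conf posted in the question.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = DOCKER.BC
    default_checksum = rsa-md5
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = rc4-hmac,des-cbc-md5,des-cbc-crc
    default_tgs_enctypes = rc4-hmac,des-cbc-md5,des-cbc-crc
    forwardable = true
    renewable = true
    noaddresses = true
    clockskew = 300

[realms]
    DOCKER.BC = {
        kdc = samba
        admin_server = samba
        default_domain = samba
    }

[domain_realm]
    .docker.bc = DOCKER.BC
"""

# Enctypes withdrawn from the protocol (assumed list): single DES (RFC 6649),
# triple DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-cbc-sha1-kd",
    "rc4-hmac", "rc4-hmac-exp", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}
# Checksum types built on CRC32 / MD4 / MD5 (assumed list).
WEAK_CHECKSUMS = {"crc32", "rsa-md4", "rsa-md5"}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser for the krb5.conf profile format: [section] headers,
    key = value lines, and one level of braced subsections (REALM = { ... }).
    Comments starting with # or ; and blank lines are skipped. This is not the
    full MIT profile grammar (no nested braces beyond one level, no '*' keys)."""
    sections: Dict[str, Dict[str, object]] = {}
    stack: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"setting before any [section]: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub: Dict[str, object] = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    return sections


def audit_krb5_conf(conf: Dict[str, Dict[str, object]]) -> List[str]:
    """Return human-readable findings for the [libdefaults] section."""
    findings: List[str] = []
    lib = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        value = lib.get(key)
        if isinstance(value, str):
            weak = [e for e in re.split(r"[,\s]+", value) if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings.append(f"{key}: deprecated enctypes {', '.join(weak)}")
    checksum: Optional[object] = lib.get("default_checksum")
    if isinstance(checksum, str) and checksum.lower() in WEAK_CHECKSUMS:
        findings.append(f"default_checksum: {checksum} is a CRC/MD4/MD5-based checksum type")
    if str(lib.get("renewable", "false")).lower() == "true":
        findings.append("renewable = true: the client requests renewable tickets; compare with the "
                        "KDC's ticket policy when 'renewable option does not match' is logged")
    return findings


if __name__ == "__main__":
    for finding in audit_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(finding)
```

Run against the sample, the script reports the two enctype lists, the MD5 checksum, and the renewable flag; a file that lists only AES enctypes and leaves the other settings at their defaults produces no findings.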