A sample Kerberos project using ApacheDS directory service.
You should have git installed:

```
$ git clone git://github.com/mauiroma/kerberos-using-apacheds.git
```

Forked from:

```
$ git clone git://github.com/kwart/kerberos-using-apacheds.git
```
You need to have Maven installed:

```
$ cd kerberos-using-apacheds
$ mvn clean package
```

Launch the generated JAR file. You can pass LDIF files as program arguments; their entries are loaded into the directory (and so become available to the KDC) when the server starts:

```
$ java -jar target/kerberos-using-apacheds.jar test.ldif
```
You can use the property `${hostname}` in the LDIF file; it is replaced by the canonical server host name. This matters for service principals such as `HTTP/<host>`: a browser asks the KDC for a ticket for the host name it actually connects to, so the host part of the principal has to match that name.

```
dn: uid=HTTP,ou=Users,dc=jboss,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: HTTP
sn: Service
uid: HTTP
userPassword: httppwd
krb5PrincipalName: HTTP/${hostname}@JBOSS.ORG
krb5KeyVersionNumber: 0
```

Note that `userPassword` values are stored in cleartext in the LDIF file. That is fine for a throw-away test KDC, but keep such files (and the passwords in them) away from any real realm.
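The following is an added example, not code from the kerberos-using-apacheds project: it renders the `${hostname}` placeholder the way the server does and then checks the `krb5kdcentry` objects for the mistakes that make SPNEGO fail silently (wrong realm, an unrendered placeholder, a service principal whose host part is not the canonical host name, no `userPassword` to derive keys from). The LDIF text is constructed for the example; the `HTTP` entry mirrors the README, the `remote` entry is an assumed second service principal that deliberately hard-codes `localhost`, and the realm `JBOSS.ORG` is assumed from the README.

```python
"""Render a ${hostname} LDIF template and sanity-check its Kerberos entries.

Added example, not code from the kerberos-using-apacheds project. The LDIF
text is constructed for this example (the HTTP entry mirrors the README, the
`remote` entry is an assumed second service principal); the realm is assumed
to be JBOSS.ORG as in the README.
"""
import socket

REALM = "JBOSS.ORG"

# Constructed template: one correct service principal and one that hard-codes
# "localhost" instead of using ${hostname}.
LDIF_TEMPLATE = """\
dn: uid=HTTP,ou=Users,dc=jboss,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: HTTP
sn: Service
uid: HTTP
userPassword: httppwd
krb5PrincipalName: HTTP/${hostname}@JBOSS.ORG
krb5KeyVersionNumber: 0

dn: uid=remote,ou=Users,dc=jboss,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: remote
sn: Service
uid: remote
userPassword: remotepwd
krb5PrincipalName: remote/localhost@JBOSS.ORG
krb5KeyVersionNumber: 0
"""


def render(template, hostname=None):
    """Replace ${hostname} with the canonical host name (socket.getfqdn() by default)."""
    if hostname is None:
        hostname = socket.getfqdn()
    return template.replace("${hostname}", hostname)


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, one `attr: value` per line.
    Returns a list of dicts mapping attribute -> list of values (no base64 or continuation lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_kdc_entries(entries, hostname, realm=REALM):
    """Return a list of problems with the krb5kdcentry objects; an empty list means the
    LDIF is usable for SPNEGO against `hostname`. Checks: realm, unrendered placeholder,
    service host part equal to the canonical host name, and a userPassword to derive keys from."""
    problems = []
    for entry in entries:
        if "krb5kdcentry" not in entry.get("objectClass", []):
            continue
        if "userPassword" not in entry:
            problems.append(f"{entry.get('dn', ['?'])[0]}: no userPassword to derive Kerberos keys from")
        for name in entry.get("krb5PrincipalName", []):
            local, _, name_realm = name.rpartition("@")
            if name_realm != realm:
                problems.append(f"{name}: realm is not {realm}")
            if "${" in name:
                problems.append(f"{name}: unrendered placeholder")
                continue
            if "/" in local:
                host = local.split("/", 1)[1]
                if host != hostname:
                    problems.append(f"{name}: host part {host!r} is not the canonical host {hostname!r}")
    return problems


if __name__ == "__main__":
    rendered = render(LDIF_TEMPLATE, "kdc.example.org")
    for problem in check_kdc_entries(parse_ldif(rendered), "kdc.example.org"):
        print("WARN", problem)
```

Run against the constructed template with host `kdc.example.org`, the checker accepts the `HTTP` entry and flags only `remote/localhost@JBOSS.ORG`; run against the unrendered template it flags the placeholder, which is exactly what you would see if the LDIF were loaded by a tool that does not perform the `${hostname}` substitution.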
The server binds to `localhost` by default. If you want to change it, set the Java system property `kerberos.bind.address`:

```
$ java -Dkerberos.bind.address=192.168.0.1 -jar target/kerberos-using-apacheds.jar test.ldif
```

Binding to a non-loopback address exposes a KDC populated with the well-known test passwords from your LDIF to the whole network segment, so only do this on an isolated lab network.
When launched, the application generates a simple `krb5.conf` file in the current directory. If you want to use another file, specify the `kerberos.conf.path` system property:

```
$ java -Dkerberos.conf.path=./krb5.conf -jar target/kerberos-using-apacheds.jar test.ldif
```
Either configure the JBOSS.ORG realm in `/etc/krb5.conf`, or point the `KRB5_CONFIG` environment variable at an alternative file (for example the generated one):

```
$ export KRB5_CONFIG=/tmp/krb5.conf
```

Authenticate as a sample user from your LDIF file (`test.ldif`):

```
$ kinit [email protected]
Password for [email protected]: password
```
Verify the issued ticket (the TGT in your credential cache):

```
$ klist
```

Remove the issued ticket by destroying the credential cache:

```
$ kdestroy
```
To stop a running server, use the `stop` command line argument:

```
$ java -jar target/kerberos-using-apacheds.jar stop
```
The project contains a simple Kerberos keytab generator. Run it without arguments to print its usage:

```
$ java -classpath kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab
Kerberos keytab generator
-------------------------
Usage:
java -classpath target/kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab <principalName> <passPhrase> [<principalName2> <passPhrase2> ...] <outputKeytabFile>
```

Create keytabs for the service principals. The pass phrase must be the same as the `userPassword` of that principal in the LDIF, otherwise the key in the keytab will not match the key the KDC derives from the directory entry:

```
$ java -classpath target/kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab HTTP/[email protected] httppwd http.keytab
Keytab file was created: $PWD/http.keytab
$ ktutil -k http.keytab list
$ java -classpath target/kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab remote/[email protected] remotepwd remote.keytab
Keytab file was created: $PWD/remote.keytab
$ ktutil -k remote.keytab list
```

`ktutil -k <file> list` is the Heimdal syntax; with MIT Kerberos use `klist -k -e http.keytab` instead. A keytab is equivalent to the principal's password: keep it readable only by the account that runs the service (mode 0600) and do not commit it to the repository.
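To make clear what a keytab actually holds (and therefore why it must be protected like a password), here is an added example that writes and lists keytab files in the MIT/Heimdal version-2 format. It is not code from the kerberos-using-apacheds project or from the `CreateKeytab` class; it stands in for `ktutil -k x.keytab list` / `klist -k -e` without needing Kerberos installed. The principals `HTTP/kdc.example.org@JBOSS.ORG` and `remote/kdc.example.org@JBOSS.ORG`, the kvno values, the timestamp and the key bytes are constructed for the example; the keys are dummies, not keys derived from the README's pass phrases.

```python
"""Write and list keytab files in the MIT/Heimdal version-2 format (magic 0x0502).

Added example, not code from the kerberos-using-apacheds project: a stand-in
for `ktutil -k x.keytab list` / `klist -k -e` that also shows what a keytab
contains. The principals, kvnos, timestamp and key bytes below are constructed
dummies, not keys derived from the README's pass phrases.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(raw):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def write_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes, timestamp)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        local, realm = principal.rsplit("@", 1)
        components = local.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # size excludes the size field itself
    return bytes(out)


def read_keytab(data):
    """Parse a v2 keytab; a negative entry size marks a deleted slot, which is skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        value = bytes(data[pos:pos + n])
        pos += n
        return value

    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        components = [counted().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "kvno": kvno, "enctype": enctype, "key": key, "timestamp": timestamp,
        })
    return entries


def list_keytab(data):
    """One line per entry in the spirit of `klist -k -e`; key material is never printed."""
    return [
        f"{e['kvno']:4d} {e['principal']} ({ENCTYPE_NAMES.get(e['enctype'], e['enctype'])})"
        for e in read_keytab(data)
    ]


# Constructed sample: the two README-style service principals with dummy keys.
SAMPLE_KEYTAB = write_keytab([
    ("HTTP/kdc.example.org@JBOSS.ORG", 1, 18, bytes(range(32)), 1700000000),
    ("remote/kdc.example.org@JBOSS.ORG", 2, 17, bytes(16), 1700000000),
])

if __name__ == "__main__":
    print("\n".join(list_keytab(SAMPLE_KEYTAB)))
```

The point of the listing function is that the raw key sits in the file next to the principal name: anyone who can read `http.keytab` can impersonate the `HTTP` service (and decrypt its tickets) without ever learning `httppwd`.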
Deploy the demo application to JBoss EAP 7.2 (`$EAP72_HOME` points at the EAP installation). `standalone.sh` runs in the foreground, so start it in a separate terminal; the CLI script and the deployment need the server to be running:

```
cp krb5.conf http.keytab remote.keytab $EAP72_HOME/standalone/
$EAP72_HOME/bin/standalone.sh
cd demo-app
$EAP72_HOME/bin/jboss-cli.sh -c --file=jboss-cli-command.cli
mvn clean package
mv target/spnego-demo.war $EAP72_HOME/standalone/deployments/
sh ./run-browser.sh
```
The browser uses the system `krb5.conf`, so copy the generated `krb5.conf` into the `/etc/` directory (keeping a backup of the original):

```
sudo cp /etc/krb5.conf /etc/krb5.conf_ORIGINAL
sudo cp krb5.conf /etc/
```
The script `run-browser.sh` opens a Chrome instance with all required settings applied. In Firefox the same trust settings are made by hand: go to `about:config` and edit the following items:

```
network.negotiate-auth.trusted-uris = localhost
network.automatic-ntlm-auth.trusted-uris = localhost
```
If you ran `kinit` as the `tstark` user, you can view the marvel page but not the dccomics page; if you ran it as the `bwayne` user, you can view the dccomics page but not the marvel page.

If you did not authenticate with Kerberos (no ticket in the cache, or the host is not in the browser's trusted list), the security setup falls back to BASIC authentication and the browser prompts for credentials. Note that BASIC sends the password base64-encoded in every request, so this fallback is acceptable only over TLS or, as here, for a local demo.