here is the full code which i am using to perfomr the search
Hiii, i am trying to perfomr ldap serach, when i logged into ldap using kerberos, and tried to perform the search i get this error message,
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.s
asl.SaslException: GSS initiate failed [Caused by GSSException: No valid credent
ials provided (Mechanism level: KDC has no support for encryption type (14))]]
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
kindly find below my code and conf files
/-- Krb5.conf
[libdefaults]
default_realm = FGB.AE
[kadmin]
default_keys = v5 arcfour-hmac-md5
[realms]
FGB.AE = {
kdc = administrator
kdc = 172.20.10.9
admin_server = administrator
default_domain = FGB.AE
}
[domain_realm]
.fgb.ae = FGB.AE
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
--//
//-- Jaas.conf
GssConf
{com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true;};
LoginJaas
{com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true;};
--//
[b]//-- LoginJaas.java
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchResult;
//import principal.JaasRolePrincipal;
import com.sun.security.auth.callback.TextCallbackHandler;
import java.security.PrivilegedAction;
public class LoginJaas {
public static void main(String[] args) throws Exception {
System.setProperty("java.security.auth.login.config", "Jaas.conf");
System.setProperty("java.security.krb5.conf", "krb5.conf");
LoginContext lc = null;
//lc = new LoginContext("LoginJaas", new com.sun.security.auth.callback.TextCallbackHandler());
//lc.login();
System.out.println(lc.getSubject());
samaccountname();
lc.logout();
}
public static void samaccountname(){
actions pSA = new actions();
pSA.search("f3482","sAMAccountName");
if (searchLDAP.modException != null){
System.out.print(searchLDAP.modException);
}
}
}
--//[/b]
[b]//-- actions.java
import javax.security.auth.Subject;
public class actions {
KerberosaAuth pKA = new KerberosaAuth();
public String search(String sUserName, String sFilter){
pKA.KerberosAuth();
String sTRDN = sUserName;
String sResults = new String();
sResults = (Subject.doAs(pKA.lc.getSubject(), new searchLDAP(sTRDN, sFilter)).toString());
return sResults;
}
}
--//[/b]
[b]//- KerberosaAuth.java
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;
public class KerberosaAuth {
/********************************************************
*Kerberos Authentication
*********************************************************/
LoginContext lc = null;
public void KerberosAuth() {
/*java.util.Properties p =
new java.util.Properties(System.getProperties());
//p.setProperty("java.security.krb5.realm", "fgb.ae");
//p.setProperty("java.security.krb5.kdc", "FGBDC1.fgb.ae");
//p.setProperty("java.security.auth.login.config", (getClass().getResource("Jaas.conf")).toString());*/
System.setProperty("java.security.auth.login.config", "Jaas.conf");
System.setProperty("java.security.krb5.conf", "krb5.conf");
//System.setProperties(p);
try {
lc =
new LoginContext("GssConf",new TextCallbackHandler());
// Attempt authentication
lc.login();
System.out.println(lc.getSubject());
} catch (LoginException le) {
System.err.println("Authentication attempt failed: " + le);
System.exit(-1);
}
}
}
--//[/b]
[b]//-- searchLDAP.java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
class searchLDAP implements java.security.PrivilegedAction {
private static Matcher mGMatch;
private static Pattern pGPattern;
private static String sGDesc = new String();
private static String sRegex = ",DC=fgb,DC=ae";
private static String sGRegex = ",OU=fgb,OU=HO";
private static String ssGRegex = "CN=Users";
private static String sReplace = "";
public String sTRUN = new String();
public String sFilter = new String();
public static String sName = new String();
private static final long serialVersionUID = 1-1;
public static String sResults = new String();
public static String ssResults = new String();
public static String sUserAttrib = "";
public static String modException;
public String sTRDN = new String();
public String sErrorResult = new String();
public static String[] sAttrIDs;
public static String sSAMField = new String();
public static String sNameField = new String();
public static String sDepartmentField = new String();
public static String sMailField = new String();
public static String sIsAccountLockedField = new String();
public static String sEmployeeIDField = new String();
public searchLDAP(String ssTRDN, String ssFilter) {
sTRDN = ssTRDN;
sFilter = ssFilter;
}
public Object run() {
performSearch(sTRDN,sFilter);
return sResults;
}
private void performSearch(String sTRDN, String sFilter) {
/* Specify the ids of the attributes to return */
sAttrIDs = new String[6];
sAttrIDs [ 0 ] = "sAMAccountName";
sAttrIDs [ 1 ] = "department";
sAttrIDs [ 2 ] = "mail";
sAttrIDs [ 3 ] = "employeeID" ;
sAttrIDs [ 4 ] = "displayName";
sAttrIDs [ 5 ] = "IsAccountLocked";
String[] sGAttrIDs = {"description"};
String[] ssGAttrIDs = new String [ 3 ];
ssGAttrIDs [ 0 ] = "memberOf";
ssGAttrIDs [ 1 ] = "userAccountControl";
ssGAttrIDs [ 2 ] = "sAMAccountName";
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL,"ldap://FGBDC1.fgb.ae:389");
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
env.put("javax.security.sasl.server.authentication", "true");
String filter = "(&("+ sFilter+"=" + sTRDN + ")(!(objectclass=computer)))";
modException = null;
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
//constraints.setReturningAttributes(sAttrIDs);
constraints.setTimeLimit( 6000 );
constraints.setDerefLinkFlag( false );
constraints.setReturningObjFlag( false );
try {
/* Create initial context */
sName = null;
ssResults = null;
modException = null;
DirContext ctx = new InitialDirContext(env);
NamingEnumeration answer = ctx.search ("OU=Departments", filter , constraints );
while (answer != null && answer.hasMore()) {
/* return the partially qualified name CN="", OU="" */
SearchResult nextEntry = ( SearchResult )answer.next();
sName = (nextEntry.getName());
ssResults = sName;
Attributes aAnswer = ctx.getAttributes(sName + ",OU=Departments",sAttrIDs);
if (sTRDN.contains("*")){
}else{
int numLabels = sAttrIDs.length;
for (int i = 0; i < numLabels; i++) {
if ((aAnswer.get(sAttrIDs[i])) != null) {
sAttrIDs[i]=(aAnswer.get(sAttrIDs[i]).get().toString());
}
}
if (sAttrIDs[3].contains("employeeID")){
sAttrIDs[3]="";
}
if (sAttrIDs[5].contains("IsAccountLocked")){
sAttrIDs[5]="";
}
}
try {
Attributes aGAnswer = ctx.getAttributes(sName + ",OU=Departments",ssGAttrIDs);
if (aGAnswer.toString().contains("514")){
sResults = ((aAnswer.get("sAMAccountName").get()) + " , " + "*******ACCOUNT IS LOCKED*******");
System.out.println(sResults + '\n');
if (sTRDN.contains("*")){
}else{
sAttrIDs[5] = "ACCOUNT IS LOCKED";
}
}else{
sResults = (sName);
}
Attribute amemberOf = aGAnswer.get("memberOf");
if (amemberOf != null){
/* print each value */
NamingEnumeration eGroup = amemberOf.getAll();
while (eGroup.hasMore()) {
sGDesc = (eGroup.nextElement().toString());
pGPattern = Pattern.compile(sGRegex);
mGMatch = pGPattern.matcher(sGDesc);
while(mGMatch.find()) {
pGPattern = Pattern.compile(sRegex);
mGMatch = pGPattern.matcher(sGDesc);
sGDesc = mGMatch.replaceAll(sReplace);
Attributes aGroup = ctx.getAttributes(sGDesc, sGAttrIDs);
/* "sDesc" is the description of the group */
String sDesc = (aGroup.get("description").get().toString());
/* The following replaces the distinguished name "SGDesc" with the cn for display*/
pGPattern = Pattern.compile(ssGRegex);
mGMatch = pGPattern.matcher(sGDesc);
sGDesc = mGMatch.replaceAll(sReplace);
pGPattern = Pattern.compile(sGRegex);
mGMatch = pGPattern.matcher(sGDesc);
sGDesc = mGMatch.replaceAll(sReplace);
System.out.println(sGDesc +": "+ " (" + sDesc + " )");
}
}
}
} catch (NamingException le) {
modException = (le.toString());
sErrorResult = modException;
}
System.out.println(sName + ": "+'\n'+ "Authorization Groups: ");
if (sTRDN.contains("*")){
NamingEnumeration enumUserInfo = aAnswer.getAll();
while(enumUserInfo.hasMoreElements()) {
sResults = (enumUserInfo.nextElement().toString());
System.out.println(sResults);
}
}
}
/***************************************************/
} catch (NamingException e)
{/* open catch */
modException = (e.toString());
sErrorResult = modException;
}/* close catch */
/***************************************************/
}
}
--//[/b]
Can anyone help me
kindly find the full output when i am tryinbg to run my program
/-
C:\PROGRA~1\Java\jdk1.5.0_06\bin>java LoginJaas
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt fa
lse ticketCache is null KeyTab is null refreshKrb5Config is false principal is n
ull tryFirstPass is false useFirstPass is false storePass is false clearPass is
false
Acquire TGT from Cache
Principal is F3482@FGB.AE
Commit Succeeded
Subject:
Principal: F3482@FGB.AE
Private Credential: Ticket (hex) =
0000: 61 82 03 8E 30 82 03 8AA0 03 02 01 05 A1 08 1B a...0...........
0010: 06 46 47 42 2E 41 45 A21B 30 19 A0 03 02 01 02 .FGB.AE..0......
0020: A1 12 30 10 1B 06 6B 7262 74 67 74 1B 06 46 47 ..0...krbtgt..FG
0030: 42 2E 41 45 A3 82 03 5A30 82 03 56 A0 03 02 01 B.AE...Z0..V....
0040: 17 A1 03 02 01 02 A2 8203 48 04 82 03 44 39 CA .........H...D9.
0050: A8 98 91 28 3D E2 46 A5DF 23 68 89 A6 A5 05 9A ...(=.F..#h.....
0060: CF 54 5F D6 99 97 1B D181 3E 1F 1D 24 CC 19 8E .T_......>..$...
0070: 32 12 FE F7 99 A8 E8 9F00 29 51 D9 63 83 80 96 2........)Q.c...
0080: 21 9D FE E3 40 32 7A 992D 19 1B E2 8C 07 BD C3 !...@2z.-.......
0090: A0 83 13 A6 23 45 97 6F2F 1E 2D 87 51 7D 90 2E ....#E.o/.-.Q...
00A0: AB 32 55 89 53 CD 03 59D3 68 44 45 A0 9B 1D 98 .2U.S..Y.hDE....
00B0: 7B D2 C5 14 FC 8A 48 18C2 17 1F 3C 22 C9 9E A9 ......H....<"...
00C0: B7 83 06 BA 44 6E 58 8D4A A9 95 5F F7 B2 CF 6C ....DnX.J.._...l
00D0: DE 8F AF 05 26 62 58 9026 38 36 C1 69 15 F9 31 ....&bX.&86.i..1
00E0: 63 27 1F 3D FE 14 E5 1F35 AD 2C 3D 1C AC 1D F8 c'.=....5.,=....
00F0: DB 2D FB 4D 05 C4 98 E455 9D BC 5A 21 A2 D2 D0 .-.M....U..Z!...
0100: 0C 02 F8 83 2F CA CF 2DB5 9B 53 3A 74 DC 23 4E ..../..-..S:t.#N
0110: D9 2D 3F 38 53 EF 32 7B12 8B E0 58 2C AE F4 00 .-?8S.2....X,...
0120: A8 87 1C 44 C4 F2 BA 094D 18 FE 7D 78 69 C4 2A ...D....M...xi.*
0130: 6D 3E EB 15 F9 21 01 FA81 18 84 C8 94 0C CD 2C m>...!.........,
0140: 38 DF ED 54 5F 26 6E 1A90 FB 59 E7 F6 52 CE C5 8..T_&n...Y..R..
0150: 79 49 6D 50 E0 CE 62 B02D 2D A8 AF 3A 21 16 DD yImP..b.--..:!..
0160: 52 97 3A 41 2C 57 8C A5E8 66 CE 01 B8 FC 19 1E R.:A,W...f......
0170: 4A 0F 3F D6 17 7A F0 35A5 21 5A 9A FD D1 94 14 J.?..z.5.!Z.....
0180: 73 2D B2 BF 10 3C 72 FDA6 74 C4 FB 04 5E 11 93 s-...<r..t...^..
0190: 36 F3 95 B5 E1 22 20 4370 A3 C3 90 08 2A D5 54 6...." Cp....*.T
01A0: EF 52 DB C2 7E 4C 98 E559 4A FC 03 1F 03 24 4D .R...L..YJ....$M
01B0: 7E 68 BC 09 19 7F 14 C232 CE 81 82 DA AA 77 2D .h......2.....w-
01C0: C0 3B 8D AD BE 71 97 7C53 41 61 45 D0 C9 3A 3E .;...q..SAaE..:>
01D0: FE 60 B2 9E 17 80 F3 BD05 C3 FD 93 E6 D8 8E FF .`..............
01E0: C2 4B 3F B1 74 0F D9 832D 37 B8 92 50 11 C7 92 .K?.t...-7..P...
01F0: 42 02 81 17 4B 48 19 C259 4A FA 5B C2 E0 D6 09 B...KH..YJ.[....
0200: BE E9 45 72 6E ED 41 51D7 CD C8 B2 0E 5E 6A 40 ..Ern.AQ.....^j@
0210: A7 AB DF 16 CC 0F FA 9746 7F AB 45 A1 D9 7C 9B ........F..E....
0220: 1F 5A 8D 46 32 60 1C 1FEF 4B CD C5 F6 C4 16 4C .Z.F2`...K.....L
0230: 96 BF C8 EF 95 54 19 BDB7 C3 AF 6B 80 7A 06 3F .....T.....k.z.?
0240: 1D FE 95 B7 45 FE D3 619C 86 D1 50 48 24 89 B2 ....E..a...PH$..
0250: 6D D9 73 47 EF B1 5C D5CF A8 5D C7 20 70 FD 31 m.sG..\...]. p.1
0260: 5A D2 1B F8 58 D7 28 92AD CF 20 F3 D1 2A DD DB Z...X.(... ..*..
0270: 2E 79 AC DB E0 04 CC 8016 2B 07 8F F3 A7 BA 32 .y.......+.....2
0280: 53 42 98 45 95 E2 F1 E301 8F 62 58 0F 38 55 C8 SB.E......bX.8U.
0290: 77 B2 93 B5 CB 7F AE 0C84 96 FB 20 FE 59 50 D3 w.......... .YP.
02A0: 22 00 DE 73 E1 61 B4 4C33 B2 E5 E7 13 DA 40 E1 "..s.a.L3.....@.
02B0: 1B 3D 12 12 16 15 63 96AA C7 D4 A5 49 15 83 9E .=....c.....I...
02C0: BE 7C 29 97 39 F7 F4 8D67 9C 66 9A 9D 5F 40 65 ..).9...g.f.._@e
02D0: 85 DC 52 AC 11 97 F1 D2D4 53 E8 B2 E3 B7 01 AA ..R......S......
02E0: 38 F4 D8 62 AD 4E EE 2EA5 3A 24 B4 BA B9 0F 1C 8..b.N...:$.....
02F0: 17 31 0E 05 1A DC 54 8F33 6C 26 8F 82 39 0E 3F .1....T.3l&..9.?
0300: 04 38 E0 74 4F 2C DF 219F 0C 66 23 7E 92 4C 15 .8.tO,.!..f#..L.
0310: 42 1A D3 A8 9D 06 54 E90B 54 05 D5 54 BF 86 E8 B.....T..T..T...
0320: 4D 61 2B E9 29 D8 C1 BDEC 4E D2 A4 65 0F F1 EF Ma+.)....N..e...
0330: 93 D2 CD A0 40 F0 48 45DA D6 5A 7A 3F 69 1C 09 ....@.HE..Zz?i..
0340: 95 7B F7 01 4C 5E F8 2442 B6 05 4B 98 1F C4 47 ....L^.$B..K...G
0350: F5 77 3F 3C EE 56 2E A79F FB CA 85 9D CD 45 05 .w?<.V........E.
0360: 53 CF 1A 68 C4 71 76 13B2 39 39 54 65 B1 14 56 S..h.qv..99Te..V
0370: B1 EB F3 1A 0B 5D 32 BB7C 11 F0 A7 C6 0B 82 C3 .....]2.........
0380: 70 4A AC E3 47 C5 5E CF17 B0 A4 60 14 EE 93 9F pJ..G.^....`....
0390: B2 99
Client Principal = F3482@FGB.AE
Server Principal = krbtgt/FGB.AE@FGB.AE
Session Key = EncryptionKey: keyType=0 keyBytes (hex dump)= Empty Key
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Tue Aug 22 12:05:38 GMT+04:00 2006
Start Time = Tue Aug 22 12:05:38 GMT+04:00 2006
End Time = Tue Aug 22 22:05:38 GMT+04:00 2006
Renew Till = Tue Aug 29 12:05:38 GMT+04:00 2006
Client Addresses Null
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.s
asl.SaslException: GSS initiate failed [Caused by GSSException: No valid credent
ials provided (Mechanism level: KDC has no support for encryption type (14))]]
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
//
i am able to authinticate using kerberos but when i tried to search my ldap then it give the error message can anyone help
