Comment: add a warning about KDC spoofing by eavesdropping on packets

...

Warning

The Oracle/OpenJDK Krb5LoginModule does not support verifying the acquired ticket against a keytab, so it does not protect against a spoofed KDC. (The keyTab option of the module supplies a key that is used in place of a password to acquire a ticket; it is not used to verify the ticket, so setting it for password authentication does not make sense.)

If an attacker can eavesdrop on the traffic between the IdP and the KDC, they can forge reply packets from the KDC and trick the IdP into accepting any password. Therefore, if you are using Krb5LoginModule, make sure that the network between the IdP and the KDC is reasonably secure.

Note

Kerberos will return a principal name of the form userid@CAMPUS.EDU (i.e. it includes the realm). This can cause problems if you then pull attributes for that principal out of an LDAP directory, because the directory usually has no indexed attribute of that form. The realm (the @CAMPUS.EDU) therefore needs to be removed from the principal name so that just the userid is left for the directory lookup. Here is one example of how to do this in the attribute resolver configuration.
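The following Java program is an added example; it is not part of the Shibboleth IdP, nor code from this page. It shows, for both notes above, what a deployer would have to do outside Krb5LoginModule: after the password login succeeds, it uses the obtained TGT to request a service ticket for a principal whose key is in the local keytab and accepts that ticket with the keytab key, so an AS-REP forged by a spoofed KDC cannot pass; it then strips the local realm from the authenticated principal name (in Java here rather than in the attribute resolver configuration) to obtain the userid for the directory lookup. The JAAS entry names (UserLogin, ServiceKeytab), the keytab path /etc/krb5.keytab, the service principal host/idp.campus.edu@CAMPUS.EDU and the realm CAMPUS.EDU are assumptions for the example; the JAAS configuration it expects is shown in the leading comment.

```java
// Added example (not Shibboleth or page code). Assumed JAAS configuration, passed with
// -Djava.security.auth.login.config=jaas.conf :
//
//   UserLogin {
//       com.sun.security.auth.module.Krb5LoginModule required;
//   };
//   ServiceKeytab {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useKeyTab=true storeKey=true isInitiator=false
//           keyTab="/etc/krb5.keytab" principal="host/idp.campus.edu@CAMPUS.EDU";
//   };
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class VerifiedKrb5Login {

    // Assumed deployment values; replace with your own.
    static final String REALM = "CAMPUS.EDU";
    static final String SERVICE_HOST = "host@idp.campus.edu"; // GSS host-based form of host/idp.campus.edu
    static final String KRB5_MECH = "1.2.840.113554.1.2.2";   // Kerberos v5 mechanism OID

    /** Password login through Krb5LoginModule. This alone trusts whatever answered the AS-REQ. */
    static Subject loginUser(String user, char[] password) throws Exception {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("UserLogin", handler);
        lc.login();
        return lc.getSubject();
    }

    /** With the user's TGT, obtain a service ticket for SERVICE_HOST and return the AP-REQ token. */
    static byte[] requestServiceTicket(Subject userSubject) throws Exception {
        return Subject.doAs(userSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName peer = gm.createName(SERVICE_HOST, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = gm.createContext(peer, new Oid(KRB5_MECH), null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false); // single token: the AP-REQ carrying the service ticket
            try { return ctx.initSecContext(new byte[0], 0, 0); } finally { ctx.dispose(); }
        });
    }

    /** Accept the AP-REQ with the key from the keytab; no KDC traffic is involved here.
     *  A ticket issued by a spoofed KDC is not encrypted with the real service key, so
     *  acceptSecContext throws GSSException. Returns the authenticated client principal. */
    static String verifyWithKeytab(byte[] apReq) throws Exception {
        LoginContext lc = new LoginContext("ServiceKeytab");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSCredential serverCred = gm.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid(KRB5_MECH), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = gm.createContext(serverCred);
            try {
                ctx.acceptSecContext(apReq, 0, apReq.length);
                if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE);
                return ctx.getSrcName().toString(); // e.g. "jdoe@CAMPUS.EDU"
            } finally { ctx.dispose(); serverCred.dispose(); }
        });
    }

    /** "jdoe@CAMPUS.EDU" -> "jdoe". Only the local realm is stripped: a principal from another
     *  realm is rejected instead of being silently mapped onto a local directory entry. */
    static String localUserId(String principalName) {
        String suffix = "@" + REALM;
        if (!principalName.endsWith(suffix))
            throw new IllegalArgumentException("not a " + REALM + " principal: " + principalName);
        return principalName.substring(0, principalName.length() - suffix.length());
    }

    public static void main(String[] args) throws Exception {
        Subject user = loginUser(args[0], args[1].toCharArray());   // userid and password for the demo
        String verified = verifyWithKeytab(requestServiceTicket(user));
        String loggedIn = user.getPrincipals(KerberosPrincipal.class).iterator().next().getName();
        if (!verified.equals(loggedIn))
            throw new SecurityException("ticket client " + verified + " != login principal " + loggedIn);
        System.out.println("verified userid for LDAP lookup: " + localUserId(verified));
    }
}
```

The check only helps if the keytab really holds the service principal's key and is readable only by the IdP process; if the keytab step is skipped or fails open, the login is back to trusting the network path to the KDC, which is exactly the situation the warning above describes.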

...