This is a quick write-up on using a Kerberos keytab to authenticate the LDAP attribute resolver (the LDAP DataConnector) in IdP 4.0.x,
with a side-by-side comparison against the equivalent configuration for IdP 3.4.x.
Special thanks to Daniel Fisher for making this possible.
The IdP's JVM is started with the following system properties. `javax.security.auth.useSubjectCredsOnly=false` lets the GSS-API layer obtain its initiator credentials through JAAS (the entry in `jaas.conf`) rather than requiring the caller to supply a `Subject`; `java.security.auth.login.config` points at that JAAS file, and `java.security.krb5.conf` at the realm/KDC configuration:

```
-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=${CONF_PATH}/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf
```

Two files differ between v3.4.x and v4.0.x: `jaas.conf` and the LDAP `DataConnector` in `attribute-resolver.xml`. The `Krb5LoginModule` options are identical in both versions; what changes is the name of the JAAS entry the connector looks up, and how GSSAPI is requested on the connector.

jaas.conf, v3.4.x. The entry must be named `com.sun.security.jgss.initiate`, which is the name the JDK's GSS provider looks up for initiator credentials when `useSubjectCredsOnly=false`:

```
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt="true"
    principal="service/shibboleth-xyz@foo.org"
    useKeyTab="true"
    debug="true"
    refreshKrb5Config="true"
    keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};
```

jaas.conf, v4.0.x. Same module and options; the entry is now named `GSSAPIBindRequest`, the name the v4 connector's GSSAPI bind uses:

```
GSSAPIBindRequest {
  com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt="true"
    principal="service/shibboleth-xyz@foo.org"
    useKeyTab="true"
    debug="true"
    refreshKrb5Config="true"
    keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};
```

Two caveats for either version: `debug="true"` makes `Krb5LoginModule` print ticket and key details to stdout, so turn it off once the bind works, and the keytab file holds the service principal's long-term key, so it should be owned by the IdP's service account and readable by nobody else. `refreshKrb5Config="true"` re-reads `krb5.conf` on every login, which is convenient while tuning the realm configuration.

attribute-resolver.xml, v3.4.x. GSSAPI is selected with `authenticationType="GSSAPI"` on the connector and the SASL quality of protection is passed as an `LDAPProperty`; `principal` and `principalCredential` are placeholders because the bind identity comes from the keytab:

```xml
<DataConnector id="suLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    maxResultSize="0"
    principal="UNUSED" principalCredential="UNUSED"
    authenticationType="GSSAPI">
  <FilterTemplate>
    <![CDATA[
      (uid=$requestContext.principalName.replace("@foo.org", ""))
    ]]>
  </FilterTemplate>
  <LDAPProperty name="javax.security.sasl.qop"
```

attribute-resolver.xml, v4.0.x. The `authenticationType` attribute is gone; the SASL mechanism is now set with a `<SASLConfig>` child element. `failFastInitialize="true"` makes the IdP refuse to start if the connector cannot be initialized, so a bad keytab or JAAS entry shows up at startup rather than as failed attribute lookups later:

```xml
<DataConnector id="suLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    maxResultSize="0"
    failFastInitialize="true"
    principal="UNUSED" principalCredential="UNUSED">
  <FilterTemplate>
    <![CDATA[
      (uid=$requestContext.principalName.replace("@stanford.edu", ""))
    ]]>
  </FilterTemplate>
  <SASLConfig mechanism="GSSAPI">
```
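Before pointing the IdP at a keytab, it is worth confirming that the principal named in the JAAS entry is actually present in that keytab with a sane encryption type and that the file is not world-readable; otherwise `failFastInitialize` simply stops the IdP with a GSSAPI error. The script below is an added example written for this page, not Shibboleth IdP code: it parses `Krb5LoginModule` options out of a `jaas.conf` in the layout shown above, decodes an MIT-format (0x0502) keytab, and reports mismatches. The keytab it checks is constructed inline (one AES-256 key plus a stale RC4 key for the same principal, written to a temporary file with group-readable permissions) so the run is self-contained; the `encode_entry` helper exists only to build that sample.

```python
"""Pre-flight check of a jaas.conf Krb5LoginModule entry against its keytab.

Added example; not Shibboleth IdP code. Assumes the one-entry-per-block
jaas.conf layout shown on this page and an MIT keytab in format 0x0502.
"""
import os
import re
import stat
import struct
import tempfile

_ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)   # Name { ... };
_OPT_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')           # key="value"

# aes128/aes256-cts-hmac-sha1-96 and the SHA-2 variants; DES and RC4 are flagged.
STRONG_ENCTYPES = {17, 18, 19, 20}


def parse_jaas(text):
    """Return {entry_name: {option: value}} for every login entry in jaas.conf."""
    return {name: dict(_OPT_RE.findall(body)) for name, body in _ENTRY_RE.findall(text)}


def _counted(data, pos):
    """Read a 16-bit length-prefixed string at pos; return (string, new_pos)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Decode MIT keytab v2 bytes into [(principal, kvno, enctype), ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)   # v2: realm first, not counted in ncomp
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, keylen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + keylen                 # skip the key material itself
        vno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, vno, enctype))
        pos = end
    return entries


def encode_entry(principal, kvno, enctype, key, timestamp=1700000000):
    """Build one keytab entry; used here only to construct the sample keytab."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def check(jaas_text, entry_name, keytab_path=None):
    """Return a list of findings; an empty list means the pair looks usable."""
    opts = parse_jaas(jaas_text).get(entry_name)
    if opts is None:
        return [f"jaas.conf has no entry named {entry_name!r}"]
    findings = []
    if opts.get("useKeyTab", "false").lower() != "true":
        findings.append('useKeyTab is not "true"; the module would prompt or use a ticket cache')
    if opts.get("debug", "false").lower() == "true":
        findings.append('debug="true": Krb5LoginModule prints ticket and key details; disable once working')
    path = keytab_path or opts.get("keyTab", "")
    if not os.path.isfile(path):
        return findings + [f"keytab {path!r} does not exist"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keytab mode {mode:04o} is readable by group/other; make it owner-only")
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    principal = opts.get("principal")
    mine = [e for e in entries if e[0] == principal]
    if not mine:
        findings.append(f"principal {principal!r} not in keytab (keytab has {sorted({e[0] for e in entries})})")
    for _p, kvno, enctype in mine:
        if enctype not in STRONG_ENCTYPES:
            findings.append(f"kvno {kvno} of {principal} uses weak enctype {enctype}")
    return findings


SAMPLE_JAAS = """GSSAPIBindRequest {
  com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt="true" principal="service/shibboleth-xyz@foo.org"
    useKeyTab="true" debug="true" refreshKrb5Config="true"
    keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};
"""


def demo():
    """Run check() against a constructed keytab: AES-256 (kvno 3) plus stale RC4 (kvno 2)."""
    data = (b"\x05\x02"
            + encode_entry("service/shibboleth-xyz@foo.org", 3, 18, b"\x11" * 32)
            + encode_entry("service/shibboleth-xyz@foo.org", 2, 23, b"\x22" * 16))
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
    try:
        os.chmod(fh.name, 0o640)           # deliberately group-readable
        return check(SAMPLE_JAAS, "GSSAPIBindRequest", keytab_path=fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    for finding in demo():
        print("WARN:", finding)
```

Against a real deployment, call `check(open(jaas_path).read(), "GSSAPIBindRequest")` (or `"com.sun.security.jgss.initiate"` for 3.4.x) and let it read the path from the entry's `keyTab` option; the constructed run above reports the `debug` setting, the group-readable mode and the RC4 key, and is silent about the AES-256 key that the IdP will actually use.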