Using Kerberos keytab to authenticate LDAP resolver with idp 4.0.x
This is a quick write-up on using a Kerberos keytab to authenticate the LDAP attribute resolver's bind in IdP 4.0.x, with a comparison against the equivalent IdP 3.4.x configuration.
Special thanks to Daniel Fisher for making this possible.
Summary
- In jaas.conf, rename the login entry from com.sun.security.jgss.initiate to GSSAPIBindRequest; the Krb5LoginModule line and its options stay the same.
- In attribute-resolver.xml, drop authenticationType="GSSAPI" from the LDAPDirectory DataConnector and select the mechanism with a <SASLConfig mechanism="GSSAPI"> child element instead of LDAPProperty entries.
Our Java parameters for this look like:

```plaintext
-Djava.security.auth.login.config=${CONF_PATH}/jaas.conf
-Djava.security.krb5.conf=/etc/krb5.conf
```

The keytab named in jaas.conf holds the long-term key of the service principal, so keep it readable only by the user the IdP runs as. Turn debug="true" off once the bind works: Krb5LoginModule writes its debug output, including the principal and keytab path, to stdout.
Configuration differences between v3 and v4
jaas.conf

v3.4.x:

```plaintext
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt="true"
        principal="service/shibboleth-xyz@foo.org"
        useKeyTab="true"
        debug="true"
        refreshKrb5Config="true"
        keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};
```

v4.0.x (only the entry name changes; the module and its options are unchanged):

```plaintext
GSSAPIBindRequest {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt="true"
        principal="service/shibboleth-xyz@foo.org"
        useKeyTab="true"
        debug="true"
        refreshKrb5Config="true"
        keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};
```

attribute-resolver.xml

v3.4.x (GSSAPI is selected with authenticationType and tuned through LDAPProperty elements):

```xml
<DataConnector id="suLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    maxResultSize="0"
    principal="UNUSED"
    principalCredential="UNUSED"
    authenticationType="GSSAPI">
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName.replace("@foo.org", ""))
        ]]>
    </FilterTemplate>
    <LDAPProperty name="javax.security.sasl.qop"
```

v4.0.x (authenticationType is gone, GSSAPI is requested through a SASLConfig child element, and failFastInitialize="true" is added):

```xml
<DataConnector id="suLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    maxResultSize="0"
    failFastInitialize="true"
    principal="UNUSED"
    principalCredential="UNUSED">
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName.replace("@foo.org", ""))
        ]]>
    </FilterTemplate>
    <SASLConfig mechanism="GSSAPI" >
```
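A pre-flight check for the configuration above, added here as example code (it is not part of the original write-up and not Shibboleth project code): it reads the principal and keyTab from the GSSAPIBindRequest entry in jaas.conf, verifies the keytab exists and is readable by its owner only, and, where the MIT Kerberos client tools are installed, confirms the keytab still obtains a TGT before the IdP is restarted. The entry name and paths come from the write-up; the function names and the 0400/0600 permission policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up above or from the Shibboleth project):
# pre-flight check of the JAAS entry the IdP 4 LDAP resolver uses for GSSAPI.

# jaas_option CONF ENTRY OPTION: print OPTION's value from JAAS login entry ENTRY.
# Handles both the one-line and the indented multi-line layout; values are
# assumed to contain no whitespace (true for principal= and keyTab=).
jaas_option() {
    awk -v entry="$2" -v opt="$3" '
        $1 == entry { inside = 1 }
        inside {
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0 && substr($i, 1, n - 1) == opt) {
                    v = substr($i, n + 1)
                    gsub(/[";]/, "", v)   # strip the quotes and a trailing ;
                    print v
                    exit
                }
            }
            if ($0 ~ /};/) inside = 0   # end of this login entry
        }' "$1"
}

# keytab_mode_ok PATH: succeed only if PATH is a regular file with mode 0400 or
# 0600, i.e. readable by the IdP user alone (assumed policy). GNU stat first,
# BSD stat as the fallback.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight CONF [ENTRY]: run the checks above and, when kinit is available,
# obtain a TGT from the keytab into a throw-away credential cache. A failure
# here is the same failure the IdP would hit on its first LDAP bind.
preflight() {
    conf=$1
    entry=${2:-GSSAPIBindRequest}   # the entry name used with IdP 4.0.x
    principal=$(jaas_option "$conf" "$entry" principal)
    keytab=$(jaas_option "$conf" "$entry" keyTab)
    if [ -z "$principal" ] || [ -z "$keytab" ]; then
        echo "no $entry entry with principal and keyTab in $conf" >&2
        return 1
    fi
    if ! keytab_mode_ok "$keytab"; then
        echo "keytab $keytab is missing or readable by others" >&2
        return 1
    fi
    if command -v kinit >/dev/null 2>&1; then
        cc=$(mktemp)
        if ! KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$principal"; then
            rm -f "$cc"
            echo "kinit with $keytab failed for $principal (kvno or enctype no longer matches the KDC?)" >&2
            return 1
        fi
        rm -f "$cc"
    fi
    echo "ok: $principal via $keytab"
}

# Usage, e.g. from a deployment script:
#   preflight /opt/shibboleth-idp/conf/jaas.conf
```

Run it as the IdP's service user so the permission and kinit checks reflect what the JVM will actually see; passing com.sun.security.jgss.initiate as the second argument checks an unconverted v3 jaas.conf the same way.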