Using Kerberos keytab to authenticate LDAP resolver with idp 4.0.x

This is a quick write-up on using a Kerberos keytab to authenticate the LDAP resolver (the LDAPDirectory
DataConnector) with idp 4.0.x, together with a comparison against the equivalent idp 3.4.x configuration.

Special thanks to Daniel Fisher for making this possible.

Summary

  1. In jaas.conf, rename the JAAS login context from com.sun.security.jgss.initiate to GSSAPIBindRequest;
     the Krb5LoginModule options themselves do not change.
  2. In attribute-resolver.xml, replace authenticationType="GSSAPI" and the LDAPProperty element with a
     SASLConfig element (mechanism="GSSAPI") that carries the QOP as a SASLProperty.


The JVM options are the same for both versions. useSubjectCredsOnly=false lets the GSS-API layer obtain
Kerberos credentials through the JAAS login configuration instead of requiring a Subject that already holds
them; the other two point the JVM at the JAAS configuration and at the realm/KDC configuration:

-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=${CONF_PATH}/jaas.conf
-Djava.security.krb5.conf=/etc/krb5.conf

Configuration differences between v3 and v4

In both versions the keytab is read by com.sun.security.auth.module.Krb5LoginModule; what changes is the
name under which the LDAP library (ldaptive) looks up the login context. v3 used the JDK default name
com.sun.security.jgss.initiate, v4 uses GSSAPIBindRequest. The keytab is a long-lived credential equivalent
to the service principal's password, so it should be readable only by the account the IdP runs as, and
debug="true" (which prints the Kerberos login steps to the container's stdout) is best turned off once the
bind works.

jaas.conf

  v3.4.x:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt="true"
    principal="service/shibboleth-xyz@foo.org"
    useKeyTab="true"
    debug="true"
    refreshKrb5Config="true"
    keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};

  v4.0.x:

GSSAPIBindRequest {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt="true"
    principal="service/shibboleth-xyz@foo.org"
    useKeyTab="true"
    debug="true"
    refreshKrb5Config="true"
    keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};

attribute-resolver.xml

In v3 the SASL mechanism is selected with authenticationType="GSSAPI" and the QOP is passed as an
LDAPProperty; in v4 both move into a SASLConfig element. javax.security.sasl.qop=auth-conf asks for
integrity and confidentiality on the SASL layer, so the resolver's LDAP traffic is encrypted by GSSAPI
even over a plain ldap:// URL, but the directory must support that QOP or the bind fails. Note also that
failFastInitialize moves from ConnectionPool to the DataConnector and is set to true here, so the IdP
refuses to start if the GSSAPI bind does not succeed at startup, which surfaces keytab or KDC problems
immediately instead of at the first resolution.

  v3.4.x:

    <DataConnector id="suLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        maxResultSize="0"
        principal="UNUSED" principalCredential="UNUSED" authenticationType="GSSAPI">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName.replace("@foo.org", ""))
            ]]>
        </FilterTemplate>

        <LDAPProperty name="javax.security.sasl.qop"
            value="auth-conf" />
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
    </DataConnector>

  v4.0.x:

    <DataConnector id="suLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        maxResultSize="0"
        failFastInitialize="true"
        principal="UNUSED" principalCredential="UNUSED" >
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName.replace("@stanford.edu", ""))
            ]]>
        </FilterTemplate>

        <SASLConfig mechanism="GSSAPI" >
            <SASLProperty name="javax.security.sasl.qop" value="auth-conf"/>
        </SASLConfig>
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" />
    </DataConnector>
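As an added pre-flight check that is not part of the original write-up: the script below verifies the keytab (owner-only permissions, contains the service principal) and then performs a GSSAPI bind with ldapsearch, requesting the same protection level (auth-conf) that the resolver's javax.security.sasl.qop setting asks for, so that keytab, KDC and directory problems show up before the IdP is started. The keytab path and principal are the placeholders from the configuration above; the LDAP URL and base DN are assumed placeholders. The qop_to_secprops mapping and the klist output format assume MIT Kerberos and OpenLDAP's ldapsearch.

```shell
#!/bin/sh
# Added pre-flight check for the keytab-based GSSAPI bind used by the IdP LDAP
# resolver. Not part of the original write-up. KEYTAB and PRINCIPAL follow the
# jaas.conf above; LDAP_URL and BASE_DN are assumed placeholders.
set -u

KEYTAB="${KEYTAB:-/opt/shibboleth-idp/credentials/keytabs/your-keytab}"
PRINCIPAL="${PRINCIPAL:-service/shibboleth-xyz@foo.org}"
LDAP_URL="${LDAP_URL:-ldap://ldap.foo.org}"
BASE_DN="${BASE_DN:-dc=foo,dc=org}"

# Map the Java SASL QOP string from attribute-resolver.xml
# (javax.security.sasl.qop) to the Cyrus SASL security properties that
# OpenLDAP's ldapsearch takes via -O: ssf=0 is authentication only, ssf=1 is
# integrity only, ssf>1 is confidentiality (56 is the usual lower bound).
qop_to_secprops() {
  case "$1" in
    auth)      echo "maxssf=0" ;;
    auth-int)  echo "minssf=1,maxssf=1" ;;
    auth-conf) echo "minssf=56" ;;
    *)         return 1 ;;
  esac
}

# Given the output of `klist -kt <keytab>` on stdin, succeed if it lists the
# principal. MIT klist prints one line per key version, principal last:
#   KVNO Timestamp           Principal
#      2 01/01/2020 00:00:00 service/shibboleth-xyz@foo.org
keytab_lists_principal() {
  awk -v p="$1" 'NF >= 3 && $NF == p { found = 1 } END { exit !found }'
}

# Reject keytabs readable by anyone other than the owner: the keytab is a
# long-lived credential equivalent to the service principal's password.
keytab_mode_ok() {
  case "$1" in
    0600|600|0400|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Full pre-flight run: needs klist, kinit, ldapsearch and network access.
preflight() {
  mode=$(stat -c '%a' "$KEYTAB" 2>/dev/null || stat -f '%Lp' "$KEYTAB")
  keytab_mode_ok "$mode" || { echo "keytab mode $mode too permissive" >&2; return 1; }
  klist -kt "$KEYTAB" | keytab_lists_principal "$PRINCIPAL" \
    || { echo "$PRINCIPAL not found in $KEYTAB" >&2; return 1; }
  # Obtain a TGT from the keytab the same way Krb5LoginModule will (no prompt).
  kinit -kt "$KEYTAB" "$PRINCIPAL" || return 1
  # Bind with GSSAPI and demand the protection level the resolver will request
  # (auth-conf); a base-scope search returning no attributes is enough.
  ldapsearch -LLL -Y GSSAPI -O "$(qop_to_secprops auth-conf)" \
    -H "$LDAP_URL" -b "$BASE_DN" -s base '(objectClass=*)' 1.1
}

if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Run it as `sh preflight.sh run` under the same account the IdP runs as, since that is the account whose read access to the keytab matters. Because the v4 connector sets failFastInitialize="true", a failure here is exactly the failure that would otherwise stop the IdP from starting.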
