Using Kerberos keytab to authenticate LDAP resolver with idp 4.0.x

This is a quick write-up on using a Kerberos keytab to authenticate the LDAP attribute resolver with IdP 4.0.x,
along with a configuration comparison against IdP 3.4.x.

Special thanks to Daniel Fisher for making this possible.

Summary

  1. In jaas.conf, rename the login entry from com.sun.security.jgss.initiate to GSSAPIBindRequest.

  2. In attribute-resolver.xml, replace the LDAPProperty element with a SASLConfig element.


The JVM parameters we use for this are:

-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=${CONF_PATH}/jaas.conf
-Djava.security.krb5.conf=/etc/krb5.conf

Configuration differences between v3 and v4

idp/config: jaas.conf

v3.4.x:

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt="true"
principal="service/shibboleth-xyz@foo.org"
useKeyTab="true"
debug="true"
refreshKrb5Config="true"
keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};

v4.0.x:

GSSAPIBindRequest {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt="true"
principal="service/shibboleth-xyz@foo.org"
useKeyTab="true"
debug="true"
refreshKrb5Config="true"
keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};

idp/config: attribute-resolver.xml

v3.4.x:

      <DataConnector id="suLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        maxResultSize="0"
        principal="UNUSED" principalCredential="UNUSED" authenticationType="GSSAPI">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName.replace("@foo.org", ""))
            ]]>
        </FilterTemplate>

        <LDAPProperty name="javax.security.sasl.qop"
            value="auth-conf" />
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
    </DataConnector>

v4.0.x:

      <DataConnector id="suLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        maxResultSize="0"
        failFastInitialize="true"
        principal="UNUSED" principalCredential="UNUSED">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName.replace("@stanford.edu", ""))
            ]]>
        </FilterTemplate>

        <SASLConfig mechanism="GSSAPI" >
             <SASLProperty name="javax.security.sasl.qop" value="auth-conf"/>
         </SASLConfig>
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime
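
The following is an added example, not part of this write-up or of the Shibboleth project: a small Python lint that reads a jaas.conf, an attribute-resolver.xml and the JVM -D options, and reports the IdP 3 leftovers the summary above calls out (the old com.sun.security.jgss.initiate entry name, authenticationType="GSSAPI" with an LDAPProperty instead of a SASLConfig, and a missing useSubjectCredsOnly=false). The sample inputs are constructed: the ldaps URL, baseDN and keytab path are placeholders, and the resolver namespace urn:mace:shibboleth:2.0:resolver is the standard one for attribute-resolver.xml. It also flags a debug="true" left switched on, which is a caveat of mine rather than something the write-up states.

```python
"""Constructed lint for the IdP 3 -> IdP 4 GSSAPI keytab changes in this write-up."""
import re
import xml.etree.ElementTree as ET

XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
V3_JAAS_ENTRY = "com.sun.security.jgss.initiate"  # JAAS entry the IdP 3 resolver used
V4_JAAS_ENTRY = "GSSAPIBindRequest"               # JAAS entry the IdP 4 resolver looks up
JAAS_ENTRY_RE = re.compile(r"^\s*([\w.]+)\s*\{(.*?)\};", re.S | re.M)
JAAS_OPT_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Map each JAAS entry name to its option dict, e.g. {"GSSAPIBindRequest": {"keyTab": "..."}}."""
    return {name: dict(JAAS_OPT_RE.findall(body)) for name, body in JAAS_ENTRY_RE.findall(text)}


def check_jaas(text):
    """Problems on the jaas.conf side; an empty list means the v4 entry is in place."""
    entries = parse_jaas(text)
    entry = entries.get(V4_JAAS_ENTRY)
    if entry is None:
        if V3_JAAS_ENTRY in entries:
            return [f"jaas.conf: rename entry {V3_JAAS_ENTRY} to {V4_JAAS_ENTRY} for IdP 4"]
        return [f"jaas.conf: no {V4_JAAS_ENTRY} entry"]
    issues = [f"jaas.conf: {V4_JAAS_ENTRY} is missing {o}" for o in ("principal", "keyTab") if not entry.get(o)]
    if entry.get("useKeyTab") != "true":
        issues.append('jaas.conf: useKeyTab="true" is required for a non-interactive keytab login')
    if entry.get("debug") == "true":  # Krb5LoginModule debug prints principals and keytab paths to stdout
        issues.append('jaas.conf: turn debug="true" off once the bind works')
    return issues


def _local(tag):  # '{urn:mace:shibboleth:2.0:resolver}DataConnector' -> 'DataConnector'
    return tag.rsplit("}", 1)[-1]


def check_resolver(xml_text):
    """Problems with every LDAPDirectory DataConnector in an attribute-resolver.xml."""
    issues = []
    for dc in ET.fromstring(xml_text).iter():
        if _local(dc.tag) != "DataConnector" or dc.get(XSI + "type") != "LDAPDirectory":
            continue
        cid = dc.get("id", "?")
        if dc.get("authenticationType") == "GSSAPI":
            issues.append(f'{cid}: authenticationType="GSSAPI" is the v3 form; use <SASLConfig mechanism="GSSAPI">')
        for prop in dc:
            if _local(prop.tag) == "LDAPProperty" and prop.get("name", "").startswith("javax.security.sasl."):
                issues.append(f"{cid}: move LDAPProperty {prop.get('name')} to a <SASLProperty> inside <SASLConfig>")
        sasl = [c for c in dc if _local(c.tag) == "SASLConfig"]
        if not sasl:
            issues.append(f'{cid}: no <SASLConfig mechanism="GSSAPI"> element')
            continue
        if sasl[0].get("mechanism") != "GSSAPI":
            issues.append(f"{cid}: SASLConfig mechanism is {sasl[0].get('mechanism')!r}, expected GSSAPI")
        qop = {p.get("name"): p.get("value") for p in sasl[0] if _local(p.tag) == "SASLProperty"}
        if qop.get("javax.security.sasl.qop") != "auth-conf":  # auth-conf = integrity + confidentiality
            issues.append(f"{cid}: set SASLProperty javax.security.sasl.qop to auth-conf")
    return issues


def check_jvm_opts(opts):
    """Check the three -D options from the write-up; opts is a list of '-Dname=value' strings."""
    present = dict(o[2:].split("=", 1) for o in opts if o.startswith("-D") and "=" in o)
    issues = []
    if present.get("javax.security.auth.useSubjectCredsOnly") != "false":
        issues.append("jvm: -Djavax.security.auth.useSubjectCredsOnly=false is needed so JGSS uses the JAAS login")
    issues += [f"jvm: missing -D{k}" for k in ("java.security.auth.login.config", "java.security.krb5.conf")
               if k not in present]
    return issues


# Constructed sample inputs; principal, paths and URL are placeholders.
V3_JAAS = """com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt="true"
  principal="service/shibboleth-xyz@foo.org" useKeyTab="true" debug="true"
  refreshKrb5Config="true" keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};"""
V4_JAAS = V3_JAAS.replace(V3_JAAS_ENTRY, V4_JAAS_ENTRY).replace('debug="true"', 'debug="false"')
_HEAD = ('<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" '
         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
         '<DataConnector id="suLDAP" xsi:type="LDAPDirectory" ldapURL="ldaps://ldap.foo.org" '
         'baseDN="dc=foo,dc=org" principal="UNUSED" principalCredential="UNUSED"')
V3_RESOLVER = _HEAD + (' authenticationType="GSSAPI"><LDAPProperty name="javax.security.sasl.qop" '
                       'value="auth-conf"/></DataConnector></AttributeResolver>')
V4_RESOLVER = _HEAD + (' failFastInitialize="true"><SASLConfig mechanism="GSSAPI"><SASLProperty '
                       'name="javax.security.sasl.qop" value="auth-conf"/></SASLConfig></DataConnector></AttributeResolver>')
JVM_OPTS = ["-Djavax.security.auth.useSubjectCredsOnly=false",
            "-Djava.security.auth.login.config=/opt/shibboleth-idp/conf/jaas.conf",
            "-Djava.security.krb5.conf=/etc/krb5.conf"]


def lint(jaas_text, resolver_xml, jvm_opts):
    """All findings for one deployment; an empty list means the v4 layout is fully in place."""
    return check_jaas(jaas_text) + check_resolver(resolver_xml) + check_jvm_opts(jvm_opts)


if __name__ == "__main__":
    print("v3 layout:", *lint(V3_JAAS, V3_RESOLVER, JVM_OPTS), sep="\n  ")
    print("v4 layout:", lint(V4_JAAS, V4_RESOLVER, JVM_OPTS))
```

Run against the v3-style inputs the lint reports four findings (the entry rename, the authenticationType attribute, the stray LDAPProperty and the missing SASLConfig); against the v4-style inputs it reports nothing. Point it at a real deployment by reading the files into the three arguments of lint().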