Using Kerberos keytab to authenticate LDAP resolver with idp 4.0.x


This is a quick write-up on using a Kerberos keytab to authenticate the LDAP resolver with IdP 4.0.x,
along with a comparison of the configuration against IdP 3.4.x.

Special thanks to Daniel Fisher for making this possible.

Summary

  1. In jaas.conf, rename the login entry from com.sun.security.jgss.initiate to GSSAPIBindRequest.
  2. In attribute-resolver.xml, replace the authenticationType="GSSAPI" attribute and the LDAPProperty element with a SASLConfig element (mechanism="GSSAPI") carrying the SASL properties.


Our Java (JVM) parameters for this look like:

-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=${CONF_PATH}/jaas.conf
-Djava.security.krb5.conf=/etc/krb5.conf

Configuration differences between v3 and v4

jaas.conf, v3.4.x:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt="true"
    principal="service/shibboleth-xyz@foo.org"
    useKeyTab="true"
    debug="true"
    refreshKrb5Config="true"
    keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};

jaas.conf, v4.0.x:

GSSAPIBindRequest {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt="true"
    principal="service/shibboleth-xyz@foo.org"
    useKeyTab="true"
    debug="true"
    refreshKrb5Config="true"
    keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};

attribute-resolver.xml, v3.4.x:

    <DataConnector id="suLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        maxResultSize="0"
        principal="UNUSED" principalCredential="UNUSED" authenticationType="GSSAPI">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName.replace("@foo.org", ""))
            ]]>
        </FilterTemplate>

        <LDAPProperty name="javax.security.sasl.qop"
            value="auth-conf" />
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
    </DataConnector>

attribute-resolver.xml, v4.0.x:

    <DataConnector id="suLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        maxResultSize="0"
        failFastInitialize="true"
        principal="UNUSED" principalCredential="UNUSED" >
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName.replace("@stanford.edu", ""))
            ]]>
        </FilterTemplate>

        <SASLConfig mechanism="GSSAPI" >
            <SASLProperty name="javax.security.sasl.qop" value="auth-conf"/>
        </SASLConfig>
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime
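The two changes above are easy to get half-right (the entry renamed but the resolver still using authenticationType, or a SASLConfig without the qop property). The following lint, added here as an example and not part of the Shibboleth project, parses a jaas.conf and an attribute-resolver.xml and reports the v3 leftovers and the settings that matter for the bind: a GSSAPIBindRequest entry doing non-interactive keytab login, and a SASLConfig mechanism="GSSAPI" with javax.security.sasl.qop=auth-conf so the GSSAPI layer protects the LDAP traffic. The sample configs, the ldap.example.org URL and the base DN are constructed for the example.

```python
"""Lint for the IdP v3 -> v4 Kerberos/GSSAPI resolver change (added example,
not Shibboleth project code). Sample configs below are constructed."""
import re
import xml.etree.ElementTree as ET

V3_JAAS_ENTRY = "com.sun.security.jgss.initiate"
V4_JAAS_ENTRY = "GSSAPIBindRequest"
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# A JAAS entry is:  Name { ModuleClass flag key="value" ... ; };
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.DOTALL)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Map entry name -> {module, flag, options} for each JAAS login entry."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        module, flag = body.split()[:2]
        entries[name] = {"module": module, "flag": flag,
                         "options": dict(OPTION_RE.findall(body))}
    return entries


def check_jaas(text):
    """Return findings for jaas.conf; an empty list means it is v4-ready."""
    findings, entries = [], parse_jaas(text)
    if V4_JAAS_ENTRY not in entries:
        if V3_JAAS_ENTRY not in entries:
            return ["no Kerberos login entry found"]
        findings.append(f"entry is still named {V3_JAAS_ENTRY}; v4 looks up {V4_JAAS_ENTRY}")
    entry = entries.get(V4_JAAS_ENTRY) or entries[V3_JAAS_ENTRY]
    if (entry["module"], entry["flag"]) != (KRB5_MODULE, "required"):
        findings.append(f"entry must use {KRB5_MODULE} required")
    opts = entry["options"]
    if opts.get("useKeyTab") != "true" or not opts.get("keyTab"):
        findings.append('set useKeyTab="true" and keyTab=<path>: the bind must not rely on a cached TGT or a password')
    if opts.get("doNotPrompt") != "true":
        findings.append('set doNotPrompt="true" so an unusable keytab fails the login instead of blocking on a prompt')
    if not re.fullmatch(r"[^@/\s]+/[^@\s]+@[^@\s]+", opts.get("principal", "")):
        findings.append("principal should be a service principal of the form service/instance@REALM")
    return findings


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def check_resolver(xml_text):
    """Return findings for every LDAPDirectory DataConnector in attribute-resolver.xml."""
    findings = []
    for dc in ET.fromstring(xml_text).iter():
        if _local(dc.tag) != "DataConnector" or dc.get(XSI_TYPE) != "LDAPDirectory":
            continue
        cid = dc.get("id", "?")
        if "authenticationType" in dc.attrib:
            findings.append(f'{cid}: authenticationType is the v3 attribute; v4 uses <SASLConfig mechanism="GSSAPI">')
        if any(_local(c.tag) == "LDAPProperty" for c in dc):
            findings.append(f"{cid}: <LDAPProperty> is v3 syntax; SASL options belong in <SASLConfig>/<SASLProperty>")
        sasl = next((c for c in dc if _local(c.tag) == "SASLConfig"), None)
        if sasl is None:
            findings.append(f"{cid}: no <SASLConfig>; the Kerberos identity from jaas.conf will not be used for the bind")
            continue
        if sasl.get("mechanism") != "GSSAPI":
            findings.append(f"{cid}: SASLConfig mechanism is {sasl.get('mechanism')!r}, expected GSSAPI")
        props = {p.get("name"): p.get("value") for p in sasl if _local(p.tag) == "SASLProperty"}
        if props.get("javax.security.sasl.qop") != "auth-conf":
            findings.append(f"{cid}: javax.security.sasl.qop is {props.get('javax.security.sasl.qop')!r}; "
                            "auth-conf gives the GSSAPI layer integrity and confidentiality, so LDAP traffic is protected even over ldap://")
    return findings


# Constructed samples: the v4 forms, and the v3 forms derived from them.
V4_JAAS = '''GSSAPIBindRequest {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt="true"
  principal="service/shibboleth-xyz@foo.org"
  useKeyTab="true"
  refreshKrb5Config="true"
  keyTab="/opt/shibboleth-idp/credentials/keytabs/your-keytab";
};
'''
V3_JAAS = V4_JAAS.replace(V4_JAAS_ENTRY, V3_JAAS_ENTRY)
_RESOLVER = '''<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="suLDAP" xsi:type="LDAPDirectory" ldapURL="ldap://ldap.example.org"
      baseDN="dc=example,dc=org" principal="UNUSED" principalCredential="UNUSED"{extra}>
    <FilterTemplate><![CDATA[(uid=$requestContext.principalName)]]></FilterTemplate>
    {body}
  </DataConnector>
</AttributeResolver>'''
V4_RESOLVER = _RESOLVER.format(extra="", body='<SASLConfig mechanism="GSSAPI">'
    '<SASLProperty name="javax.security.sasl.qop" value="auth-conf"/></SASLConfig>')
V3_RESOLVER = _RESOLVER.format(extra=' authenticationType="GSSAPI"',
    body='<LDAPProperty name="javax.security.sasl.qop" value="auth-conf"/>')

if __name__ == "__main__":
    for label, found in (("v3 jaas.conf", check_jaas(V3_JAAS)), ("v4 jaas.conf", check_jaas(V4_JAAS)),
                         ("v3 resolver", check_resolver(V3_RESOLVER)), ("v4 resolver", check_resolver(V4_RESOLVER))):
        print(label, "OK" if not found else "")
        for f in found:
            print("  -", f)
```

Run it against the real files by reading them into check_jaas and check_resolver; the v3 samples produce one finding for jaas.conf (the entry name) and three for the resolver (authenticationType, LDAPProperty, missing SASLConfig), while the v4 samples produce none.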



