I had a program that worked in Java 1.4. The idea was that it obtained a Krb5 ticket and then used those credentials to perform an authenticated LDAP search using a different authorization ID. The code:
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

Hashtable env = new Hashtable();
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
// authorization identity to act as once the Kerberos authentication has succeeded
env.put("java.naming.security.sasl.authorizationId", "dn:cn=AuthUSER,ou=SUser,ou=Security,dc=umich,dc=edu");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://ldap.itd.umich.edu:389/ou=People,dc=umich,dc=edu");
try {
    DirContext ctx = new InitialDirContext(env);   // the GSSAPI bind happens here
    String[] mfa = {"mailForwardingAddress"};
    Attributes atrs = ctx.getAttributes("uid=rhoyer", mfa);
    NamingEnumeration e = atrs.getAll();
    while (e.hasMore()) {
        Attribute a = (Attribute) e.next();
        System.out.println(a.getID());
        NamingEnumeration f = a.getAll();
        while (f.hasMore()) {
            System.out.println("\t" + f.nextElement().toString());
        }
    }
    ctx.close();
} catch (NamingException e) {
    System.out.println(e);
}
In 1.5.0, the above code breaks with "GSSAPI Error: A token had an invalid MIC". I then tried to do it with the new SASL classes via the following:
import java.util.Hashtable;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

String[] mechanisms = new String[] {"GSSAPI"};
Hashtable props = new Hashtable();
props.put(Sasl.SERVER_AUTH, "true");   // require the server to authenticate itself too
try {
    // createSaslClient(mechanisms, authorizationId, protocol, serverName, props, callbackHandler);
    // serverName is the host name used to form the service principal ldap/<host>, not an LDAP URL
    SaslClient sc = Sasl.createSaslClient(mechanisms,
        "dn:cn=CAEN,ou=Consulting,ou=Security,dc=umich,dc=edu",
        "ldap", "ldap.itd.umich.edu", props, null);
    ...
The main goal here is to bind as AuthUSER, so any other methods of doing this are also appreciated.
Thanks for looking,
Matt
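The GSSAPI bind with a separate authorization identity described in the post, as an added example that is not part of the original post and not the poster's own code: the Kerberos credentials (the authentication identity) come from a JAAS login and the JNDI search runs under Subject.doAs, with mutual authentication and an integrity-protected security layer requested explicitly. The JAAS entry name LdapClient and the jaas.conf file are assumptions; the URL, authzid DN, entry and attribute are the ones from the post.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class ProxyAuthzSearch {
    // Assumed JAAS entry (hypothetical name). Example jaas.conf contents:
    //   LdapClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
    // Run with -Djava.security.auth.login.config=jaas.conf plus the usual krb5 realm/KDC settings.
    static final String JAAS_ENTRY = "LdapClient";
    static final String URL = "ldap://ldap.itd.umich.edu:389/ou=People,dc=umich,dc=edu";
    static final String AUTHZID = "dn:cn=AuthUSER,ou=SUser,ou=Security,dc=umich,dc=edu";

    public static void main(String[] args) throws Exception {
        // 1. Authentication identity: the Kerberos principal from the ticket cache, obtained via JAAS.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        // 2. Run the JNDI bind inside doAs so the GSSAPI mechanism can find those credentials.
        Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Void>() {
            public Void run() throws NamingException {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, URL);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                // Authorization identity: the DN we act as once authenticated (proxy authorization).
                env.put("java.naming.security.sasl.authorizationId", AUTHZID);
                // Require mutual authentication and an integrity-protected (MIC-checked) layer.
                env.put("javax.security.sasl.server.authentication", "true");
                env.put("javax.security.sasl.qop", "auth-int");
                DirContext ctx = new InitialDirContext(env);   // GSSAPI bind happens here
                try {
                    Attributes atrs = ctx.getAttributes("uid=rhoyer", new String[] {"mailForwardingAddress"});
                    NamingEnumeration<? extends Attribute> attrs = atrs.getAll();
                    while (attrs.hasMore()) {
                        Attribute a = attrs.next();
                        System.out.println(a.getID() + "\t" + a.get());   // first value only
                    }
                } finally {
                    ctx.close();   // close the connection even if the search fails
                }
                return null;
            }
        });
        lc.logout();
    }
}
```

Whether the authenticated principal may assume AUTHZID is decided by the directory server's proxy authorization policy, so a rejected authzid surfaces as a bind failure before any search runs.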