Search code examples
javaldapkerberosjaasgssapi

Connecting to ldap using GSSAPI. Wrong service principal

I'm trying to connect to ldap server using SASL. I'm connecting using url ldaps://ldap.example.com but server hostname is host.example.com. ldap.example.com is cname for host.example.com. My program is trying to get service ticket for ldap/ldap.example.com instead of performing reverse dns request and getting ticket for ldap/host.example.com. Everything works fine when I'm using ldap://host.example.com but I prefer to use service CNAME.

There is my code for creating connection factory:

public DefaultConnectionFactory connectionFactory(){
    return new DefaultConnectionFactory(connectionConfig());
}

private ConnectionConfig connectionConfig(){
    final SaslConfig saslConfig = new SaslConfig();
    saslConfig.setMechanism(Mechanism.GSSAPI);

    final BindConnectionInitializer connectionInitializer = new BindConnectionInitializer();
    connectionInitializer.setBindSaslConfig(saslConfig);

    ConnectionConfig connConfig = new ConnectionConfig("ldaps://ldap.example.com");
    connConfig.setConnectionInitializer(connectionInitializer);
    return connConfig;
}

and jaas.config:

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    keyTab="/etc/ldap.keytab"
    principal="[email protected]"
    storeKey=true
    useKeyTab=true
    debug=true
    ;
};

Is there any way to change this behavior?

Solution

  • You should request a new certificate with ldap.example.com as the subject name and with host.example.com as a subject alternative name. The certificate negotiation is handled right before Kerberos.

    A couple more suggestions:

    1. All SPNs should be defined in your KDC:

    LDAP/ldap.example.com

    LDAP/host.example.com

    1. Both of these A records should be set in DNS. Avoid use of CNAMES, while it might be OK at any given time, different browser versions and future updates could cause inconsistent behavior:

    ldap.example.com

    host.example.com

    1. The principal in jaas.config and the keytab should match. You have:

    principal="[email protected]"

    I suggest it should be: principal=“ldap/host.example.com“;

    1. Finally, ldap/host.example.com should be defined as the SPN in your keytab. If it is not, it might be OK, as long as you either (1) add it as an additional SPN related in the keytab: How do you add multiple SPNs to the same keytab file for Spnego or Kerberos Configuration? or (2) see Setspn if you are using Active Directory and you application server supports it.

    See further reading on GSSAPI.