I have a Tomcat configuration that uses Kerberos 5 to authenticate the user against an AD server and then uses LDAP to obtain roles for authorization against a security-constraint.
server.xml has this:
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="vt-ldap"
       userClassNames="edu.vt.middleware.ldap.jaas.LdapPrincipal"
       roleClassNames="edu.vt.middleware.ldap.jaas.LdapRole"/>
and the jaas config file has this:
vt-ldap {
    com.sun.security.auth.module.Krb5LoginModule required
        storePass="true"
        debug="true";
    edu.vt.middleware.ldap.jaas.LdapDnAuthorizationModule required
        serviceUser="CN=LIM User,OU=LIMGenericAccounts,DC=lim,DC=com"
        serviceCredential="password"
        useFirstPass="true"
        setLdapPrincipal="true"
        setLdapDnPrincipal="true"
        tls="false"
        subtreeSearch="true"
        logCredentials="true"
        storePass="true"
        ldapUrl="ldap://auswa01.lim.com:389"
        base="ou=LIMUsers,dc=lim,dc=com"
        userField="sAMAccountName";
    edu.vt.middleware.ldap.jaas.LdapRoleAuthorizationModule required
        serviceUser="CN=LIM User,OU=LIMGenericAccounts,DC=lim,DC=com"
        serviceCredential="password"
        useFirstPass="true"
        setLdapPrincipal="true"
        setLdapDnPrincipal="true"
        tls="false"
        subtreeSearch="true"
        logCredentials="true"
        storePass="true"
        ldapUrl="ldap://auswa01.lim.com:389"
        base="ou=LIMGroups,dc=lim,dc=com"
        roleFilter="(member={0})"
        roleAttribute="sAMAccountName";
};
The Kerberos authentication works great. But in the subsequent phases (obtaining the roles from LDAP used for authorization) the serviceCredential (password) is passed on the LAN in clear text.
Is there any way to avoid sending the password in clear text? Perhaps there is a way to access LDAP to obtain roles using the Kerberos ticket instead of the serviceUser/serviceCredential info?
Anyone?
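As an added example (not part of the original post), the same two vt-ldap modules with the transport hardened so the simple bind carrying serviceCredential is encrypted: StartTLS via the tls option the post already uses, or an ldaps:// URL; the port 636 and the logCredentials="false" change are assumptions on my part.

```conf
vt-ldap {
    com.sun.security.auth.module.Krb5LoginModule required
        storePass="true";

    /* Same module and search settings as in the question; only the
       transport-related options differ from the posted config. */
    edu.vt.middleware.ldap.jaas.LdapDnAuthorizationModule required
        serviceUser="CN=LIM User,OU=LIMGenericAccounts,DC=lim,DC=com"
        serviceCredential="password"
        useFirstPass="true"
        setLdapPrincipal="true"
        setLdapDnPrincipal="true"
        /* tls="true" issues StartTLS on the plain ldap:// connection before
           the bind, so the service password no longer crosses the LAN
           in clear text. */
        tls="true"
        ldapUrl="ldap://auswa01.lim.com:389"
        /* Alternative (port 636 assumed): LDAP over TLS from the first byte,
           in which case keep tls="false" and use
           ldapUrl="ldaps://auswa01.lim.com:636" */
        subtreeSearch="true"
        /* The posted config logs credentials; keep that off outside debugging. */
        logCredentials="false"
        storePass="true"
        base="ou=LIMUsers,dc=lim,dc=com"
        userField="sAMAccountName";

    edu.vt.middleware.ldap.jaas.LdapRoleAuthorizationModule required
        serviceUser="CN=LIM User,OU=LIMGenericAccounts,DC=lim,DC=com"
        serviceCredential="password"
        useFirstPass="true"
        setLdapPrincipal="true"
        setLdapDnPrincipal="true"
        tls="true"
        ldapUrl="ldap://auswa01.lim.com:389"
        subtreeSearch="true"
        logCredentials="false"
        storePass="true"
        base="ou=LIMGroups,dc=lim,dc=com"
        roleFilter="(member={0})"
        roleAttribute="sAMAccountName";
};
```

Either variant requires the domain controller's certificate (or its issuing CA) to be in the JVM truststore, and ldaps:// additionally requires the LDAPS listener to be enabled on the controller; a quick check that nothing plaintext is left is to capture port 389 during a login and confirm the bind request is no longer readable.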