Is there a way in Java to query Active Directory for a user's attributes given an existing javax.security.auth.kerberos.KerberosTicket that was forwarded to my code? I know I want to use LDAP to do the search, but I am confused about how to use this KerberosTicket object to bind to LDAP. Currently I am using Spring-Ldap and Spring-Security to communicate with Active Directory, and using simple authentication credentials I can bind a username and password to authenticate my user and retrieve all my attributes, roles, etc. However, in the case where I am passed a KerberosTicket from that Active Directory server, I do not know how to bind myself because I don't know the password for this user. I am currently not calling login() from a LoginContext to get my KerberosTicket; it's been forwarded to my code as an encrypted Java object.

A: 

In your LDAP connection environment, set Context.SECURITY_AUTHENTICATION to "GSSAPI". Then create the InitialLdapContext inside a privileged action:

    import java.security.PrivilegedExceptionAction;
    import javax.naming.NamingException;
    import javax.naming.ldap.InitialLdapContext;
    import javax.security.auth.Subject;

    // env is the (final) Hashtable holding the LDAP environment, with SECURITY_AUTHENTICATION = "GSSAPI"
    InitialLdapContext context = Subject.doAs(subject, new PrivilegedExceptionAction<InitialLdapContext>() {
        public InitialLdapContext run() throws NamingException {
            // returning the context avoids assigning a local variable from inside the anonymous class
            return new InitialLdapContext(env, null);
        }
    });
    // a NamingException thrown in run() arrives wrapped in a java.security.PrivilegedActionException

You get the subject variable by calling getSubject() on your LoginContext. env is the environment. You will have to catch a NamingException somehow. Notice that to make this work on newer Windows versions, you have to set a Registry entry, see http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html (search for registry).

cdauth
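Putting the answer together end to end, as an added example (not the answerer's code): the forwarded ticket is placed in a Subject, the GSSAPI bind runs inside Subject.doAs, and the user's attributes are fetched with a parameterised filter. The LDAP URL, base DN and the assumption that the forwarded ticket is the user's TGT are placeholders/assumptions; the SASL mutual-authentication and auth-conf settings are standard JNDI SASL properties.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;

public class GssapiLdapLookup {
    // Wrap the forwarded ticket in a Subject: JGSS takes the initiator credential from
    // the Subject's private credentials (assumption: the ticket is the user's TGT).
    static Subject subjectFor(KerberosTicket forwardedTgt) {
        Subject subject = new Subject();
        subject.getPrincipals().add(forwardedTgt.getClient());
        subject.getPrivateCredentials().add(forwardedTgt);
        return subject;
    }

    // ldapUrl and baseDn are placeholders, e.g. "ldap://dc.example.com" and "DC=example,DC=com".
    static Attributes lookup(KerberosTicket tgt, String ldapUrl, final String baseDn, final String sam) throws Exception {
        final Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");            // SASL bind with Kerberos creds
        env.put("javax.security.sasl.server.authentication", "true"); // mutual auth: verify the DC too
        env.put("javax.security.sasl.qop", "auth-conf");              // sign and seal the LDAP traffic
        // doAs runs the bind with the Subject's Kerberos credentials; a NamingException from
        // InitialLdapContext comes back wrapped in a PrivilegedActionException.
        return Subject.doAs(subjectFor(tgt), new PrivilegedExceptionAction<Attributes>() {
            public Attributes run() throws Exception {
                InitialLdapContext ctx = new InitialLdapContext(env, null);
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    sc.setReturningAttributes(new String[] {"displayName", "mail", "memberOf"});
                    // {0} is substituted by JNDI with RFC 4515 escaping, so the account name
                    // cannot inject filter syntax.
                    NamingEnumeration<SearchResult> results = ctx.search(baseDn,
                            "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {sam}, sc);
                    return results.hasMore() ? results.next().getAttributes() : null;
                } finally {
                    ctx.close();
                }
            }
        });
    }
}
```

On Windows the registry entry from the linked troubleshooting page is still required for the session key of the ticket to be usable.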