back to all blogsSee all blog posts

LDAP connection support for Kerberos authentication in Open Liberty 21.0.0.4-beta

image of author
Austin Bailey on Mar 22, 2021

Open Liberty 21.0.0.4-beta contains new authentication methods for LDAP connections and the complete suite of Jakarta EE 9 API candidates.

With the release of Open Liberty 21.0.0.3, MicroProfile 4.0 and associated components are promoted to the general availability release. For more information, see the Open Liberty 21.0.0.3 release blog post.

We have two beta packages for Open Liberty:

  • All Beta Features: a larger package that contains all Open Liberty beta features (including Jakarta EE 9 beta features) and GA features and functions.

  • Jakarta EE 9 Beta Features: a lightweight package that contains only the Jakarta EE 9 features.

This means that you can now try out our in-development Open Liberty features by just adding the relevant coordinates to your build tools.

If you try either package, let us know what you think.

All Beta Features package

The All Beta Features package includes the following beta features:

LDAP connection support for Kerberos authentication

LDAP bind operations are used to authenticate clients (and the users or applications behind them) to the directory server. This establishes an authorization identity that is used for subsequent operations that are processed on that connection, and specifies the LDAP protocol version that the client uses. Before this update, the LdapRegistry element supported binding either anonymously or by using simple authentication with a user (bindDN) and password (bindPassword). This update adds an option to bind to LDAP: GSSAPI/Kerberos. Kerberos is an authentication mechanism that allows a client and service to mutually authenticate by a Key Distribution Center (KDC). In Open Liberty 21.0.0.4-beta, you can use either a Kerberos credential cache (ccache) or a Kerberos keytab file.

To update an LdapRegistry to use the GSSAPI/Kerberos option, you can set the bind authentication mechanism type using the new LdapRegistry attribute, bindAuthMechanism:

bindAuthMechanism="GSSAPI"

You also need the Kerberos principal or Service Principal Name:

krb5Principal="[email protected]"

If you are using a Kerberos credential cache (ticket cache or ccache) to store the Kerberos credentials, add the ticket cache file name to the LdapRegistry with the new attribute, krb5TicketCache:

krb5TicketCache="${server.config.dir}/security/krb5-user1.cc"

If you are using a custom Kerberos configuration file (krb.conf or krb.ini), set the file name using the global Kerberos configuration element:

<kerberos configFile="${server.config.dir}/security/krb5.conf"/>

If you are using a Kerberos keytab file to store encrypted keys for principals, set the file using the global Kerberos configuration element:

<kerberos keytab="${server.config.dir}/security/krb5.keytab" configFile="${server.config.dir}/security/krb5.conf"/>

If the Kerberos configuration file is not defined, Open Liberty will attempt to resolve by using the JDK default locations and the operating system default locations.

For the Kerberos credentials, the locations are checked in the following order: the ticket cache (if provided), the configured keytab file, and finally the JDK default location.

The following example shows how to configure the LdapRegistry element using a ticket cache and custom Kerberos config file:

<kerberos keytab= configFile="${server.config.dir}/security/krb5.conf"/>

<ldapRegistry id="LDAP" realm="SampleLdapADRealm" host="ldap_hostname" port="389" ignoreCase="true" baseDN="DC=example,DC=com" bindAuthMechanism="GSSAPI" krb5Principal="[email protected]" krb5TicketCache="${server.config.dir}/security/krb5-user1.cc" ldapType="Custom" />

The following example shows how to configure an LDAP Registry using a keytab and custom Kerberos config file:

<kerberos keytab="${server.config.dir}/security/krb5.keytab" configFile="${server.config.dir}/security/krb5.conf" />

<ldapRegistry id="LDAP" realm="SampleLdapADRealm" host="ldap_hostname" port="389" ignoreCase="true" baseDN="DC=example,DC=com" bindAuthMechanism="GSSAPI" krb5Principal="[email protected]" ldapType="Custom" />

For more information on LdapRegistry, see the LDAP User Registry documentation.

To enable this new beta function in your app, pull the All Beta Features package and add the LDAP User Registry 3.0 feature to your server.xml file:

<featureManager>
  <feature>ldapRegistry-3.0</feature>
</featureManager>

Try it now

To try out these features, just update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 15, Java SE 11, or Java SE 8.

If you’re using Maven:

  1. Add the following dependency to your pom.xml file:

    <dependency>
      <groupId>io.openliberty.beta</groupId>
      <artifactId>openliberty-runtime</artifactId>
      <version>21.0.0.4-beta</version>
      <type>pom</type>
    </dependency>
  2. Add a dependency for the beta version of each of the APIs that you’d like to try. For example, to try MicroProfile Config 2.0:

    <dependency>
      <groupId>org.eclipse.microprofile.config</groupId>
      <artifactId>microprofile-config-api</artifactId>
      <version>2.0</version>
      <scope>provided</scope>
    </dependency>
  3. Add add the following runtimeArtifact section to the configuration section of your pom.xml file:

    <runtimeArtifact>
      <groupId>io.openliberty.beta</groupId>
      <artifactId>openliberty-runtime</artifactId>
      <version>21.0.0.4-beta</version>
      <type>zip</type>
    </runtimeArtifact>

Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[21.0.0.4-beta,)'
}

Or take a look at our Downloads page.

Jakarta EE 9 Beta Features package

As of the 21.0.0.2-beta release, Open Liberty is the first vendor product to be Jakarta EE Web Profile 9.0 compatible. With the recent 21.0.0.3-beta release, Open Liberty is the first vendor product to be added to the Jakarta EE Platform 9.0 compatibility list.

This Open Liberty beta release comes complete with all of the previously released Jakarta EE9 API candidates:

  • Jakarta Messaging 3.0 (messaging-3.0, messagingClient-3.0, messagingServer-3.0, messagingSecurity-3.0)

  • Jakarta Security 2.0 (appSecurity-4.0, appSecurityClient-1.0)

  • Jakarta XML Web Services 3.0 (xmlWS-3.0)

  • Jakarta Batch 2.0 (batch-2.0)

  • Jakarta Mail (mail-2.0)

  • Jakarta WebSocket 2.0 (websocket-2.0; now with full CDI integration)

  • RESTful Web Services 3.0 (restfulWS-3.0 and restfulWSClient-3.0)

  • Jakarta Server Faces 3.0 (faces-3.0)

  • Jakarta Connectors 2.0 (connectors-2.0)

  • Jakarta Enterprise Beans 4.0 (enterpriseBeans-4.0)

  • Jakarta Enterprise Beans Remote 4.0 (enterpriseBeansRemote-4.0)

  • Jakarta Enterprise Beans Home 4.0 (enterpriseBeansHome-4.0)

  • Jakarta Enterprise Beans Lite 4.0 (enterpriseBeansLite-4.0)

  • Jakarta Enterprise Beans Persistent Timers 4.0 (enterpriseBeansPersistentTimer-4.0)

  • Jakarta EE Application Client 9.0 (jakartaeeClient-9.0)

  • Jakarta Authentication 2.0 (appAuthentication-2.0)

  • Jakarta Authorization 2.0 (appAuthorization-2.0)

  • Jakarta Persistence 3.0 (includes Eclipselink 3.0-GA.) (persistence-3.0)

  • Jakarta XML Binding 3.0 (xmlBinding-3.0)

  • Jakarta Managed Beans 2.0 (managedBeans-2.0)

  • Jakarta Concurrency 2.0 (concurrent-2.0)

  • Jakarta Bean Validation 3.0 (beanValidation-3.0)

  • Jakarta Contexts and Dependency Injection 3.0 (cdi-3.0)

  • Message-Driven Beans 4.0 (mdb-4.0)

  • JDBC 4.2 & 4.3 (jdbc-4.2 & jdbc-4.3)

  • Jakarta JSON Binding 2.0 (jsonb-2.0)

  • Jakarta JSON Processing 2.0 (jsonp-2.0)

  • Jakarta Servlet 5.0 (servlet-5.0)

  • Jakarta Server Pages 3.0 (pages-3.0)

  • Jakarta Expression Language 4.0 (expressionLanguage-4.0)

For more information about Open Liberty’s Jakarta EE 9 compatability, view our Open Liberty beta is Jakarta EE 9 compatible blog release.

Enable the Jakarta EE 9 beta features in your app’s server.xml. You can enable the individual features you want or you can just add the Jakarta EE 9 convenience feature to enable all of the Jakarta EE 9 beta features at once:

  <featureManager>
    <feature>jakartaee-9.0</feature>
  </featureManager>

Or you can add the Web Profile convenience feature to enable all of the Jakarta EE 9 Web Profile beta features at once:

  <featureManager>
    <feature>webProfile-9.0</feature>
  </featureManager>

Try it now

To try out these Jakarta EE 9 features on Open Liberty in a lightweight package, just update your build tools to pull the Open Liberty Jakarta EE 9 Beta Features package instead of the main release. The beta works with Java SE 15, Java SE 11, or Java SE 8.

If you’re using Maven, here are the coordinates:

<dependency>
    <groupId>io.openliberty.beta</groupId>
    <artifactId>openliberty-jakartaee9</artifactId>
    <version>21.0.0.4-beta</version>
    <type>zip</type>
</dependency>

Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-jakartaee9', version: '[21.0.0.4-beta,)'
}

Or take a look at our Downloads page.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

Tags