So you want to...

Access ldap.stanford.edu from a Java program

References

JNDI Tutorial
JNDI javadocs
javadocs for pluggable authentication framework
JAAS
LDAP error codes
Attributes of People Tree

Anonymous Binding

So easy! So fast!
So limited :-(
Example

scriptorium:~/WWW/ldap-examples> java SearchRetAll
suRegID=4960c2b4e76511d189e72436000baa77
  displayName
    Kristen A Murray


suRegID=5c0c2c46e75b11d1bb522436000baa77
  mail
    kmurray@stanford.edu

  displayName
    Kathy Murray


suRegID=871bfe80f61311d2ae660800209269ec
  mail
    kjmurray@stanford.edu

  displayName
    Katherine Janice Murray

Adding Authentication

Requiring K5 Login

The javax.security.auth.login API supports a bewildering variety of configurations. Most of the time, we only care about the default implementation of Configuration. For authenticating to ldap.stanford.edu, we care about only one kind of LoginModule, a Krb5LoginModule

Distilling this great pile of information and options down to just what we need...

Provide a value for java.security.auth.login.config
For example, adding something like this to the java command line does the trick
-Djava.security.auth.login.config=loginconf

Provide a file (loginconf) that looks like this

MyAppName {
com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true debug=true keyTab="/apps/workgroup-audit/keytab/keytab.workgroup-audit" doNotPrompt=true storeKey=true principal="service/workgroup-audit@stanford.edu" useTicketCache=true
;
};

Details on the format can be found here

Specify java.security.krb5.conf


-Djava.security.krb5.conf=/etc/leland/krb5/conf

Specify javax.security.sasl.qop
-Djavax.security.sasl.qop=auth-conf
Details

What Happens to the Example Now?

Nothing changed! Why not?
It is because we have not changed our code at all to authenticate.
In our code, we need to

establish a LoginContext
login
"assume the identity of the authenticated principal"
Translation: Write a class that implements PrivilegedAction, and use Subject.doAs(Subject, PrivilegedAction)

Let's Fix It

Fixed-up Example

output (edited a bit)

regapp3:/afs/ir/users/k/a/kam/WWW/ldap-examples# java -Djava.security.auth.login.config=auth_system_krb.conf -Djava.security.krb5.conf=/etc/leland/krb5.conf -Djavax.security.sasl.qop=auth-conf SearchRequiringAuth

suRegID=4960c2b4e76511d189e72436000baa77
  mail
    Kristen.Murray@stanford.edu

  displayName
    Kristen A Murray

  description
    Information Technology Systems and Services, software developer

Gotchas

DirContext is not thread-safe
more...
Re-trying the login
What happens when one of the servers in the load-balanced pool is removed?
Peculiar error messages This might help
ACL Issues