一、背景

亲测可用,之前搜索了很多博客，啥样的都有，就是不介绍报错以及配置用处，根本不懂照抄那些配置是干啥的，稀里糊涂的按照博客搭完也跑不起来，因此记录这个。

项目背景：公司项目当前采用http协议+shiro+mysql的登录认证方式，而现在想支持ldap协议认证登录然后能够访问自己公司的项目网站。

举例说明：假设我们公司有自己的门户网站，现在我们收购了一家公司，他们数据库采用ldap存储用户数据，那么为了他们账户能登陆我们公司项目所以需要集成，而不是再把他们的账户重新在mysql再创建一遍，万一人家有1W个账户呢，不累死了且也不现实啊。

需要安装openldap+kerberos，且ldap和kerberos安装在同一台服务器上，当前版本如下：

• centos 7.9
• openldap 2.4.44
• phpldapadmin 1.2.5
• 服务器IP：10.110.38.162
• Kerberos ：Kerberos 5 release 1.15.1

另外介绍下我的Spring各个版本：

• Spring Security：4.2.3.RELEASE
• Spring Version：4.3.9.RELEASE
• SpringBoot Version：1.4.7.RELEASE

注意点1：我之所以选这么旧的版本，是因为我最后要在自己项目集成，我们项目就是上面版本附近的，所以不能选太高版本，这点请注意各版本之间的兼容性问题。
详情可看这篇博客介绍兼容版本：https://zhuanlan.zhihu.com/p/652895555

注意点2：如果里面的某些配置不知道在哪或者不知道干啥的，可以看我的前面的博客，详细介绍了安装配置等，可以大致了解参数。

目前网上相关文章很少，而且好多博客都是未认证就发布的所以一堆问题，跑不起来，如下是我参考的博客

• Spring Security Kerberos - Reference Documentation
• MIT Kerberos Documentation
• https://www.openldap.org/
• Authentication Protocols: LDAP vs Kerberos vs OAuth2 vs SAML vs RADIUS

二、报错

完整错误

        [Krb5LoginModule] authentication failed 
null (68)
    [LoginContext]: login REQUIRED failure
    [LoginContext]: abort ignored
javax.security.auth.login.LoginException: null (68)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at com.example.ldaptest2.KerberosTest.authenticateUser2(KerberosTest.java:58)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
    at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
    at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:252)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:94)
    at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
    at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
    at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
    at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
    at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:191)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
    at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
    at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:220)
    at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:53)
Caused by: KrbException: null (68)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
    ... 42 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 45 more
2024-06-14 16:44:15.708  INFO 18160 --- [       Thread-1] o.s.w.c.s.GenericWebApplicationContext   : Closing org.springframework.web.context.support.GenericWebApplicationContext@18025ced: startup date [Fri Jun 14 16:44:04 CST 2024]; root of context hierarchy
Disconnected from the target VM, address: '127.0.0.1:12344', transport: 'socket'
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing

Process finished with exit code 0

错误原因1：keytab过期了

举例验证

[root@localhost ~]# ls -l /etc/openldap/ldap.keytab
-rwxrwxrwx 1 ldap ldap 1058 6月  14 02:22 /etc/openldap/ldap.keytab
[root@localhost ~]#  等待输入超时：自动登出

解决方案：重新生成keytab就行

错误原因2：本地和服务器时间不一致
解决方案：同步时间

本人其他相关文章链接

1.Centos7.9安装openldap
2.Centos7.9安装kerberos
3.Openldap集成Kerberos
4.Centos7.9安装phpldapadmin
5.java连接ldap实现用户查询功能
6.java连接kerberos用户认证
7.javax.security.auth.login.LoginException: Unable to obtain password from user
8.javax.security.auth.login.LoginException: null (68)
9.javax.security.auth.login.LoginException: Message stream modified (41)
10.javax.security.auth.login.LoginException: Checksum failed
11.javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication info
12.javax.security.auth.login.LoginException: Cannot locate KDC
13.javax.security.auth.login.LoginException: Receive timed out
14.java: 无法访问org.springframework.context.ConfigurableApplicationContext
15.LDAP: error code 34 - invalid DN
16.LDAP: error code 32 - No Such Object
17.java: 无法访问org.springframework.ldap.core.LdapTemplate