1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20 package org.apache.directory.server.kerberos;
21
22
23 import java.util.HashSet;
24 import java.util.Set;
25
26 import javax.security.auth.kerberos.KerberosPrincipal;
27
28 import org.apache.directory.server.constants.ServerDNConstants;
29 import org.apache.directory.shared.kerberos.KerberosUtils;
30 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
31 import org.apache.directory.shared.kerberos.codec.types.PrincipalNameType;
32
33
34
35
36
37 public class KerberosConfig
38 {
39
40
41 public static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
42
43
44 public static final String DEFAULT_REALM = "EXAMPLE.COM";
45
46
47 public static final long DEFAULT_ALLOWABLE_CLOCKSKEW = 5L * 60000L;
48
49
50 public static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
51
52
53 public static final boolean DEFAULT_PA_ENC_TIMESTAMP_REQUIRED = true;
54
55
56 public static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = 60000 * 1440;
57
58
59 public static final int DEFAULT_TGS_MINIMUM_TICKET_LIFETIME = 60000 * 4;
60
61
62 public static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = 60000 * 10080;
63
64
65 public static final boolean DEFAULT_TGS_FORWARDABLE_ALLOWED = true;
66
67
68 public static final boolean DEFAULT_TGS_PROXIABLE_ALLOWED = true;
69
70
71 public static final boolean DEFAULT_TGS_POSTDATED_ALLOWED = true;
72
73
74 public static final boolean DEFAULT_TGS_RENEWABLE_ALLOWED = true;
75
76
77 public static final boolean DEFAULT_VERIFY_BODY_CHECKSUM = true;
78
79
80 public static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
81 { "aes128-cts-hmac-sha1-96", "des-cbc-md5", "des3-cbc-sha1-kd" };
82
83
84 private String primaryRealm = KerberosConfig.DEFAULT_REALM;
85
86
87 private String servicePrincipal = KerberosConfig.DEFAULT_PRINCIPAL;
88
89
90 private long allowableClockSkew = KerberosConfig.DEFAULT_ALLOWABLE_CLOCKSKEW;
91
92
93 private boolean isPaEncTimestampRequired = KerberosConfig.DEFAULT_PA_ENC_TIMESTAMP_REQUIRED;
94
95
96 private long maximumTicketLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
97
98
99 private long minimumTicketLifetime = KerberosConfig.DEFAULT_TGS_MINIMUM_TICKET_LIFETIME;
100
101
102 private long maximumRenewableLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
103
104
105 private boolean isEmptyAddressesAllowed = KerberosConfig.DEFAULT_EMPTY_ADDRESSES_ALLOWED;
106
107
108 private boolean isForwardableAllowed = KerberosConfig.DEFAULT_TGS_FORWARDABLE_ALLOWED;
109
110
111 private boolean isProxiableAllowed = KerberosConfig.DEFAULT_TGS_PROXIABLE_ALLOWED;
112
113
114 private boolean isPostdatedAllowed = KerberosConfig.DEFAULT_TGS_POSTDATED_ALLOWED;
115
116
117 private boolean isRenewableAllowed = KerberosConfig.DEFAULT_TGS_RENEWABLE_ALLOWED;
118
119
120 private boolean isBodyChecksumVerified = KerberosConfig.DEFAULT_VERIFY_BODY_CHECKSUM;
121
122
123 private Set<EncryptionType> encryptionTypes;
124
125
126 private KerberosPrincipal srvPrincipal;
127
128 private String searchBaseDn;
129
130
131 public KerberosConfig()
132 {
133 setSearchBaseDn( ServerDNConstants.USER_EXAMPLE_COM_DN );
134 prepareEncryptionTypes();
135 }
136
137
138
139
140
141
142
143 public long getAllowableClockSkew()
144 {
145 return allowableClockSkew;
146 }
147
148
149
150
151
152 public boolean isEmptyAddressesAllowed()
153 {
154 return isEmptyAddressesAllowed;
155 }
156
157
158
159
160
161 public boolean isForwardableAllowed()
162 {
163 return isForwardableAllowed;
164 }
165
166
167
168
169
170 public boolean isPostdatedAllowed()
171 {
172 return isPostdatedAllowed;
173 }
174
175
176
177
178
179 public boolean isProxiableAllowed()
180 {
181 return isProxiableAllowed;
182 }
183
184
185
186
187
188 public boolean isRenewableAllowed()
189 {
190 return isRenewableAllowed;
191 }
192
193
194
195
196
197 public long getMaximumRenewableLifetime()
198 {
199 return maximumRenewableLifetime;
200 }
201
202
203
204
205
206 public long getMaximumTicketLifetime()
207 {
208 return maximumTicketLifetime;
209 }
210
211
212
213
214
215 public void setAllowableClockSkew( long allowableClockSkew )
216 {
217 this.allowableClockSkew = allowableClockSkew;
218 }
219
220
221
222
223
224
225
226 public void setEncryptionTypes( EncryptionType[] encryptionTypes )
227 {
228 if ( encryptionTypes != null )
229 {
230 this.encryptionTypes.clear();
231
232 for ( EncryptionType encryptionType : encryptionTypes )
233 {
234 this.encryptionTypes.add( encryptionType );
235 }
236 }
237
238 this.encryptionTypes = KerberosUtils.orderEtypesByStrength( this.encryptionTypes );
239 }
240
241
242
243
244
245
246
247 public void setEncryptionTypes( Set<EncryptionType> encryptionTypes )
248 {
249 this.encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes );
250 }
251
252
253
254
255
256 public void setEmptyAddressesAllowed( boolean isEmptyAddressesAllowed )
257 {
258 this.isEmptyAddressesAllowed = isEmptyAddressesAllowed;
259 }
260
261
262
263
264
265 public void setForwardableAllowed( boolean isForwardableAllowed )
266 {
267 this.isForwardableAllowed = isForwardableAllowed;
268 }
269
270
271
272
273
274 public void setPaEncTimestampRequired( boolean isPaEncTimestampRequired )
275 {
276 this.isPaEncTimestampRequired = isPaEncTimestampRequired;
277 }
278
279
280
281
282
283 public void setPostdatedAllowed( boolean isPostdatedAllowed )
284 {
285 this.isPostdatedAllowed = isPostdatedAllowed;
286 }
287
288
289
290
291
292 public void setProxiableAllowed( boolean isProxiableAllowed )
293 {
294 this.isProxiableAllowed = isProxiableAllowed;
295 }
296
297
298
299
300
301 public void setRenewableAllowed( boolean isRenewableAllowed )
302 {
303 this.isRenewableAllowed = isRenewableAllowed;
304 }
305
306
307
308
309
310 public void setServicePrincipal( String kdcPrincipal )
311 {
312 this.servicePrincipal = kdcPrincipal;
313 }
314
315
316
317
318
319 public void setMaximumRenewableLifetime( long maximumRenewableLifetime )
320 {
321 this.maximumRenewableLifetime = maximumRenewableLifetime;
322 }
323
324
325
326
327
328 public void setMaximumTicketLifetime( long maximumTicketLifetime )
329 {
330 this.maximumTicketLifetime = maximumTicketLifetime;
331 }
332
333
334
335
336
337 public void setPrimaryRealm( String primaryRealm )
338 {
339 this.primaryRealm = primaryRealm;
340 }
341
342
343
344
345
346
347
348 public String getPrimaryRealm()
349 {
350 return primaryRealm;
351 }
352
353
354
355
356
357
358
359 public KerberosPrincipal getServicePrincipal()
360 {
361 if ( srvPrincipal == null )
362 {
363 srvPrincipal = new KerberosPrincipal( servicePrincipal, PrincipalNameType.KRB_NT_SRV_INST.getValue() );
364 }
365
366 return srvPrincipal;
367 }
368
369
370
371
372
373
374
375 public Set<EncryptionType> getEncryptionTypes()
376 {
377 return encryptionTypes;
378 }
379
380
381
382
383
384
385
386 public boolean isPaEncTimestampRequired()
387 {
388 return isPaEncTimestampRequired;
389 }
390
391
392
393
394
395 public boolean isBodyChecksumVerified()
396 {
397 return isBodyChecksumVerified;
398 }
399
400
401
402
403
404 public void setBodyChecksumVerified( boolean isBodyChecksumVerified )
405 {
406 this.isBodyChecksumVerified = isBodyChecksumVerified;
407 }
408
409
410 public String getSearchBaseDn()
411 {
412 return searchBaseDn;
413 }
414
415
416 public void setSearchBaseDn( String searchBaseDn )
417 {
418 this.searchBaseDn = searchBaseDn;
419 }
420
421
422 public long getMinimumTicketLifetime()
423 {
424 return minimumTicketLifetime;
425 }
426
427
428 public void setMinimumTicketLifetime( long minimumTicketLifetime )
429 {
430 this.minimumTicketLifetime = minimumTicketLifetime;
431 }
432
433
434
435
436
437 private void prepareEncryptionTypes()
438 {
439 String[] encryptionTypeStrings = KerberosConfig.DEFAULT_ENCRYPTION_TYPES;
440
441 encryptionTypes = new HashSet<>();
442
443 for ( String enc : encryptionTypeStrings )
444 {
445 for ( EncryptionType type : EncryptionType.getEncryptionTypes() )
446 {
447 if ( type.getName().equalsIgnoreCase( enc ) )
448 {
449 encryptionTypes.add( type );
450 }
451 }
452 }
453
454 encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes );
455 }
456 }