001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020package org.apache.directory.server.kerberos; 021 022 023import java.util.HashSet; 024import java.util.Set; 025 026import javax.security.auth.kerberos.KerberosPrincipal; 027 028import org.apache.directory.server.constants.ServerDNConstants; 029import org.apache.directory.shared.kerberos.KerberosUtils; 030import org.apache.directory.shared.kerberos.codec.types.EncryptionType; 031import org.apache.directory.shared.kerberos.codec.types.PrincipalNameType; 032 033 034/** 035 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> 036 */ 037public class KerberosConfig 038{ 039 040 /** The default kdc service principal */ 041 public static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"; 042 043 /** The default kdc realm */ 044 public static final String DEFAULT_REALM = "EXAMPLE.COM"; 045 046 /** The default allowable clockskew */ 047 public static final long DEFAULT_ALLOWABLE_CLOCKSKEW = 5L * 60000L; 048 049 /** The default for allowing empty addresses */ 050 public static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true; 051 052 /** The default for requiring encrypted timestamps */ 053 public static final boolean DEFAULT_PA_ENC_TIMESTAMP_REQUIRED = true; 054 055 /** The default for the maximum ticket lifetime */ 056 public static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = 60000 * 1440; 057 058 /** The default for the minimum ticket lifetime, 4 minutes */ 059 public static final int DEFAULT_TGS_MINIMUM_TICKET_LIFETIME = 60000 * 4; 060 061 /** The default for the maximum renewable lifetime */ 062 public static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = 60000 * 10080; 063 064 /** The default for allowing forwardable tickets */ 065 public static final boolean DEFAULT_TGS_FORWARDABLE_ALLOWED = true; 066 067 /** The default for allowing proxiable tickets */ 068 public static final boolean DEFAULT_TGS_PROXIABLE_ALLOWED = true; 069 070 /** The default for allowing postdated tickets */ 071 public static final boolean DEFAULT_TGS_POSTDATED_ALLOWED = true; 072 073 /** The default for allowing renewable tickets */ 074 public static final boolean DEFAULT_TGS_RENEWABLE_ALLOWED = true; 075 076 /** The default for verifying the body checksum */ 077 public static final boolean DEFAULT_VERIFY_BODY_CHECKSUM = true; 078 079 /** The default encryption types */ 080 public static final String[] DEFAULT_ENCRYPTION_TYPES = new String[] 081 { "aes128-cts-hmac-sha1-96", "des-cbc-md5", "des3-cbc-sha1-kd" }; 082 083 /** The primary realm */ 084 private String primaryRealm = KerberosConfig.DEFAULT_REALM; 085 086 /** The service principal name. */ 087 private String servicePrincipal = KerberosConfig.DEFAULT_PRINCIPAL; 088 089 /** The allowable clock skew. */ 090 private long allowableClockSkew = KerberosConfig.DEFAULT_ALLOWABLE_CLOCKSKEW; 091 092 /** Whether pre-authentication by encrypted timestamp is required. */ 093 private boolean isPaEncTimestampRequired = KerberosConfig.DEFAULT_PA_ENC_TIMESTAMP_REQUIRED; 094 095 /** The maximum ticket lifetime. */ 096 private long maximumTicketLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME; 097 098 /** The minimum ticket lifetime. */ 099 private long minimumTicketLifetime = KerberosConfig.DEFAULT_TGS_MINIMUM_TICKET_LIFETIME; 100 101 /** The maximum renewable lifetime. */ 102 private long maximumRenewableLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME; 103 104 /** Whether empty addresses are allowed. */ 105 private boolean isEmptyAddressesAllowed = KerberosConfig.DEFAULT_EMPTY_ADDRESSES_ALLOWED; 106 107 /** Whether forwardable addresses are allowed. */ 108 private boolean isForwardableAllowed = KerberosConfig.DEFAULT_TGS_FORWARDABLE_ALLOWED; 109 110 /** Whether proxiable addresses are allowed. */ 111 private boolean isProxiableAllowed = KerberosConfig.DEFAULT_TGS_PROXIABLE_ALLOWED; 112 113 /** Whether postdated tickets are allowed. */ 114 private boolean isPostdatedAllowed = KerberosConfig.DEFAULT_TGS_POSTDATED_ALLOWED; 115 116 /** Whether renewable tickets are allowed. */ 117 private boolean isRenewableAllowed = KerberosConfig.DEFAULT_TGS_RENEWABLE_ALLOWED; 118 119 /** Whether to verify the body checksum. */ 120 private boolean isBodyChecksumVerified = KerberosConfig.DEFAULT_VERIFY_BODY_CHECKSUM; 121 122 /** The encryption types. */ 123 private Set<EncryptionType> encryptionTypes; 124 125 /* cached kerberos/changepassword service principal */ 126 private KerberosPrincipal srvPrincipal; 127 128 private String searchBaseDn; 129 130 131 public KerberosConfig() 132 { 133 setSearchBaseDn( ServerDNConstants.USER_EXAMPLE_COM_DN ); 134 prepareEncryptionTypes(); 135 } 136 137 138 /** 139 * Returns the allowable clock skew. 140 * 141 * @return The allowable clock skew. 142 */ 143 public long getAllowableClockSkew() 144 { 145 return allowableClockSkew; 146 } 147 148 149 /** 150 * @return the isEmptyAddressesAllowed 151 */ 152 public boolean isEmptyAddressesAllowed() 153 { 154 return isEmptyAddressesAllowed; 155 } 156 157 158 /** 159 * @return the isForwardableAllowed 160 */ 161 public boolean isForwardableAllowed() 162 { 163 return isForwardableAllowed; 164 } 165 166 167 /** 168 * @return the isPostdatedAllowed 169 */ 170 public boolean isPostdatedAllowed() 171 { 172 return isPostdatedAllowed; 173 } 174 175 176 /** 177 * @return the isProxiableAllowed 178 */ 179 public boolean isProxiableAllowed() 180 { 181 return isProxiableAllowed; 182 } 183 184 185 /** 186 * @return the isRenewableAllowed 187 */ 188 public boolean isRenewableAllowed() 189 { 190 return isRenewableAllowed; 191 } 192 193 194 /** 195 * @return the maximumRenewableLifetime 196 */ 197 public long getMaximumRenewableLifetime() 198 { 199 return maximumRenewableLifetime; 200 } 201 202 203 /** 204 * @return the maximumTicketLifetime 205 */ 206 public long getMaximumTicketLifetime() 207 { 208 return maximumTicketLifetime; 209 } 210 211 212 /** 213 * @param allowableClockSkew the allowableClockSkew to set 214 */ 215 public void setAllowableClockSkew( long allowableClockSkew ) 216 { 217 this.allowableClockSkew = allowableClockSkew; 218 } 219 220 221 /** 222 * Initialize the encryptionTypes set 223 * 224 * @param encryptionTypes the encryptionTypes to set 225 */ 226 public void setEncryptionTypes( EncryptionType[] encryptionTypes ) 227 { 228 if ( encryptionTypes != null ) 229 { 230 this.encryptionTypes.clear(); 231 232 for ( EncryptionType encryptionType : encryptionTypes ) 233 { 234 this.encryptionTypes.add( encryptionType ); 235 } 236 } 237 238 this.encryptionTypes = KerberosUtils.orderEtypesByStrength( this.encryptionTypes ); 239 } 240 241 242 /** 243 * Initialize the encryptionTypes set 244 * 245 * @param encryptionTypes the encryptionTypes to set 246 */ 247 public void setEncryptionTypes( Set<EncryptionType> encryptionTypes ) 248 { 249 this.encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes ); 250 } 251 252 253 /** 254 * @param isEmptyAddressesAllowed the isEmptyAddressesAllowed to set 255 */ 256 public void setEmptyAddressesAllowed( boolean isEmptyAddressesAllowed ) 257 { 258 this.isEmptyAddressesAllowed = isEmptyAddressesAllowed; 259 } 260 261 262 /** 263 * @param isForwardableAllowed the isForwardableAllowed to set 264 */ 265 public void setForwardableAllowed( boolean isForwardableAllowed ) 266 { 267 this.isForwardableAllowed = isForwardableAllowed; 268 } 269 270 271 /** 272 * @param isPaEncTimestampRequired the isPaEncTimestampRequired to set 273 */ 274 public void setPaEncTimestampRequired( boolean isPaEncTimestampRequired ) 275 { 276 this.isPaEncTimestampRequired = isPaEncTimestampRequired; 277 } 278 279 280 /** 281 * @param isPostdatedAllowed the isPostdatedAllowed to set 282 */ 283 public void setPostdatedAllowed( boolean isPostdatedAllowed ) 284 { 285 this.isPostdatedAllowed = isPostdatedAllowed; 286 } 287 288 289 /** 290 * @param isProxiableAllowed the isProxiableAllowed to set 291 */ 292 public void setProxiableAllowed( boolean isProxiableAllowed ) 293 { 294 this.isProxiableAllowed = isProxiableAllowed; 295 } 296 297 298 /** 299 * @param isRenewableAllowed the isRenewableAllowed to set 300 */ 301 public void setRenewableAllowed( boolean isRenewableAllowed ) 302 { 303 this.isRenewableAllowed = isRenewableAllowed; 304 } 305 306 307 /** 308 * @param kdcPrincipal the kdcPrincipal to set 309 */ 310 public void setServicePrincipal( String kdcPrincipal ) 311 { 312 this.servicePrincipal = kdcPrincipal; 313 } 314 315 316 /** 317 * @param maximumRenewableLifetime the maximumRenewableLifetime to set 318 */ 319 public void setMaximumRenewableLifetime( long maximumRenewableLifetime ) 320 { 321 this.maximumRenewableLifetime = maximumRenewableLifetime; 322 } 323 324 325 /** 326 * @param maximumTicketLifetime the maximumTicketLifetime to set 327 */ 328 public void setMaximumTicketLifetime( long maximumTicketLifetime ) 329 { 330 this.maximumTicketLifetime = maximumTicketLifetime; 331 } 332 333 334 /** 335 * @param primaryRealm the primaryRealm to set 336 */ 337 public void setPrimaryRealm( String primaryRealm ) 338 { 339 this.primaryRealm = primaryRealm; 340 } 341 342 343 /** 344 * Returns the primary realm. 345 * 346 * @return The primary realm. 347 */ 348 public String getPrimaryRealm() 349 { 350 return primaryRealm; 351 } 352 353 354 /** 355 * Returns the service principal for this KDC/changepwd service. 356 * 357 * @return The service principal for this KDC/changepwd service. 358 */ 359 public KerberosPrincipal getServicePrincipal() 360 { 361 if ( srvPrincipal == null ) 362 { 363 srvPrincipal = new KerberosPrincipal( servicePrincipal, PrincipalNameType.KRB_NT_SRV_INST.getValue() ); 364 } 365 366 return srvPrincipal; 367 } 368 369 370 /** 371 * Returns the encryption types. 372 * 373 * @return The encryption types. 374 */ 375 public Set<EncryptionType> getEncryptionTypes() 376 { 377 return encryptionTypes; 378 } 379 380 381 /** 382 * Returns whether pre-authentication by encrypted timestamp is required. 383 * 384 * @return Whether pre-authentication by encrypted timestamp is required. 385 */ 386 public boolean isPaEncTimestampRequired() 387 { 388 return isPaEncTimestampRequired; 389 } 390 391 392 /** 393 * @return the isBodyChecksumVerified 394 */ 395 public boolean isBodyChecksumVerified() 396 { 397 return isBodyChecksumVerified; 398 } 399 400 401 /** 402 * @param isBodyChecksumVerified the isBodyChecksumVerified to set 403 */ 404 public void setBodyChecksumVerified( boolean isBodyChecksumVerified ) 405 { 406 this.isBodyChecksumVerified = isBodyChecksumVerified; 407 } 408 409 410 public String getSearchBaseDn() 411 { 412 return searchBaseDn; 413 } 414 415 416 public void setSearchBaseDn( String searchBaseDn ) 417 { 418 this.searchBaseDn = searchBaseDn; 419 } 420 421 422 public long getMinimumTicketLifetime() 423 { 424 return minimumTicketLifetime; 425 } 426 427 428 public void setMinimumTicketLifetime( long minimumTicketLifetime ) 429 { 430 this.minimumTicketLifetime = minimumTicketLifetime; 431 } 432 433 434 /** 435 * Construct an HashSet containing the default encryption types 436 */ 437 private void prepareEncryptionTypes() 438 { 439 String[] encryptionTypeStrings = KerberosConfig.DEFAULT_ENCRYPTION_TYPES; 440 441 encryptionTypes = new HashSet<>(); 442 443 for ( String enc : encryptionTypeStrings ) 444 { 445 for ( EncryptionType type : EncryptionType.getEncryptionTypes() ) 446 { 447 if ( type.getName().equalsIgnoreCase( enc ) ) 448 { 449 encryptionTypes.add( type ); 450 } 451 } 452 } 453 454 encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes ); 455 } 456}