
How to use LdapSdk to delegate existing kerberos ticket to LdapConnection bind?

Open gredwhite opened this issue 10 months ago • 7 comments

I have the following architecture:

  • Samba (AD)
  • Web App (it sends requests to Samba), which is a Spring Boot 3 application
  • Client

The client sends a Kerberos ticket to the web application, and SpnegoAuthenticationProcessingFilter can handle it.

I've read about the AD feature called Unconstrained delegation:

Unconstrained delegation is a feature in Active Directory that allows a computer, service, or user to impersonate any other user and access resources on their behalf across the entire network, completely unrestricted.

And I need exactly that. I want the user who logs in initially to:

  • Send requests to the webapp with a Kerberos ticket
  • Have the webapp take the Kerberos ticket and create an LdapConnection (using the existing Kerberos ticket to make the bind).

I see the class GSSAPIBindRequest: https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/GSSAPIBindRequest.html

But in the example it uses a username and password.

So my question is: is there a way to delegate the existing ticket to LdapConnection?

gredwhite, Mar 24 '25 18:03
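As an added illustration (not code from the issue or from the LDAP SDK project), the two pieces the question touches: checking whether the client actually forwarded a delegable credential on the accepted SPNEGO context (plain JGSS), and the password-less GSSAPI bind that GSSAPIBindRequestProperties documents, which takes credentials from a Kerberos ticket cache instead of a username/password. The host, port, principal and cache path are hypothetical parameters; getting a per-user delegated credential into a ticket cache the SDK can read is not something the issue settles, so only the ticket-cache route is shown.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.GSSAPIBindRequestProperties;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;

public final class DelegatedKerberosBind {

  /**
   * Returns the credential the client forwarded together with its service
   * ticket, or null if delegation was not requested. acceptedContext is a
   * GSSContext on which acceptSecContext() has already completed; exposing
   * it from the SPNEGO filter is up to the application (hypothetical here).
   * With unconstrained delegation this is the user's forwarded TGT, so it
   * must only be used while serving that user's request.
   */
  public static GSSCredential delegatedCredential(GSSContext acceptedContext)
      throws GSSException {
    if (!acceptedContext.isEstablished() || !acceptedContext.getCredDelegState()) {
      return null;  // nothing was forwarded: the server cannot act as the user
    }
    return acceptedContext.getDelegCred();
  }

  /**
   * GSSAPI SASL bind without a password: the SDK's internal JAAS login runs
   * Krb5LoginModule against the given ticket cache and fails (rather than
   * prompting) when no usable cached credentials are present.
   */
  public static BindResult bindWithCachedTicket(String host, int port,
      String principal, String ticketCachePath) throws LDAPException {
    // (String) null selects the String-password constructor and means
    // "no password, use cached credentials".
    GSSAPIBindRequestProperties props =
        new GSSAPIBindRequestProperties(principal, (String) null);
    props.setUseTicketCache(true);
    props.setRequireCachedCredentials(true);
    props.setTicketCachePath(ticketCachePath);  // e.g. a per-user FILE: cache

    try (LDAPConnection conn = new LDAPConnection(host, port)) {
      return conn.bind(new GSSAPIBindRequest(props));
    }
  }
}
```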