Reputation: 458
I have been creating an authentication and authorisation service for our internal network. The service accepts incoming HTTP requests and proxies them onwards to other internal services (admin web sites mainly). To authenticate users my service uses the UnboundID SDK to connect over LDAP to our corporate Microsoft Active Directory. It then authorises users for different resources/methods in the admin web sites based on a set of rules driven by the groups to which the users belong. I have all of this working excellently using BASIC auth (with SSL and LDAPS of course). The service is written in clojure/java and running in jetty on a linux box.
But, I demand more!! :-) What I would really like to achieve is to perform user authentication using Kerberos (or perhaps NTLM) as many of our users will be on Windows PCs connected to the corporate domain. I'd like to provide these users with a proper single sign-on experience.
Is this possible by just more coding/integration with the UnboundID SDK or do I need to change the way my architecture is set up?
If it is possible, can you suggest any examples of how I might go about doing it? Or provide pointers on how to use the UnboundID SDK in this instance? I could also do with a tiny bit of help on the right headers to send during the negotiation process. If not, what would you suggest in terms of a different approach? Given the reading around that I've been doing I have a feeling that what I want to do may not be easy or even possible.
Upvotes: 2
Views: 842
Reputation: 355
I've been looking for the same recently, and even though I haven't tried it yet, it really does look like that. GSSAPIBindRequest is said to be used for Kerberos support, and its documentation has a code sample showing how to use it:
https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/GSSAPIBindRequest.html
Upvotes: 1
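As an added example (not code from the question, the answer, or the UnboundID project): a Java method that performs the Kerberos (SASL GSSAPI) bind the answer points to, using `GSSAPIBindRequestProperties` and `GSSAPIBindRequest` over LDAPS, then asks the directory which authorization identity the bound session actually has. The realm, KDC, host, port and trust-store path are hypothetical placeholders.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.GSSAPIBindRequestProperties;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import java.security.GeneralSecurityException;

public class KerberosLdapBind {

    // Hypothetical values: replace with your AD realm, a domain controller, and a
    // trust store holding the CA certificate that issued the controller's LDAPS cert.
    static final String REALM = "EXAMPLE.CORP";
    static final String KDC = "dc1.example.corp";
    static final String LDAPS_HOST = "dc1.example.corp";
    static final int LDAPS_PORT = 636;
    static final String TRUST_STORE = "/etc/ssl/corp-ca.jks";

    /**
     * Binds to Active Directory with Kerberos (SASL GSSAPI) as the given principal.
     * Returns the authorization identity the directory reports for the session,
     * or null if the bind or the follow-up "Who Am I?" request did not succeed.
     */
    public static String kerberosBind(String principal, String password)
            throws LDAPException, GeneralSecurityException {
        GSSAPIBindRequestProperties props = new GSSAPIBindRequestProperties(principal, password);
        props.setRealm(REALM);
        props.setKDCAddress(KDC);
        // Use an existing ticket cache (e.g. from kinit) when present, else the password.
        props.setUseTicketCache(true);
        props.setRequireCachedCredentials(false);
        props.setServicePrincipalProtocol("ldap");   // targets ldap/<host>@REALM

        // Validate the controller's certificate against the corporate CA, never blindly.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
        LDAPConnection conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), LDAPS_HOST, LDAPS_PORT);
        try {
            BindResult bind = conn.bind(new GSSAPIBindRequest(props));
            if (bind.getResultCode() != ResultCode.SUCCESS) {
                return null;
            }
            // Take the identity from the directory, not from the caller-supplied name.
            WhoAmIExtendedResult who =
                (WhoAmIExtendedResult) conn.processExtendedOperation(new WhoAmIExtendedRequest());
            return who.getResultCode() == ResultCode.SUCCESS ? who.getAuthorizationID() : null;
        } finally {
            conn.close();
        }
    }
}
```

This authenticates the LDAP client itself (the supplied principal, via password or cached ticket) to the directory; it does not by itself validate a browser's SPNEGO `Negotiate` token, which is a separate GSSAPI accept step on the HTTP side.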