How to change kerberos passwords in Java

I have to admin kerberos users directly in Java (J2EE web-app). How can I do the equivalent to kpasswd (or kadmin) command with/without extra lib? I found a few commercial APIs but they are very expensive...

Than开发者_StackOverflow社区k you for your help

The Kerberos Change Password protocol has been implemented in ApacheDS http://directory.apache.org/.

« Besides LDAP it supports Kerberos 5 and the Change Password Protocol. »

It's in Java, Open Source and Free as in beer.

Can you just invoke kpasswd from your application?

String cmd = "kpasswd -principal foo -passwd bar";
Runtime rt = Runtime.getRuntime();
Process pr = rt.exec(cmd);
pr.waitFor();
BufferedReader r = new BufferedReader(new InputStreamReader(pr.getInputStream()));
String line = "";
while ((line=r.readLine()) != null) {
  // TODO process response
}
r.close();

Using ApacheDS - Maven:

<dependency>
    <groupId>org.apache.directory.server</groupId>
    <artifactId>kerberos-client</artifactId>
    <version>2.0.0-M21</version>
</dependency>

Java:

KdcConfig config = KdcConfig.getDefaultConfig();
config.setHostName("ldap.server.cz");
config.setUseUdp(false);

Set<EncryptionType> enct = new HashSet<EncryptionType>();
enct.add(EncryptionType.AES256_CTS_HMAC_SHA1_96);
config.setEncryptionTypes(enct);

KdcConnection conn = new KdcConnection(config);
ChangePasswordResult res = conn.changePassword(userPrincipal, userPassword, "NewPassword");
if (res.getCode().compareTo(ChangePasswordResultCode.KRB5_KPASSWD_SUCCESS) == 0) {
    System.out.println("Password was changed!");
} else {
    System.out.println("Password change error - " + res.getCode().name());
}

You have to allow port 464 (tcp or udp, depends on what protocol you use).

Problem is that this returns me KRB5_KPASSWD_MALFORMED all the time :( Error codes description - https://www.ietf.org/proceedings/50/I-D/cat-kerberos-set-passwd-04.txt .