The marvel of the LoginContext and the PrivilegedAction!
The Calypso Admin application is progressing well. I'm now able to modify all of the LDAP data for users (except the picture, which can wait for later). This is all done via credentials provided at login and stored in a LoginContext. PrivilegedActions are then performed as the authenticated Subject.

import java.security.PrivilegedAction;
import javax.naming.NamingEnumeration;
import javax.security.auth.Subject;
Subject currentSubject = CalypsoadminApp.userContext.getSubject(); // Subject from the LoginContext created at login
PrivilegedAction currentGetUser = new getUser(currentuser.getUid()); // getUser is the app's own PrivilegedAction that does the LDAP lookup
NamingEnumeration neUser = (NamingEnumeration)Subject.doAsPrivileged(currentSubject, currentGetUser, null); // null context: runs with the Subject alone, not the caller's context

What's even more amazing is how well the people at JCraft have implemented LoginContexts in their pure-Java SSH client (JSch). This will let me create a new context as [user]/admin, and run ssh commands like kadmin as that Kerberos user with nothing more than:

session.setConfig("userauth.gssapi-with-mic", "com.jcraft.jsch.UserAuthGSSAPIWithMIC");

when run as a PrivilegedAction!
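The whole flow end to end, as an added example that is not the Calypso Admin code: a JAAS login with Krb5LoginModule, then a JSch session opened inside Subject.doAsPrivileged so that GSSAPI-with-MIC picks up the Subject's Kerberos ticket. The JAAS entry name "CalypsoAdmin", the class name and the command-line arguments are assumptions.

```java
import com.jcraft.jsch.ChannelExec;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import java.io.InputStream;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;

// Added example, not the Calypso Admin code. Assumes a JAAS entry "CalypsoAdmin" (assumed name),
// e.g.  CalypsoAdmin { com.sun.security.auth.module.Krb5LoginModule required; };
// in the file named by -Djava.security.auth.login.config, and JSch on the classpath.
public class KerberosSshAsSubject {
    public static void main(String[] args) throws Exception {
        String principal = args[0];   // Kerberos principal, e.g. "alice/admin" (placeholder)
        String sshUser   = args[1];   // login name the SSH server expects (placeholder)
        String host      = args[2];   // SSH host (placeholder)
        char[] password  = System.console().readPassword("Password for %s: ", principal);
        // 1. Authenticate to Kerberos: on success the Subject holds the TGT as a private credential.
        LoginContext lc = new LoginContext("CalypsoAdmin", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        });
        lc.login();
        Arrays.fill(password, '\0');  // the ticket is what we use from here on; drop the password
        Subject subject = lc.getSubject();
        // 2. Run the SSH session as that Subject. A null AccessControlContext means the action runs
        //    with the Subject alone, not the caller's context, so keep the action small.
        String output = Subject.doAsPrivileged(subject, (PrivilegedExceptionAction<String>) () -> {
            JSch jsch = new JSch();
            jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts"); // keep host key checking
            Session session = jsch.getSession(sshUser, host, 22);
            session.setConfig("userauth.gssapi-with-mic", "com.jcraft.jsch.UserAuthGSSAPIWithMIC");
            session.setConfig("PreferredAuthentications", "gssapi-with-mic");
            session.connect();  // JGSS finds the Kerberos credentials in the current Subject
            ChannelExec ch = (ChannelExec) session.openChannel("exec");
            ch.setCommand("kadmin -q listprincs");
            InputStream in = ch.getInputStream();
            ch.connect();
            String out = new String(in.readAllBytes());
            ch.disconnect();
            session.disconnect();
            return out;
        }, null);
        System.out.print(output);
        lc.logout();  // destroys the Subject's Kerberos credentials
    }
}
```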
