Hi Arran, On Mon, Jun 15, 2015 at 8:24 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
I got about 70% through writing the used auth/autz modifications last night, i'll try push those up today. They'll be v3.1.x only until someone tests them and verifies they work, and don't break other kerberos operations.
I thought it would be fun to test and fun it was. First I tried simple setup to authenticate users via ldap-bind using simple bind for admin searches as well. I had some crashes with v3.1 so I ran away to v3.0 where at first I got a linkage issue for which I had to add 'sasl.c' to the makefile and then I got the same first crashes. Not sure I understood it well but I managed to solve it with: diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c index 416a122..7cf8cae 100644 --- a/src/modules/rlm_ldap/ldap.c +++ b/src/modules/rlm_ldap/ldap.c @@ -717,7 +717,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle num = retry ? fr_connection_get_num(inst->pool) : 0; for (i = num; i >= 0; i--) { #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND - if (sasl->mech) { + if (sasl && sasl->mech) { status = rlm_ldap_sasl_interactive(inst, request, *pconn, dn, password, sasl, &error, &extra); } else Then it worked with simple-bind for admin auth so I tried to set: mech = 'GSSAPI' And then I got auth failure which - from the wireshark traces - I think was related to 'identity' directive being set with a DN so I comment it out (along with the 'password' directive) as it should not be necessary. But I got another crash which I worked around again by: diff --git a/src/modules/rlm_ldap/sasl.c b/src/modules/rlm_ldap/sasl.c index 0e58bba..f519483 100644 --- a/src/modules/rlm_ldap/sasl.c +++ b/src/modules/rlm_ldap/sasl.c @@ -63,7 +63,7 @@ static int _sasl_interact(UNUSED LDAP *handle, UNUSED unsigned flags, void *ctx, break; case SASL_CB_USER: - cb_p->result = this->extra->proxy ? this->extra->proxy : this->identity; + cb_p->result = (this->extra && this->extra->proxy) ? this->extra->proxy : this->identity; break; case SASL_CB_GETREALM: Now it works fine with Kerberos auth for admin searches using the KRB5_CLIENT_KTNAME but the fun part is when I set: mech = 'GSS-SPNEGO' It uses spnego and when KRB5_CLIENT_KTNAME is not available it fails-over to using my NTLM system credentials and works fine (lookup gss-ntlmssp for details). Regards, Isaac B.