On 15 Jun 2015, at 21:07, Isaac Boukris <iboukris@gmail.com> wrote:
Hi Arran,
On Mon, Jun 15, 2015 at 8:24 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
I got about 70% through writing the used auth/autz modifications last night, i'll try push those up today. They'll be v3.1.x only until someone tests them and verifies they work, and don't break other kerberos operations.
I thought it would be fun to test and fun it was.
First I tried simple setup to authenticate users via ldap-bind using simple bind for admin searches as well. I had some crashes with v3.1 so I ran away to v3.0 where at first I got a linkage issue for which I had to add 'sasl.c' to the makefile and then I got the same first crashes.
Ah, sorry about that. It was only previously tested with EXTERNAL and was waiting for further tests. Another guy was complaining about the non-interactive version not being useful, so I backported it, a little too hastily apparently.
Not sure I understood it well but I managed to solve it with:
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c index 416a122..7cf8cae 100644 --- a/src/modules/rlm_ldap/ldap.c +++ b/src/modules/rlm_ldap/ldap.c @@ -717,7 +717,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle num = retry ? fr_connection_get_num(inst->pool) : 0; for (i = num; i >= 0; i--) { #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND - if (sasl->mech) { + if (sasl && sasl->mech) {
That's the correct fix.
Then it worked with simple-bind for admin auth so I tried to set: mech = 'GSSAPI' And then I got auth failure which - from the wireshark traces - I think was related to 'identity' directive being set with a DN so I comment it out (along with the 'password' directive) as it should not be necessary.
Well you control the value sent in identity. So if it was a DN that's what you had in the config file... I hope?
But I got another crash which I worked around again by:
diff --git a/src/modules/rlm_ldap/sasl.c b/src/modules/rlm_ldap/sasl.c index 0e58bba..f519483 100644 --- a/src/modules/rlm_ldap/sasl.c +++ b/src/modules/rlm_ldap/sasl.c @@ -63,7 +63,7 @@ static int _sasl_interact(UNUSED LDAP *handle, UNUSED unsigned flags, void *ctx, break;
case SASL_CB_USER: - cb_p->result = this->extra->proxy ? this->extra->proxy : this->identity; + cb_p->result = (this->extra && this->extra->proxy) ? this->extra->proxy : this->identity; break;
Not the correct fix. I've pushed another one.
case SASL_CB_GETREALM:
Now it works fine with Kerberos auth for admin searches using the KRB5_CLIENT_KTNAME but the fun part is when I set: mech = 'GSS-SPNEGO' It uses spnego and when KRB5_CLIENT_KTNAME is not available it fails-over to using my NTLM system credentials and works fine (lookup gss-ntlmssp for details).
Hehe, as it should I guess, that's neat. Thankyou very much for testing and providing feedback. I've pushed fixes for the issues you've encountered and updated the default ldap config file. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2