Authenticate to LDAP with GSSAPI

Isaac Boukris iboukris at gmail.com
Tue Jun 16 03:07:22 CEST 2015


Hi Arran,

On Mon, Jun 15, 2015 at 8:24 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
> I got about 70% through writing the used auth/autz modifications last night, I'll try push those up today. They'll be v3.1.x only until someone tests them and verifies they work, and don't break other kerberos operations.

I thought it would be fun to test and fun it was.

First I tried a simple setup to authenticate users via ldap-bind, using
simple bind for the admin searches as well.
I had some crashes with v3.1, so I ran away to v3.0, where at first I
got a linkage issue for which I had to add 'sasl.c' to the makefile,
and then I got the same crashes as before.

Not sure I understood it well but I managed to solve it with:

diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index 416a122..7cf8cae 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -717,7 +717,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst,
REQUEST *request, ldap_handle
        num = retry ? fr_connection_get_num(inst->pool) : 0;
        for (i = num; i >= 0; i--) {
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND
-               if (sasl->mech) {
+               if (sasl && sasl->mech) {
                        status = rlm_ldap_sasl_interactive(inst,
request, *pconn, dn, password, sasl,
                                                           &error, &extra);
                } else
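Review bot: the guard `if (sasl && sasl->mech)` stops the crash for a plain simple bind, but it leaves open why `rlm_ldap_bind` is called with `sasl == NULL` in the first place; if NULL is a legitimate "no SASL configured" value, document that on the `sasl` parameter so other callers know, otherwise have the simple-bind callers pass an empty `sasl` struct and keep the original `if (sasl->mech)` check.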

Then it worked with simple bind for admin auth, so I tried to set:
mech = 'GSSAPI'
And then I got an auth failure which, from the Wireshark traces, I
think was related to the 'identity' directive being set to a DN, so I
commented it out (along with the 'password' directive) as it should not
be necessary.

But I got another crash which I worked around again by:

diff --git a/src/modules/rlm_ldap/sasl.c b/src/modules/rlm_ldap/sasl.c
index 0e58bba..f519483 100644
--- a/src/modules/rlm_ldap/sasl.c
+++ b/src/modules/rlm_ldap/sasl.c
@@ -63,7 +63,7 @@ static int _sasl_interact(UNUSED LDAP *handle,
UNUSED unsigned flags, void *ctx,
                                break;

                        case SASL_CB_USER:
-                               cb_p->result = this->extra->proxy ?
this->extra->proxy : this->identity;
+                               cb_p->result = (this->extra &&
this->extra->proxy) ? this->extra->proxy : this->identity;
                                break;

                        case SASL_CB_GETREALM:
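Review bot: the `(this->extra && this->extra->proxy)` guard in the SASL_CB_USER case is the same NULL-struct defect as the ldap.c one, so `extra` should be documented as optional where the context struct is defined rather than checked ad hoc at each use; note also that with the `identity` directive removed, `cb_p->result` is NULL here, which is what the working GSSAPI run relies on (the library falls back to the default credential), so that intent deserves a comment on this line.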

Now it works fine with Kerberos auth for admin searches using the
KRB5_CLIENT_KTNAME, but the fun part is when I set:
mech = 'GSS-SPNEGO'
It uses SPNEGO, and when KRB5_CLIENT_KTNAME is not available it
fails over to using my NTLM system credentials and works fine (look up
gss-ntlmssp for details).

Regards,
Isaac B.
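As an added example (not rlm_ldap's own code), here is the SASL interact callback written so that neither a missing `extra` struct nor an unset `identity` can crash it; the SASL_CB_* ids and `sasl_interact_t` are declared locally with their real values so it builds without sasl.h, and the context struct is an assumption modelled on the snippet above.

```c
#include <stddef.h>
#include <string.h>
/* Cyrus SASL prompt ids and sasl_interact_t, declared locally (real values and
 * layout) so this builds without sasl.h; the context struct below is assumed. */
#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001
#define SASL_CB_AUTHNAME 0x4002
#define SASL_CB_PASS     0x4004
#define SASL_CB_GETREALM 0x4008
#define LDAP_SUCCESS     0
typedef struct {
    unsigned long id;                 /* which value the library is asking for */
    const char *challenge, *prompt, *defresult;
    const void *result;               /* the answer; NULL = library default */
    unsigned len;
} sasl_interact_t;
/* Assumed per-bind context: extra and every string may legitimately be NULL
 * (identity commented out => authenticate as the keytab principal). */
typedef struct { const char *proxy, *realm; } sasl_extra_t;
typedef struct { const char *identity, *password; sasl_extra_t *extra; } sasl_ctx_t;

static void answer(sasl_interact_t *cb, const char *v) {
    cb->result = v;
    cb->len = v ? (unsigned)strlen(v) : 0;   /* keep len consistent with result */
}

/* NULL-safe interact callback: no field is read without checking its holder. */
int sasl_interact_safe(void *ctx, void *in) {
    sasl_ctx_t *this = ctx;
    for (sasl_interact_t *cb = in; cb->id != SASL_CB_LIST_END; cb++) {
        switch (cb->id) {
        case SASL_CB_AUTHNAME: answer(cb, this->identity); break;
        case SASL_CB_PASS:     answer(cb, this->password); break;
        case SASL_CB_USER:     /* authzid: proxy user if configured, else identity */
            answer(cb, (this->extra && this->extra->proxy) ? this->extra->proxy : this->identity);
            break;
        case SASL_CB_GETREALM: answer(cb, this->extra ? this->extra->realm : NULL); break;
        default:               answer(cb, cb->defresult); break;
        }
    }
    return LDAP_SUCCESS;
}

/* Exercise one prompt id against an identity/proxy pair; proxy NULL => no extra. */
const char *answer_for(unsigned long id, const char *identity, const char *proxy) {
    sasl_extra_t extra = { proxy, NULL };
    sasl_ctx_t ctx = { identity, NULL, proxy ? &extra : NULL };
    sasl_interact_t prompts[2] = { { id, NULL, NULL, NULL, NULL, 0 }, { SASL_CB_LIST_END, NULL, NULL, NULL, NULL, 0 } };
    sasl_interact_safe(&ctx, prompts);
    return prompts[0].result;
}
```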

