Authenticate to LDAP with GSSAPI
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Jun 16 04:55:07 CEST 2015
> On 15 Jun 2015, at 21:07, Isaac Boukris <iboukris at gmail.com> wrote:
>
> Hi Arran,
>
> On Mon, Jun 15, 2015 at 8:24 PM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>> I got about 70% through writing the used auth/autz modifications last night, I'll try to push those up today. They'll be v3.1.x only until someone tests them and verifies they work, and don't break other kerberos operations.
>
> I thought it would be fun to test and fun it was.
>
> First I tried a simple setup to authenticate users via ldap-bind, using
> simple bind for admin searches as well.
> I had some crashes with v3.1 so I ran away to v3.0 where at first I
> got a linkage issue for which I had to add 'sasl.c' to the makefile
> and then I got the same first crashes.
Ah, sorry about that. It was only previously tested with EXTERNAL and was
waiting for further tests. Another guy was complaining about the non-interactive
version not being useful, so I backported it, a little too hastily apparently.
> Not sure I understood it well but I managed to solve it with:
>
> diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
> index 416a122..7cf8cae 100644
> --- a/src/modules/rlm_ldap/ldap.c
> +++ b/src/modules/rlm_ldap/ldap.c
> @@ -717,7 +717,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst,
> REQUEST *request, ldap_handle
> num = retry ? fr_connection_get_num(inst->pool) : 0;
> for (i = num; i >= 0; i--) {
> #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND
> - if (sasl->mech) {
> + if (sasl && sasl->mech) {
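Review bot: the added `sasl &&` guard covers exactly the NULL-pointer case that the bare `sasl->mech` test missed, so the condition is now complete for this dereference; one thing to confirm is that no other use of `sasl` inside the `#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND` block sits outside this `if`, since anything that does would need the same guard.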
That's the correct fix.
> Then it worked with simple-bind for admin auth so I tried to set:
> mech = 'GSSAPI'
> And then I got auth failure which - from the wireshark traces - I
> think was related to 'identity' directive being set with a DN so I
> commented it out (along with the 'password' directive) as it should not
> be necessary.
Well you control the value sent in identity. So if it was a DN that's
what you had in the config file... I hope?
> But I got another crash which I worked around again by:
>
> diff --git a/src/modules/rlm_ldap/sasl.c b/src/modules/rlm_ldap/sasl.c
> index 0e58bba..f519483 100644
> --- a/src/modules/rlm_ldap/sasl.c
> +++ b/src/modules/rlm_ldap/sasl.c
> @@ -63,7 +63,7 @@ static int _sasl_interact(UNUSED LDAP *handle,
> UNUSED unsigned flags, void *ctx,
> break;
>
> case SASL_CB_USER:
> - cb_p->result = this->extra->proxy ?
> this->extra->proxy : this->identity;
> + cb_p->result = (this->extra &&
> this->extra->proxy) ? this->extra->proxy : this->identity;
> break;
Not the correct fix. I've pushed another one.
>
> case SASL_CB_GETREALM:
>
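Review bot: guarding `this->extra` only at the `SASL_CB_USER` site is a point fix; the `SASL_CB_GETREALM` case directly below most likely reads the same `this->extra`, which suggests a NULL `extra` should be handled once where the interact context is built (or `extra` always allocated) rather than in each `case`, in line with the author's reply that a different fix was pushed.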
> Now it works fine with Kerberos auth for admin searches using the
> KRB5_CLIENT_KTNAME but the fun part is when I set:
> mech = 'GSS-SPNEGO'
> It uses spnego and when KRB5_CLIENT_KTNAME is not available it
> fails over to using my NTLM system credentials and works fine (lookup
> gss-ntlmssp for details).
Hehe, as it should I guess, that's neat.
Thank you very much for testing and providing feedback. I've pushed fixes
for the issues you've encountered and updated the default ldap config file.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
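For reference, an added configuration example (not from the thread or the FreeRADIUS repository) showing the two admin-bind setups discussed above side by side: the simple bind with a DN and cleartext password, and the SASL GSSAPI bind where identity and password are left unset and the keytab comes from KRB5_CLIENT_KTNAME. The 'sasl' subsection keys (mech, proxy, realm) are assumed to match what raddb/mods-available/ldap ships in 3.0.x; hostnames, DNs and paths are placeholders.

```text
# Added example (not part of the thread): rlm_ldap instance using a
# Kerberos/GSSAPI admin bind for searches.
# Assumed: sasl { mech, proxy, realm } keys as in raddb/mods-available/ldap.
ldap {
	server = 'ldap.example.org'

	#  Simple bind (the setup that worked first in the thread).
	#  The bind DN and a cleartext secret live in the config file.
#	identity = 'cn=admin,dc=example,dc=org'
#	password = 'changeme'

	#  SASL bind: leave 'identity' and 'password' unset.  The thread
	#  attributes the first GSSAPI failure to a DN left in 'identity';
	#  with GSSAPI the principal comes from the keytab/credential cache.
	sasl {
		mech = 'GSSAPI'
		#  Use GSS-SPNEGO instead to negotiate Kerberos and, with
		#  gss-ntlmssp installed, fall back to NTLM when no keytab is available.
#		mech = 'GSS-SPNEGO'

		#  Optional authorisation identity (answered for SASL_CB_USER).
		#  Leave unset to authorise as the Kerberos principal itself.
#		proxy = 'autz_id'

		#  Optional realm (answered for SASL_CB_GETREALM).
#		realm = 'EXAMPLE.ORG'
	}

	user {
		base_dn = 'ou=people,dc=example,dc=org'
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# Keytab for the admin bind is supplied via the environment, e.g. (placeholder path):
#   KRB5_CLIENT_KTNAME=/etc/raddb/radiusd.keytab radiusd -X
```

The keytab should be readable only by the user radiusd runs as; with the simple-bind lines removed, no cleartext bind secret remains in the config file.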