Authenticate to LDAP with GSSAPI

Isaac Boukris iboukris at gmail.com
Wed Jun 17 01:02:15 CEST 2015


On Tue, Jun 16, 2015 at 5:55 AM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>
>> On 15 Jun 2015, at 21:07, Isaac Boukris <iboukris at gmail.com> wrote:
>> Then it worked with simple-bind for admin auth so I tried to set:
>> mech = 'GSSAPI'
>> And then I got auth failure which - from the wireshark traces - I
>> think was related to 'identity' directive being set with a DN so I
>> comment it out (along with the 'password' directive) as it should not
>> be necessary.
>
> Well you control the value sent in identity. So if it was a DN that's
> what you had in the config file... I hope?

Yeah, it was the DN of the same user principal that's in the keytab.
Perhaps specifying it implies simple-bind (no SASL).

>> Now it works fine with Kerberos auth for admin searches using the
>> KRB5_CLIENT_KTNAME but the fun part is when I set:
>> mech = 'GSS-SPNEGO'
>> It uses spnego and when KRB5_CLIENT_KTNAME is not available it
>> fails-over to using my NTLM system credentials and works fine (lookup
>> gss-ntlmssp for details).
>
> Hehe, as it should I guess, that's neat.

Yes, funny how many pseudo mechanisms though -
sasl(gssapi(spnego(actual_mech))) ;-)

However, I just found out it doesn't fully work well yet :-(
The bind succeeds, but later when radiusd makes a search query the LDAP
server (AD) simply does not respond (it does respond if simple-bind is used).

It puzzled me for a while till I compared network traces with the
equivalent "ldapsearch -Y GSSAPI" command.
It appears that when GSSAPI is used then 'ldapsearch' will also use an
encryption wrapping scheme to envelop the subsequent search requests
to the server.
My guess is that the server does not respond because it expects that
(see attached capture - at the very end you can see the successful
ldapsearch).

Need to look into it; perhaps it's negotiable or some SASL library
calls should be changed.
I'll try to look into the ldapsearch code and investigate further - ideas
for solutions are welcome :)

> Thank you very much for testing and providing feedback. I've pushed fixes
> for the issues you've encountered and updated the default ldap config file.

I can confirm the crashes are gone and it works well.
I still have the run-time linkage issue unless I add 'sasl.c' to
'rlm_ldap/all.mk.in' with v3.0 (I'm no build-tools expert).

Thank you guys for this great and open source software.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fr_ldaps.pcap
Type: application/octet-stream
Size: 32019 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150617/8af47aa5/attachment-0001.obj>
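The wrapping observed above is the SASL GSSAPI security layer (RFC 4752): once the Kerberos context is established, the server sends a 4-octet token offering none/integrity/confidentiality plus a maximum message size, the client picks exactly one layer and answers with its own limit, and every later LDAP PDU must then be GSS-wrapped at that level, so a client that bound with confidentiality but sends plain search PDUs gets no answer. The following is an added example, not code from the thread or from FreeRADIUS: a Python model of that negotiation with constructed tokens, Cyrus-SASL-style min/max SSF policy values assumed, and the GSS wrap/unwrap around the tokens themselves omitted.

```python
"""Model of the RFC 4752 SASL GSSAPI security-layer negotiation (added example)."""

# Layer bits carried in the first octet of both negotiation tokens (RFC 4752 sec. 3.1)
NO_LAYER = 0x01
INTEGRITY = 0x02
CONFIDENTIALITY = 0x04
_KNOWN_LAYERS = NO_LAYER | INTEGRITY | CONFIDENTIALITY


def decode_server_token(token: bytes) -> tuple[int, int]:
    """Parse the server's 4-octet token (already gss_unwrap'ed): layer bitmask + max size."""
    if len(token) != 4:
        raise ValueError("server security-layer token must be exactly 4 octets")
    layers = token[0]
    if layers & ~_KNOWN_LAYERS or layers == 0:
        raise ValueError(f"unsupported security-layer bitmask: {layers:#04x}")
    max_size = int.from_bytes(token[1:], "big")  # 24-bit, network byte order
    return layers, max_size


def choose_layer(offered: int, max_ssf: int, min_ssf: int = 0) -> int:
    """Pick the strongest offered layer allowed by client policy.

    SSF values are an assumption modelled on Cyrus SASL: confidentiality 56,
    integrity 1, no layer 0. max_ssf=0 forbids any layer; min_ssf>0 demands one.
    """
    for bit, ssf in ((CONFIDENTIALITY, 56), (INTEGRITY, 1), (NO_LAYER, 0)):
        if offered & bit and min_ssf <= ssf <= max_ssf:
            return bit
    raise RuntimeError("no security layer satisfies both the server offer and client policy")


def encode_client_token(layer: int, max_size: int, authzid: str = "") -> bytes:
    """Build the client's reply: chosen layer, 24-bit max size, optional authzid."""
    if layer not in (NO_LAYER, INTEGRITY, CONFIDENTIALITY):
        raise ValueError("exactly one layer bit must be selected")
    if not 0 <= max_size < (1 << 24):
        raise ValueError("max size must fit in 24 bits")
    return bytes([layer]) + max_size.to_bytes(3, "big") + authzid.encode("utf-8")


def negotiate(server_token: bytes, max_ssf: int, min_ssf: int = 0, authzid: str = "") -> tuple[int, bytes]:
    """Run the client side: decode the offer, apply policy, return (layer, reply token)."""
    offered, server_max = decode_server_token(server_token)
    layer = choose_layer(offered, max_ssf, min_ssf)
    # RFC 4752: the size MUST be 0 when no security layer is selected
    client_max = 0 if layer == NO_LAYER else server_max
    return layer, encode_client_token(layer, client_max, authzid)
```

With OpenLDAP's client tools the same choice is exposed through the `-O` security-properties option (for example `maxssf=0` to decline any layer), which is the practical meaning of "negotiable" here.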