Authenticate to LDAP with GSSAPI

Isaac Boukris iboukris at gmail.com
Sun Jun 21 18:31:36 CEST 2015


Hi Arran / all,

On Wed, Jun 17, 2015 at 9:17 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> I've made some progress with my 'LDAP not responding problem'.
>
> If I set "SASL_SECPROPS maxssf=0" in my 'ldap.conf' file then both
> 'ldapsearch' and 'radiusd' won't encrypt the search request and -
> most importantly - the LDAP server answers to both of them!
> So I guess we can call that 'working' for now as the admin
> authentication uses Kerberos.
>
> I'll try however to investigate further why 'radiusd' won't encrypt
> like 'ldapsearch' does when I don't limit 'ssf'.
> Also interesting to understand how this is negotiated at the SASL level
> (as I'm convinced now).

I've made some more progress.
The difference between 'radiusd' and 'ldapsearch' seems to be at the
'bind' stage, where 'ldapsearch' calls 'ldap_sasl_interactive_bind()'
one more time compared to 'radiusd'.
It seems that in this last call the ldap library checks the 'ssf' and
sets the security layers (encoding and decoding callbacks, see
'ldap_int_sasl_bind').

I notice that 'ldapsearch' loops over the return value from the
'ldap_sasl_interactive_bind()' call:
https://github.com/osstech-jp/openldap/blob/wiredtiger/clients/tools/common.c#L1586

We instead loop over the return value from the 'rlm_ldap_result()' call:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/src/modules/rlm_ldap/sasl.c#L148

When I change the loop in 'radiusd' to 'while (ret !=
LDAP_SASL_BIND_IN_PROGRESS)' I can see that we go further in the flow,
since 'radiusd -X' prints more SASL-related lines similar to what
'ldapsearch' prints (it used to print only the first line that starts
with SASL).

rlm_ldap (ldap): Opening additional connection (0), 1 of 1 pending slots used
rlm_ldap (ldap): Connecting to ldap://ms.frenche.cp:389
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
SASL username: anna at FRENCHE.CP
SASL SSF: 56
SASL data security layer installed.
rlm_ldap (ldap): Bind with (anonymous) to ldap://ms.frenche.cp:389
failed: Timed out while waiting for server to respond
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/usr/local/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for
module "ldap"

Of course it now fails (anonymous?) as I probably messed up the code
logic, but it seems to be the right direction.
I'd like to investigate further but I could use some assistance and ideas ;-)

Regards,
Isaac B.
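The "SASL_SECPROPS maxssf=0" workaround quoted above turns off the SASL security layer, so everything after the GSSAPI bind crosses the wire in clear text. As an added example that is not part of the thread or of either project's code, here is a POSIX shell check that flags that setting in an ldap.conf file; the sample config it reads is constructed.

```shell
#!/bin/sh
# Constructed sample ldap.conf reproducing the workaround from the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real deployment
BASE dc=example,dc=test
URI ldap://ldap.example.test:389
SASL_MECH GSSAPI
SASL_SECPROPS maxssf=0
EOF

# check_secprops FILE
# Looks at the last active SASL_SECPROPS directive (later lines override
# earlier ones; keywords are case-insensitive; '#' lines are comments).
# Returns 0 when no maxssf=0 is present, 1 when it is: with maxssf=0 the
# GSSAPI bind negotiates no integrity/privacy layer, so every LDAP
# operation after the bind is sent unencrypted.
check_secprops() {
    conf="$1"
    line=$(grep -i '^[[:space:]]*SASL_SECPROPS' "$conf" | tail -n 1)
    if [ -z "$line" ]; then
        echo "no SASL_SECPROPS directive in $conf (library defaults apply)"
        return 0
    fi
    # second whitespace-separated field is the comma-separated property list
    props=$(printf '%s\n' "$line" | awk '{print $2}')
    if printf '%s\n' "$props" | tr ',' '\n' | grep -qi '^maxssf=0$'; then
        echo "WARNING: $conf sets '$props': SASL security layer disabled," \
             "LDAP traffic after the GSSAPI bind is clear text"
        return 1
    fi
    echo "OK: $conf sets '$props'"
    return 0
}

# Run inside 'if' so a failing check does not abort the script under set -e.
if check_secprops "$SAMPLE_CONF"; then
    echo "no change needed"
fi
rm -f "$SAMPLE_CONF"
```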

