Authenticate to LDAP with GSSAPI

Isaac Boukris iboukris at gmail.com
Sun Jun 21 19:11:28 CEST 2015


On Sun, Jun 21, 2015 at 7:31 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> Hi Arran / all,
>
> On Wed, Jun 17, 2015 at 9:17 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> I've made some progress with my 'LDAP not responding problem'.
>>
>> If I set "SASL_SECPROPS maxssf=0" in my 'ldap.conf' file then both
>> 'ldapsearch' and 'radiusd' won't encrypt the search request and -
>> most importantly - the LDAP server answers to both of them!
>> So I guess we can call that 'working' for now as the admin
>> authentication uses Kerberos.
>>
>> I'll try however to investigate further why 'radiusd' won't encrypt
>> like 'ldapsearch' does when I don't limit 'ssf'.
>> Also interesting to understand how this is negotiated at the SASL level
>> (as I'm convinced now).
>
> I've made some more progress.
> The difference between 'radiusd' and 'ldapsearch' seems to be at the
> 'bind' stage where 'ldapsearch' calls 'ldap_sasl_interactive_bind()'
> one more time compared to 'radiusd'.
> It seems that in this last call the ldap library checks the 'ssf' and
> sets the security layers (encoding and decoding callbacks, see in
> 'ldap_int_sasl_bind').
>
> I notice that while 'ldapsearch' loops over the return value from
> 'ldap_sasl_interactive_bind()' call:
> https://github.com/osstech-jp/openldap/blob/wiredtiger/clients/tools/common.c#L1586
>
> We instead loop over the return value from 'rlm_ldap_result()' call:
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/src/modules/rlm_ldap/sasl.c#L148
>
> When I change the loop in 'radiusd' to 'while (ret !=
> LDAP_SASL_BIND_IN_PROGRESS)' I can see that we go further in the flow
> since 'radiusd -X' prints more sasl related lines similar to what
> 'ldapsearch' prints (it used to print only the first line that starts
> with SASL).
>
> rlm_ldap (ldap): Opening additional connection (0), 1 of 1 pending slots used
> rlm_ldap (ldap): Connecting to ldap://ms.frenche.cp:389
> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> SASL username: anna at FRENCHE.CP
> SASL SSF: 56
> SASL data security layer installed.
> rlm_ldap (ldap): Bind with (anonymous) to ldap://ms.frenche.cp:389
> failed: Timed out while waiting for server to respond
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /usr/local/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for
> module "ldap"
>
> Of course it now fails (anonymous?) as I probably messed up the code
> logic but it seems the right direction.
> I'd like to investigate further but I could use some assistance and ideas ;-)

Ok, I got it to actually work (including the encryption / sealing part).
Here is the working diff (LDAP_SASL_BIND_IN_PROGRESS = 14):

diff --git a/src/modules/rlm_ldap/sasl.c b/src/modules/rlm_ldap/sasl.c
index 5686f2b..2d61107 100644
--- a/src/modules/rlm_ldap/sasl.c
+++ b/src/modules/rlm_ldap/sasl.c
@@ -125,6 +125,7 @@ ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t
const *inst, REQUEST *request,
                                                 NULL, NULL,
LDAP_SASL_AUTOMATIC,
                                                 _sasl_interact,
&sasl_ctx, result,
                                                 &mech, &msgid);
+               if(ret != 14) break;
                ldap_msgfree(result);   /* We always need to free the
old message */
                if (ret >= 0) MOD_ROPTIONAL(RDEBUG3, DEBUG3,
"Continuing SASL mech %s...", mech);
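
Review bot: the new `if(ret != 14) break;` hard-codes the return code and leaves the loop body before `status` is updated; since the function ends with `return status;`, a bind call that returns an LDAP error (anything other than LDAP_SASL_BIND_IN_PROGRESS or a continuing result) on the first round hands the caller whatever `status` held beforehand rather than the bind failure. Use the named constant with the file's own spacing, `if (ret != LDAP_SASL_BIND_IN_PROGRESS) break;`, and map `ret` into `status` before breaking (or place the break after the existing error handling) so a failed bind is reported as a failure.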

@@ -145,7 +146,7 @@ ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t
const *inst, REQUEST *request,
                                ldap_memfree(srv_cred);
                        }
                }
-       } while (status == LDAP_PROC_CONTINUE);
+       } while (ret == 14);
        ldap_msgfree(result);

        return status;
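
Review bot: `} while (ret == 14);` should read `while (ret == LDAP_SASL_BIND_IN_PROGRESS)`, and because the condition no longer consults `status`, an `LDAP_PROC_CONTINUE` result from processing the server's intermediate message is now ignored: `ret` alone drives the loop. That is the right signal for an interactive SASL bind, but `status` must then be derived from the final value of `ret` before `return status;`, otherwise a bind that ends with an LDAP error returns the status of the last successful intermediate step.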

Needs some polishing etc. but this works :)

Regards,
Isaac B.
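The control flow the thread converges on, as an added example that is not part of the original message or of FreeRADIUS: the caller keeps invoking the bind step as long as it returns LDAP_SASL_BIND_IN_PROGRESS, and only the final call (the one that returns LDAP_SUCCESS) installs the SASL security layer. The code below models that with a constructed `fake_ldap_t` handle and hypothetical `fake_sasl_bind_step()`, `fake_fetch_result()` and `fake_msgfree()` stand-ins for libldap's `ldap_sasl_interactive_bind()`, `ldap_result()` and `ldap_msgfree()`, so it runs without an LDAP server or Kerberos; the return-code values are the real ones from OpenLDAP's ldap.h.

```c
#include <assert.h>
#include <stdio.h>

/* Return codes as defined in OpenLDAP's ldap.h (real values). */
#define LDAP_SUCCESS                0x00
#define LDAP_SASL_BIND_IN_PROGRESS  0x0e   /* 14, the value quoted in the thread */
#define LDAP_INVALID_CREDENTIALS    0x31

/*
 * Constructed stand-in for the client-side SASL state. A real libldap keeps
 * this inside the LDAP handle and installs the encode/decode callbacks in
 * ldap_int_sasl_bind() once the mechanism reports that it has finished.
 */
typedef struct {
    int steps_total;      /* server round trips the mechanism needs */
    int steps_done;
    int negotiated_ssf;   /* strength the mechanism will end up with */
    int ssf;              /* 0 until the security layer is installed */
    int layer_installed;
    int fail_at_step;     /* constructed fault injection: 0 = never fail */
    int result_pending;   /* nonzero while a server reply is held */
} fake_ldap_t;

/* Hypothetical stand-in for ldap_sasl_interactive_bind(): one mechanism step. */
static int fake_sasl_bind_step(fake_ldap_t *ld, int *msgid)
{
    ld->steps_done++;
    *msgid = ld->steps_done;
    if (ld->fail_at_step && ld->steps_done == ld->fail_at_step)
        return LDAP_INVALID_CREDENTIALS;
    if (ld->steps_done < ld->steps_total)
        return LDAP_SASL_BIND_IN_PROGRESS;   /* fetch the server reply and call again */
    /* Final step: mechanism complete, security layer goes live here. */
    ld->ssf = ld->negotiated_ssf;
    ld->layer_installed = (ld->ssf > 0);
    return LDAP_SUCCESS;
}

/* Hypothetical stand-ins for ldap_result() and ldap_msgfree(). */
static void fake_fetch_result(fake_ldap_t *ld, int msgid) { (void)msgid; ld->result_pending = 1; }
static void fake_msgfree(fake_ldap_t *ld) { ld->result_pending = 0; }

/*
 * Correct driver: the loop is keyed on the bind call's own return code,
 * not on the outcome of processing the intermediate server message.
 */
static int sasl_bind_loop(fake_ldap_t *ld)
{
    int rc, msgid;
    do {
        rc = fake_sasl_bind_step(ld, &msgid);
        fake_msgfree(ld);                       /* free the previous round's message */
        if (rc != LDAP_SASL_BIND_IN_PROGRESS) break;
        fake_fetch_result(ld, msgid);           /* next round consumes this reply */
    } while (rc == LDAP_SASL_BIND_IN_PROGRESS);
    return rc;
}

/* Stopping after a single step, as the thread describes: no layer is installed. */
static int sasl_bind_once(fake_ldap_t *ld)
{
    int msgid;
    int rc = fake_sasl_bind_step(ld, &msgid);
    fake_msgfree(ld);
    return rc;
}

int main(void)
{
    /* Constructed GSSAPI-style exchange: three round trips, SSF 56 as in the log. */
    fake_ldap_t ld = { 3, 0, 56, 0, 0, 0, 0 };
    int rc = sasl_bind_loop(&ld);
    printf("rc=%d steps=%d ssf=%d layer=%d\n", rc, ld.steps_done, ld.ssf, ld.layer_installed);

    fake_ldap_t once = { 3, 0, 56, 0, 0, 0, 0 };
    rc = sasl_bind_once(&once);
    printf("rc=%d steps=%d ssf=%d layer=%d\n", rc, once.steps_done, once.ssf, once.layer_installed);
    return 0;
}
```

The contrast worth checking after a bind is the SSF: a connection whose bind loop stopped early still reports a 0 SSF even though the mechanism was going to negotiate one, and any request sent on it goes out unsealed, which is the mismatch the thread was chasing.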

