I am experiencing a problem with LDAP user authentication over SASL/GSSAPI
against a Microsoft AD 2003 server. After doing the "kinit", I get
the initial user ticket. But when I try to do a SASL bind with mechanism
GSSAPI, and try to give the same user principal that I gave to kinit
in the first SASL step that asks "Please enter your authorization
name" (code 0x4001), I get the service ticket (as shown by the klist
command), but my ldap sasl bind fails with the message
"LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data
7a, vece"
with LDAP return code 49 means Invalid Credentials. I am using a
custom client here. The code is pasted after the environment details.
Please go through the code. By the way, I am getting the user and
service tickets from the AD server; it is just the SASL bind that is
failing. A normal (simple) bind succeeds.
Here are the environment details:
Server
=======
Microsoft Server 2003
Client
======
RedHat ES 3
MozillaLDAP 6.0.4
Cyrus-sasl 2.1.22
Client code
====================================================================
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sasl.h>
#include <ldap.h>
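/* Copy of argv[0], filled in by main(); 50 bytes, so longer names are truncated. */
static char progname[50];
//static int sasl_flags = LDAP_SASL_QUIET;
/* Interactive mode: the library calls example_sasl_interact() for every SASL prompt. */
static int sasl_flags = LDAP_SASL_INTERACTIVE;
/* SASL mechanism requested on bind; the string is a literal, hence const. */
static const char *sasl_mech = "GSSAPI";
/* Scratch line buffer shared by the prompts in main(). */
static char buf[1024];
/* True when n is one of the SASL_CB_USER .. SASL_CB_GETREALM interaction ids.
 * The argument is parenthesized so an expression such as `a + b` is not
 * re-associated by the comparison operators. */
#define VALIDVAL(n) (((n) >= SASL_CB_USER) && ((n) <= SASL_CB_GETREALM))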
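/*
 * Read one line from stdin into strPtr (at most sizeStrPtr bytes including
 * the terminator) and strip the trailing newline.
 *
 * strPtr:     destination buffer, or NULL (nothing is read then).
 * sizeStrPtr: size of the destination buffer in bytes.
 * strLength:  optional out-parameter that receives the length of the returned
 *             string; it is set to 0 whenever NULL is returned.
 * Returns strPtr on success, NULL on EOF/read error, when strPtr is NULL or
 * when sizeStrPtr is 0.
 *
 * A line longer than the buffer is returned truncated; the remainder stays in
 * stdin and is consumed by the next call, so a long answer to one prompt
 * silently becomes the answer to the following one.
 */
static char *getCString(char *strPtr, size_t sizeStrPtr, size_t *strLength)
{
    size_t len = 0;

    if (strLength != NULL) {
        *strLength = 0;
    }
    if (strPtr == NULL || sizeStrPtr == 0) {
        return NULL;
    }
    /* fgets takes an int size; callers here pass small fixed buffers. */
    if (fgets(strPtr, (int)sizeStrPtr, stdin) == NULL) {
        return NULL;
    }
    len = strlen(strPtr);
    if (len > 0 && strPtr[len - 1] == '\n') {
        strPtr[--len] = '\0';
    }
    if (strLength != NULL) {
        *strLength = len;
    }
    return strPtr;
}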
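/*
 * SASL interaction callback handed to ldap_sasl_interactive_bind_ext_s().
 *
 * Walks the prompt list, shows each prompt on stdout and reads the answer
 * from stdin. Each prompt id gets its own static answer buffer, so a list
 * that asks for several values (e.g. authorization name and password) does
 * not end up with every result pointing at the same, last-written string.
 * Answers live in static storage because the library keeps referencing
 * result/len after the callback returns and does not free them.
 *
 * ld, flags, defaults: unused here.
 * prompts: array of sasl_interact_t terminated by SASL_CB_LIST_END.
 * Returns LDAP_SUCCESS, or LDAP_PARAM_ERROR when prompts is NULL.
 *
 * Notes: every answer is echoed on the terminal, including SASL_CB_PASS.
 * For the SASL_CB_USER prompt, the thread this program comes from reports
 * that AD accepts an empty authorization name, or one written as dn:<DN>.
 */
static int
example_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *prompts)
{
    /* Names of the SASL_CB_USER .. SASL_CB_GETREALM ids, in id order. */
    static const char *const promptStrings[] = {
        "USER", "AUTHNAME", "LANGUAGE", "PASS",
        "ECHOPROMPT", "NOECHOPROMPT", "CNONCE", "GETREALM"
    };
    enum { NPROMPTS = sizeof promptStrings / sizeof promptStrings[0] };
    /* One answer buffer per named id, plus a shared fallback slot (index NPROMPTS). */
    static char answers[NPROMPTS + 1][1024];
    sasl_interact_t *interact;

    (void)ld;
    (void)flags;
    (void)defaults;

    if (prompts == NULL) {
        return LDAP_PARAM_ERROR;
    }

    for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++) {
        if (!VALIDVAL(interact->id)) {
            continue;   /* ids outside the known range are left unanswered */
        }
        unsigned long idx = (unsigned long)interact->id - SASL_CB_USER;
        const char *label = "N/A";
        char *answer = answers[NPROMPTS];
        if (idx < NPROMPTS) {
            label = promptStrings[idx];
            answer = answers[idx];
        }
        printf(" >> Prompt: [%lx|%s] %s: ", (unsigned long)interact->id, label,
               interact->prompt ? interact->prompt : "N/A");
        fflush(stdout);   /* the prompt has no newline; make it visible before blocking on input */
        if (getCString(answer, sizeof answers[0], NULL) == NULL) {
            answer[0] = '\0';   /* EOF: empty answer rather than a stale one from an earlier prompt */
        }
        interact->result = answer;
        interact->len = (unsigned)strlen(answer);
    }
    return LDAP_SUCCESS;
}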
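/*
 * Print the command-line synopsis to stderr.
 *
 * argv0: program name to show (named argv0 rather than progname so it does
 *        not shadow the file-scope progname buffer).
 * Always returns 1, so callers can `return usage(argv[0]);` as the exit status.
 */
static int
usage(const char *argv0)
{
    fprintf(stderr, "Usage: %s [ debuglevel ]\n", argv0);
    return 1;
}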
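/*
 * SASL/GSSAPI interactive bind against ld, requesting the authorization
 * identity and password-policy response controls (both non-critical).
 *
 * ld:     open LDAP handle.
 * bindDN: passed through as the dn argument of the bind (the caller passes
 *         the server base DN, as the original program did).
 * stepNo: step number shown in the prompt banner.
 * Returns the LDAP result code of the bind.
 */
static int
sasl_bind_step(LDAP *ld, const char *bindDN, int stepNo)
{
    LDAPControl auth_resp_ctrl = { .ldctl_oid = LDAP_CONTROL_AUTH_REQUEST };
    LDAPControl pwpolicy_req_ctrl = { .ldctl_oid = LDAP_X_CONTROL_PWPOLICY_REQUEST };
    LDAPControl *ctrl_array[3] = { &auth_resp_ctrl, &pwpolicy_req_ctrl, NULL };
    LDAPControl **rctrls = NULL;
    int rc;

    printf("Step#%d) Entering LDAP SASL authentication phase\n", stepNo);
    printf("--[Start]---------------------------------------\n");
    rc = ldap_sasl_interactive_bind_ext_s(ld, bindDN, sasl_mech,
                                          ctrl_array, NULL,
                                          sasl_flags,
                                          example_sasl_interact,
                                          NULL, &rctrls);
    /* Response controls are not inspected by this client; release them. */
    if (rctrls != NULL) {
        ldap_controls_free(rctrls);
    }
    printf("--[End]-----------------------------------------\n");
    return rc;
}

/*
 * Prompt for a bind DN and password on stdin and perform a simple bind.
 *
 * The password is echoed while typed and, being a simple bind, travels in
 * clear text unless the connection itself is protected (e.g. TLS).
 *
 * ld:     open LDAP handle.
 * stepNo: step number shown in the prompt banner.
 * Returns the LDAP result code of the bind.
 */
static int
simple_bind_step(LDAP *ld, int stepNo)
{
    char userName[100] = "";
    char userPass[100] = "";
    volatile char *scrub = userPass;
    int rc;

    printf("Step#%d) Launching LDAP simple BIND\n", stepNo);
    printf("--[Start]---------------------------------------\n");
    printf(" >> Prompt: Enter user DN: ");
    getCString(userName, sizeof userName, NULL);
    printf(" >> Prompt: Enter user passwd: ");
    getCString(userPass, sizeof userPass, NULL);
    rc = ldap_simple_bind_s(ld, userName, userPass);
    /* Clear the local password copy through a volatile pointer so the stores are not elided. */
    for (size_t k = 0; k < sizeof userPass; k++) {
        scrub[k] = '\0';
    }
    printf("--[End]-----------------------------------------\n");
    return rc;
}

/*
 * Print one search entry: its DN, then every attribute with all values.
 *
 * Values are printed as C strings, so binary attributes (objectGUID,
 * objectSid) come out garbled; ldap_get_values_len() would be needed for
 * raw bytes. Values are directory data printed verbatim, control characters
 * included.
 *
 * ld: open LDAP handle.
 * e:  entry obtained from ldap_first_entry()/ldap_next_entry().
 */
static void
print_entry(LDAP *ld, LDAPMessage *e)
{
    BerElement *ber = NULL;
    char *dn = ldap_get_dn(ld, e);

    if (dn != NULL) {
        printf(" => dn: %s\n", dn);
        ldap_memfree(dn);
    }
    for (char *a = ldap_first_attribute(ld, e, &ber); a != NULL;
         a = ldap_next_attribute(ld, e, ber)) {
        char **vals = ldap_get_values(ld, e, a);
        if (vals != NULL) {
            for (int i = 0; vals[i] != NULL; i++) {
                printf(" --- %s: %s\n", a, vals[i]);
            }
            ldap_value_free(vals);
        }
        ldap_memfree(a);
    }
    if (ber != NULL) {
        ber_free(ber, 0);
    }
    printf(".\n");
}

/*
 * Interactive LDAP test client: asks for server, port and base DN on stdin,
 * binds either with a simple bind or with SASL/GSSAPI (retrying on request),
 * prints the negotiated SASL security strength factor, then runs one subtree
 * search and prints every entry with all attributes.
 *
 * argv[1] (optional): numeric debug level passed to LDAP_OPT_DEBUG_LEVEL.
 * More than one argument prints the usage and exits 1.
 * Returns 0 on success, 1 on bad arguments, connection failure, a failed
 * bind, or a search that produced no result at all.
 */
int
main(int argc, char *argv[])
{
    int rc = LDAP_OTHER;
    LDAP *ld = NULL;
    int ldversion = LDAP_VERSION3;
    int debuglevel = 0;
    LDAPMessage *result = NULL;   /* initialized: checked even when the search fails */
    LDAPMessage *e;
    int step = 1;
    int s1, s2;
    char serverName[100] = "";
    int serverPort = 389;
    char serverBaseDN[512] = "";
    char searchDN[1024] = "";
    char searchFilter[512] = "";
    sasl_ssf_t ssf = 0;
    unsigned long val = 0;

    /* snprintf always NUL-terminates; strncpy would not for a long argv[0]. */
    snprintf(progname, sizeof progname, "%s", argc > 0 && argv[0] ? argv[0] : "");

    if (argc == 2) {
        debuglevel = atoi(argv[1]);
    } else if (argc > 2) {
        return usage(argv[0]);
    }
    printf("============================================\n");
    printf("Starting ...\n\n");
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debuglevel);

    /* get a handle to an LDAP connection */
    printf("Step#%d) Enter LDAP server name|DNS|IP: ", step++);
    getCString(serverName, sizeof serverName, NULL);
    printf("Step#%d) Enter LDAP server port [389]: ", step++);
    if (getCString(buf, sizeof buf, NULL) != NULL && buf[0] != '\0') {
        /* Empty input keeps the advertised default; anything that is not a
         * valid TCP port is reported and also falls back to it. */
        char *end = NULL;
        errno = 0;
        long port = strtol(buf, &end, 10);
        if (end == buf || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
            fprintf(stderr, "Invalid port '%s', using %d\n", buf, serverPort);
        } else {
            serverPort = (int)port;
        }
    }
    if ((ld = ldap_init(serverName, serverPort)) == NULL) {
        perror("ldap_init");   /* the failing call is ldap_init, not ldap_open */
        return 1;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldversion);
    /* Do not chase referrals: chasing one reopens a connection with a simple
     * bind through the SASL-wrapped session, which the thread this program
     * comes from reports as a crash in sasl_encode() during ldap_search_s(). */
    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);

    printf("Step#%d) Enter LDAP server base DN: ", step++);
    getCString(serverBaseDN, sizeof serverBaseDN, NULL);

    /* The method/bind steps keep their numbers across retries. */
    s1 = step++;
    s2 = step++;
    do {
        printf("Step#%d) Enter LDAP authentication method; 1) Simple [default] 2) GSSAPI-Krb5 : ", s1);
        if (getCString(buf, sizeof buf, NULL) == NULL) {
            buf[0] = '\0';
        }
        if (atoi(buf) == 2) {
            rc = sasl_bind_step(ld, serverBaseDN, s2);
        } else {
            rc = simple_bind_step(ld, s2);
        }
        if (rc == LDAP_SUCCESS) {
            break;
        }
        snprintf(buf, sizeof buf, "Bind Error [%d]", rc);
        ldap_perror(ld, buf);
        printf("Do you want to try again ?[y/N] ");
        if (getCString(buf, sizeof buf, NULL) == NULL) {
            buf[0] = '\0';   /* EOF counts as "no" */
        }
    } while (buf[0] == 'y' || buf[0] == 'Y');
    if (rc != LDAP_SUCCESS) {
        ldap_unbind(ld);
        return 1;
    }

    /* ldap_get_option() returns 0 on success; an SSF of 0 means no SASL
     * integrity/confidentiality layer was negotiated. */
    if (ldap_get_option(ld, LDAP_OPT_X_SASL_SSF, &ssf) == 0) {
        val = (unsigned long)ssf;
    }
    printf("Bind successful, security level is %lu\n", val);

    printf("Step#%d) Enter search DN: ", step++);
    getCString(searchDN, sizeof searchDN, NULL);
    printf("Step#%d) Enter search filter: ", step++);
    getCString(searchFilter, sizeof searchFilter, NULL);
    rc = ldap_search_s(ld, searchDN, LDAP_SCOPE_SUBTREE, searchFilter, NULL, 0, &result);
    if (rc != LDAP_SUCCESS) {
        snprintf(buf, sizeof buf, "'ldap_search_s' Error [%d]", rc);
        ldap_perror(ld, buf);
        if (result == NULL) {
            ldap_unbind(ld);
            return 1;
        }
        /* A non-NULL result on error may still hold partial entries; print them. */
    }

    printf("Step#%d) LDAP search results\n", step++);
    printf("--[Start]---------------------------------------\n");
    /* for each entry print out name + all attrs and values */
    for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld, e)) {
        print_entry(ld, e);
    }
    printf("--[End]-----------------------------------------\n\nTerminating ...\n");
    ldap_msgfree(result);
    ldap_unbind(ld);
    return 0;
}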
====================================================================
Kashif Ali Siddiqui
Tech Lead | Folio3 (www.folio3.com)
Email: ksid...@folio3.com
Markus
"Kashif Ali Siddiqui" <kashif.al...@gmail.com> wrote in message
news:8159512b-f373-462d...@m34g2000hsf.googlegroups.com...
Any other solution please.
On Jan 2, 7:54 pm, "Markus Moeller" <hua...@moeller.plus.com> wrote:
> Can you try with an empty authorization name. I compiled your test program
> on Opensolaris with minor modification (no DEBUG and no bind_ext available
> in Sun's ldap release which is based on mozilla) and it works fine against
> my w2k3 AD.
>
> Markus
>
> "Kashif Ali Siddiqui" <kashif.ali.siddi...@gmail.com> wrote in messagenews:8159512b-f373-462d...@m34g2000hsf.googlegroups.com...
> > Email: ksiddi...@folio3.com
Any other solution please.
On Jan 2, 7:54 pm, "Markus Moeller" <hua...@moeller.plus.com> wrote:
> Can you try with an empty authorization name. I compiled your test program
> on Opensolaris with minor modification (no DEBUG and no bind_ext available
> in Sun's ldap release which is based on mozilla) and it works fine against
> my w2k3 AD.
>
> Markus
>
> "Kashif Ali Siddiqui" <kashif.ali.siddi...@gmail.com> wrote in messagenews:8159512b-f373-462d...@m34g2000hsf.googlegroups.com...
> > Email: ksiddi...@folio3.com
ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
I think it is a bug in sasl as I saw this too:
Program received signal SIGSEGV, Segmentation fault.
0xd1f28cae in ___sasl_log () from /usr/lib/libsasl.so.1
(gdb) where
#0 0xd1f28cae in ___sasl_log () from /usr/lib/libsasl.so.1
#1 0xd1f28be4 in _sasl_log () from /usr/lib/libsasl.so.1
#2 0xd1f27146 in sasl_encodev () from /usr/lib/libsasl.so.1
#3 0xd1f26ff6 in sasl_encode () from /usr/lib/libsasl.so.1
#4 0xd1f73dc1 in nsldapi_sasl_write () from /usr/lib/libldap.so.5
#5 0xd1f5cb67 in ber_flush () from /usr/lib/libldap.so.5
#6 0xd1f6f6a6 in nsldapi_ber_flush () from /usr/lib/libldap.so.5
#7 0xd1f6f0a8 in nsldapi_send_server_request () from /usr/lib/libldap.so.5
#8 0xd1f6ec8b in nsldapi_send_initial_request () from /usr/lib/libldap.so.5
#9 0xd1f74ffd in simple_bind_nolock () from /usr/lib/libldap.so.5
#10 0xd1f74d33 in ldap_simple_bind () from /usr/lib/libldap.so.5
#11 0xd1f7508d in ldap_simple_bind_s () from /usr/lib/libldap.so.5
#12 0xd1f5e9c6 in ldap_bind_s () from /usr/lib/libldap.so.5
#13 0xd1f6fa2b in nsldapi_new_connection () from /usr/lib/libldap.so.5
#14 0xd1f6eee7 in nsldapi_send_server_request () from /usr/lib/libldap.so.5
#15 0xd1f702c7 in chase_one_referral () from /usr/lib/libldap.so.5
#16 0xd1f7005d in nsldapi_chase_v3_refs () from /usr/lib/libldap.so.5
#17 0xd1f7253f in check_for_refs () from /usr/lib/libldap.so.5
#18 0xd1f71dea in read1msg () from /usr/lib/libldap.so.5
#19 0xd1f71369 in wait4msg () from /usr/lib/libldap.so.5
#20 0xd1f70a31 in nsldapi_result_nolock () from /usr/lib/libldap.so.5
#21 0xd1f70953 in ldap_result () from /usr/lib/libldap.so.5
#22 0xd1f76504 in nsldapi_search_s () from /usr/lib/libldap.so.5
#23 0xd1f7640a in ldap_search_s () from /usr/lib/libldap.so.5
#24 0x080519c7 in main ()
BTW, if you want to provide an authorization id, put "dn:" in front of the DN, as
shown below.
./ldap_test
============================================
Starting ...
Step#1) Enter LDAP server name|DNS|IP: w2k3r2.win2003r2.home
Step#2) Enter LDAP server port [389]:
Step#3) Enter LDAP server base DN: dc=win2003r2,dc=home
Step#4) Enter LDAP authentication method; 1) Simple [default] 2) GSSAPI-Krb5
: 2
Step#5) Entering LDAP SASL authentication phase
--[Start]---------------------------------------
>> Prompt: [4001|USER] Please enter your authorization name: dn:CN=Markus
Moeller,CN=Users,DC=win2003r2,DC=home
--[End]-----------------------------------------
Bind successful, security level is 56
Step#6) Enter search DN: dc=win2003r2,dc=home
Step#7) Enter search filter: (cn=markus*)
Step#8) LDAP search results
--[Start]---------------------------------------
=> dn: CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
--- objectClass: top
--- objectClass: person
--- objectClass: organizationalPerson
--- objectClass: user
--- cn: Markus Moeller
--- sn: Moeller
--- givenName: Markus
--- distinguishedName: CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
--- instanceType: 4
--- whenCreated: 20071221213740.0Z
--- whenChanged: 20071226183848.0Z
--- displayName: Markus Moeller
--- uSNCreated: 20500
--- uSNChanged: 32984
--- name: Markus Moeller
--- objectGUID: ůW \C~Nwe$
--- userAccountControl: 66048
--- badPwdCount: 0
--- codePage: 0
--- countryCode: 0
--- employeeID: 500
--- badPasswordTime: 128436841317493750
--- lastLogoff: 0
--- lastLogon: 128437604944212500
--- pwdLastSet: 128427466604375000
--- primaryGroupID: 513
--- objectSid:
--- accountExpires: 9223372036854775807
--- logonCount: 3
--- sAMAccountName: mm
--- sAMAccountType: 805306368
--- userPrincipalName: m...@win2003r2.home
--- objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=win2003r2,DC=home
--- lastLogonTimestamp: 128431679281250000
--- uid: mm
--- msSFU30Name: mm
--- msSFU30NisDomain: win2003r2
--- msSFU30PosixMemberOf: CN=SuseGroup,CN=Users,DC=win2003r2,DC=home
--- msSFU30PosixMemberOf: CN=SolarisGroup,CN=Users,DC=win2003r2,DC=home
--- uidNumber: 10000
--- gidNumber: 10000
--- unixHomeDirectory: /export/home/mm
--- loginShell: /bin/ksh
.
--[End]-----------------------------------------
Terminating ...
"Kashif Ali Siddiqui" <kashif.al...@gmail.com> wrote in message
news:73fea6ec-8186-4eeb...@s19g2000prg.googlegroups.com...
And yes, the new SASL version does crash on the ldap_search_s call.
Once again, thank you for your kind help.
One more question: can I use another LDAP attribute, such as sAMAccountName,
instead of 'dn' in SASL authentication step#1?
> --- objectGUID: ùW \C~Nwe$
> "Kashif Ali Siddiqui" <kashif.ali.siddi...@gmail.com> wrote in messagenews:73fea6ec-8186-4eeb...@s19g2000prg.googlegroups.com...