Trouble with ldap + sasl + gssapi + kerberos against Active Directory Server


Hadmut Danisch

Jun 30, 2014, 11:23:35 AM
to ruby...@googlegroups.com
Hi,

I am just trying to use ldap with kerberos to connect to a Microsoft Active Directory Server. Works pretty well with command line tools (ldapsearch), but with ruby I always run into the error message

Error gss_init_sec_context did not return GSS_S_COMPLETE


Unfortunately, I could not find a precise documentation of what exact behaviour NET::LDAP.new expects from the challenge_response function. By the way, there are two gems available, net-ldap-0.6.1 and net-ldap2-0.5.0, but they differ only in some specs and docs. Why are there two versions, and which one should I use?

What I am trying to do is

  require 'gssapi'
  require 'net/ldap'

  # adserver holds the host name of the Active Directory server (set elsewhere)
  cli = GSSAPI::Simple.new(adserver, 'ldap')

  # first GSSAPI token (AP-REQ), sent as the initial SASL credential
  token = cli.init_context.force_encoding('binary')
  puts "OUT #{token.size}"

  ldap = Net::LDAP.new :host => adserver,
    :auth => {
      :method             => :sasl,
      :mechanism          => 'GSSAPI',
      :initial_credential => token,
      # called by net-ldap with each server challenge; the return value is
      # sent back as the credentials of the next bindRequest
      :challenge_response => lambda do |inp|
        puts "INP #{inp.size}"
        case out = cli.init_context(inp)
        when true   then puts "OUT #{out}";      out
        when String then puts "OUT #{out.size}"; out.force_encoding('binary')
        else warn "init context class #{out.class}"
        end
      end
    }

  puts "Starting Query"

  ldap.search(:base => "") do |entry|
    puts entry
  end

(where adserver is the name of the Active Directory Server), which almost seems to work, at least it goes through some steps of the kerberos protocol and prints

OUT 1426
Starting Query
INP 156
OUT true
INP 32
Error gss_init_sec_context did not return GSS_S_COMPLETE
GSSAPI::GssApiError

So the local gssapi object seems to find a success (since it replies with true instead of a string), but NET::LDAP tries to proceed with sasl. I am not sure why the gssapi part returns true, but later on complains about not getting GSS_S_COMPLETE.

I tried to compare this with a successful ldapsearch and found that ldapsearch does a

-> bindRequest(1) sasl
<- saslBindInProgress
-> bindRequest(2) sasl
<- sasBindInProgress
-> bindRequest(3) sasl
<- bindResponse(3) success
-> SASL GSS-API Privacy; payload


while the ruby version aborts after the fourth step. I also found that both tell the Server that they wish to use the GSSAPI mechanism in the third step, but the ruby version has three 01 bytes after GSSAPI, while the ldapsearch chat doesn't. Wireshark complains that these three 01 bytes make the packet invalid. Maybe that's an encoding problem of net-ldap.

Unfortunately, both debugging and documentation for both gssapi and ruby net-ldap are poor for this kind of use. I am not yet sure whether I have a problem with the gssapi or the net-ldap part.


Does anyone have working code to authenticate with kerberos against an AD server?

regards
Hadmut
