Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

LDAP authentication via GSSAPI

94 views
Skip to first unread message

Jochen Keutel

unread,
Feb 18, 2015, 11:15:02 AM2/18/15
to perl...@perl.org
Hello,
I want to perform an LDAP bind using the Windows credentials I
already have (after logging on on my Windows machine).
The LDAP server is Microsoft AD LDS. (Could be also ADS - both LDAP
servers support this kind of login.)

I think the following code should work - but it does not (on Windows):

use strict;
use warnings;
use Net::LDAP;
require Authen::SASL;

my $host = 'ldap://localhost:389/';
my $ldap_base = 'c=de';

my $sasl = Authen::SASL->new( mechanism => 'GSSAPI' );
print "Mechanism: ".$sasl->mechanism."\n";
my $ldap;

$ldap = Net::LDAP->new($host);
my $bind_res = $ldap->bind(sasl => $sasl);
if ($bind_res->code) {
print "Bind problem: code ".$bind_res->code.", error
".$bind_res->error."\n";
} else {
print "Bind successful"."\n";
}

Output:

Mechanism: GSSAPI
Bind problem: code 82, error No SASL mechanism found
at C:/Perl64/site/lib/Authen/SASL.pm line 77.
at C:/Perl64/site/lib/Net/LDAP.pm line 460.

I'm using ActiveState Perl 5.20 .
C:\Perl64\site\lib\Authen\SASL\Perl\GSSAPI.pm is there.
But also "require Authen::SASL::Perl::GSSAPI;" fails:

Can't locate GSSAPI.pm in @INC (you may need to install the GSSAPI
module) (@INC
contains: C:/Perl64/site/lib C:/Perl64/lib .) at
C:/Perl64/site/lib/Authen/SASL
/Perl/GSSAPI.pm line 10, <DATA> line 751.
BEGIN failed--compilation aborted at
C:/Perl64/site/lib/Authen/SASL/Perl/GSSAPI.
pm line 10, <DATA> line 751.

The reason is probably that line 10 contains "use GSSAPI;".

According to http://code.activestate.com/ppm/GSSAPI/ : GSSAPI couldn't
be compiled for Windows.

http://www.perlmonks.org/?node_id=851947 describes the same problem but
doesn't offer a solution.

Is there a solution? Is there another way (e.g. another module than
Authen::SASL) to get this working?

Regards, Jochen Keutel.

Achim Grolms

unread,
Feb 18, 2015, 4:00:02 PM2/18/15
to perl...@perl.org
On Wednesday 18 February 2015, Jochen Keutel wrote:

> The reason is probably that line 10 contains "use GSSAPI;".
>
> According to http://code.activestate.com/ppm/GSSAPI/ : GSSAPI couldn't
> be compiled for Windows.

Yes and No.

Yes, it can be compiled on Windows linking against a GSSAPI implementation on
Windows, for example MIT Kerberos. In GSSAPI sourcetree run

perl Makefile.PL --help

to get configuration-help.
In that case you additionally must configure your krb5.conf file with the KDC
you use and run 'ktpass' to get a TGT.

No, because GSSAPI implementation like MIT Kerberos must be installed as a
prerequierement on the Windows machine, Active State has a problem how to
build and ship this module with ppm.

> http://www.perlmonks.org/?node_id=851947 describes the same problem but
> doesn't offer a solution.
>
> Is there a solution? Is there another way (e.g. another module than
> Authen::SASL) to get this working?

I suppose the best way on Windows is

1. to make use un the windows native GSSAPI-interface (called 'SSPI'), as
Win32::IntAuth does,

2. and wrap a Authen::SASL adapter around it so Net::LDAP can make use of it.

Sorry I did not do this task in the past.

Best Regards,
Achim

Keutel, Jochen (mlists)

unread,
Feb 19, 2015, 10:00:02 AM2/19/15
to perl...@perl.org
Hello,
thank you for the answer.

> I suppose the best way on Windows is
>
> 1. to make use un the windows native GSSAPI-interface (called 'SSPI'), as
> Win32::IntAuth does,
>
> 2. and wrap a Authen::SASL adapter around it so Net::LDAP can make use of it.
>
> Sorry I did not do this task in the past.

Does this mean that currently - using a native ActiveState Perl
installation and only ActiveState PPMs - there is no way to get this
working?
Or can I do this "use SSPI and wrap a Authen::SASL adapter around it"
within my Perl script?

I guess not ...

The problem is that I have several Perl scripts that have to run on a
Windows server regularly via Windows Task Scheduler. The guys in the
operating want that the scripts are running under an existing Windows
account.
They don't allow me to put a LDAP password in cleartext into a config file.

Regards, Jochen.

Achim Grolms

unread,
Feb 19, 2015, 11:15:01 AM2/19/15
to perl...@perl.org
On Thursday 19 February 2015, Keutel, Jochen (mlists) wrote:

> Does this mean that currently - using a native ActiveState Perl
> installation and only ActiveState PPMs - there is no way to get this
> working?

This means that you can build your own GSSAPI-module using
* a C-Compiler
* Kerberos for Windows with header-files (for example MIT Kerberos)

and put it in your own ppm Package.

> Or can I do this "use SSPI and wrap a Authen::SASL adapter around it"
> within my Perl script?

This means writing a Perl module, for example "Authen::SASL::WinSSPI" that
implements the Authen::SASL interface an makes use of Win32::IntAuth.

I think everyone with knowledge in SASL and Kerberos/GSSAPI can do this.
If a find some sparetime within the next days I can try to start a "proof of
concept"-implementation.


> The problem is that I have several Perl scripts that have to run on a
> Windows server regularly via Windows Task Scheduler. The guys in the
> operating want that the scripts are running under an existing Windows
> account.
> They don't allow me to put a LDAP password in cleartext into a config file.

So using authentication based on GSSAPI.pm is not an option, because you
have to find a way to get a TGT when the scheduler runs the script.
This means

a) feed a keytab to kinit or
b) feed a password to kinit.

Hmmm..., perhaps the guys in operating don't understand what a keytab is, so
this is the hole you can slip through :-) :-) :-)

Best Regards,
Achim
0 new messages