LDAP authentication via GSSAPI

34 views
Skip to first unread message

Jochen Keutel

unread,
Feb 18, 2015, 11:15:02 AM2/18/15
to perl...@perl.org
Hello,
I want to perform an LDAP bind using the Windows credentials I
already have (after logging on on my Windows machine).
The LDAP server is Microsoft AD LDS. (Could be also ADS - both LDAP
servers support this kind of login.)

I think the following code should work - but it does not (on Windows):

use strict;
use warnings;
use Net::LDAP;
require Authen::SASL;

my $host = 'ldap://localhost:389/';
my $ldap_base = 'c=de';

my $sasl = Authen::SASL->new( mechanism => 'GSSAPI' );
print "Mechanism: ".$sasl->mechanism."\n";
my $ldap;

$ldap = Net::LDAP->new($host);
my $bind_res = $ldap->bind(sasl => $sasl);
if ($bind_res->code) {
print "Bind problem: code ".$bind_res->code.", error
".$bind_res->error."\n";
} else {
print "Bind successful"."\n";
}

Output:

Mechanism: GSSAPI
Bind problem: code 82, error No SASL mechanism found
at C:/Perl64/site/lib/Authen/SASL.pm line 77.
at C:/Perl64/site/lib/Net/LDAP.pm line 460.

I'm using ActiveState Perl 5.20 .
C:\Perl64\site\lib\Authen\SASL\Perl\GSSAPI.pm is there.
But also "require Authen::SASL::Perl::GSSAPI;" fails:

Can't locate GSSAPI.pm in @INC (you may need to install the GSSAPI
module) (@INC
contains: C:/Perl64/site/lib C:/Perl64/lib .) at
C:/Perl64/site/lib/Authen/SASL
/Perl/GSSAPI.pm line 10, <DATA> line 751.
BEGIN failed--compilation aborted at
C:/Perl64/site/lib/Authen/SASL/Perl/GSSAPI.
pm line 10, <DATA> line 751.

The reason is probably that line 10 contains "use GSSAPI;".

According to http://code.activestate.com/ppm/GSSAPI/ : GSSAPI couldn't
be compiled for Windows.

http://www.perlmonks.org/?node_id=851947 describes the same problem but
doesn't offer a solution.

Is there a solution? Is there another way (e.g. another module than
Authen::SASL) to get this working?

Regards, Jochen Keutel.

Achim Grolms

unread,
Feb 18, 2015, 4:00:02 PM2/18/15
to perl...@perl.org
On Wednesday 18 February 2015, Jochen Keutel wrote:

> The reason is probably that line 10 contains "use GSSAPI;".
>
> According to http://code.activestate.com/ppm/GSSAPI/ : GSSAPI couldn't
> be compiled for Windows.

Yes and No.

Yes, it can be compiled on Windows linking against a GSSAPI implementation on
Windows, for example MIT Kerberos. In GSSAPI sourcetree run

perl Makefile.PL --help

to get configuration-help.
In that case you additionally must configure your krb5.conf file with the KDC
you use and run 'ktpass' to get a TGT.

No, because GSSAPI implementation like MIT Kerberos must be installed as a
prerequierement on the Windows machine, Active State has a problem how to
build and ship this module with ppm.

> http://www.perlmonks.org/?node_id=851947 describes the same problem but
> doesn't offer a solution.
>
> Is there a solution? Is there another way (e.g. another module than
> Authen::SASL) to get this working?

I suppose the best way on Windows is

1. to make use un the windows native GSSAPI-interface (called 'SSPI'), as
Win32::IntAuth does,

2. and wrap a Authen::SASL adapter around it so Net::LDAP can make use of it.

Sorry I did not do this task in the past.

Best Regards,
Achim

Keutel, Jochen (mlists)

unread,
Feb 19, 2015, 10:00:02 AM2/19/15
to perl...@perl.org
Hello,
thank you for the answer.

> I suppose the best way on Windows is
>
> 1. to make use un the windows native GSSAPI-interface (called 'SSPI'), as
> Win32::IntAuth does,
>
> 2. and wrap a Authen::SASL adapter around it so Net::LDAP can make use of it.
>
> Sorry I did not do this task in the past.

Does this mean that currently - using a native ActiveState Perl
installation and only ActiveState PPMs - there is no way to get this
working?
Or can I do this "use SSPI and wrap a Authen::SASL adapter around it"
within my Perl script?

I guess not ...

The problem is that I have several Perl scripts that have to run on a
Windows server regularly via Windows Task Scheduler. The guys in the
operating want that the scripts are running under an existing Windows
account.
They don't allow me to put a LDAP password in cleartext into a config file.

Regards, Jochen.

Achim Grolms

unread,
Feb 19, 2015, 11:15:01 AM2/19/15
to perl...@perl.org
On Thursday 19 February 2015, Keutel, Jochen (mlists) wrote:

> Does this mean that currently - using a native ActiveState Perl
> installation and only ActiveState PPMs - there is no way to get this
> working?

This means that you can build your own GSSAPI-module using
* a C-Compiler
* Kerberos for Windows with header-files (for example MIT Kerberos)

and put it in your own ppm Package.

> Or can I do this "use SSPI and wrap a Authen::SASL adapter around it"
> within my Perl script?

This means writing a Perl module, for example "Authen::SASL::WinSSPI" that
implements the Authen::SASL interface an makes use of Win32::IntAuth.

I think everyone with knowledge in SASL and Kerberos/GSSAPI can do this.
If a find some sparetime within the next days I can try to start a "proof of
concept"-implementation.


> The problem is that I have several Perl scripts that have to run on a
> Windows server regularly via Windows Task Scheduler. The guys in the
> operating want that the scripts are running under an existing Windows
> account.
> They don't allow me to put a LDAP password in cleartext into a config file.

So using authentication based on GSSAPI.pm is not an option, because you
have to find a way to get a TGT when the scheduler runs the script.
This means

a) feed a keytab to kinit or
b) feed a password to kinit.

Hmmm..., perhaps the guys in operating don't understand what a keytab is, so
this is the hole you can slip through :-) :-) :-)

Best Regards,
Achim
Reply all
Reply to author
Forward
0 new messages