LDAP authentication via GSSAPI


Jochen Keutel

Feb 18, 2015, 11:15:02 AM
to perl...@perl.org
Hello,
I want to perform an LDAP bind using the Windows credentials I
already have (after logging on to my Windows machine).
The LDAP server is Microsoft AD LDS. (Could also be ADS - both LDAP
servers support this kind of login.)

I think the following code should work - but it does not (on Windows):

use strict;
use warnings;
use Net::LDAP;
require Authen::SASL;

my $host = 'ldap://localhost:389/';
my $ldap_base = 'c=de';

# GSSAPI: bind with the Kerberos credentials the logged-on user already holds
my $sasl = Authen::SASL->new( mechanism => 'GSSAPI' );
print "Mechanism: " . $sasl->mechanism . "\n";

# Net::LDAP->new returns undef (with $@ set) if the connection fails
my $ldap = Net::LDAP->new($host) or die "Cannot connect to $host: $@";

my $bind_res = $ldap->bind(sasl => $sasl);
if ($bind_res->code) {
    print "Bind problem: code " . $bind_res->code . ", error " . $bind_res->error . "\n";
} else {
    print "Bind successful\n";
}

Output:

Mechanism: GSSAPI
Bind problem: code 82, error No SASL mechanism found
at C:/Perl64/site/lib/Authen/SASL.pm line 77.
at C:/Perl64/site/lib/Net/LDAP.pm line 460.

I'm using ActiveState Perl 5.20.
C:\Perl64\site\lib\Authen\SASL\Perl\GSSAPI.pm is there.
But "require Authen::SASL::Perl::GSSAPI;" also fails:

Can't locate GSSAPI.pm in @INC (you may need to install the GSSAPI module) (@INC contains: C:/Perl64/site/lib C:/Perl64/lib .) at C:/Perl64/site/lib/Authen/SASL/Perl/GSSAPI.pm line 10, <DATA> line 751.
BEGIN failed--compilation aborted at C:/Perl64/site/lib/Authen/SASL/Perl/GSSAPI.pm line 10, <DATA> line 751.

The reason is probably that line 10 contains "use GSSAPI;".

According to http://code.activestate.com/ppm/GSSAPI/, GSSAPI couldn't
be compiled for Windows.

http://www.perlmonks.org/?node_id=851947 describes the same problem but
doesn't offer a solution.

Is there a solution? Is there another way (e.g. another module than
Authen::SASL) to get this working?

Regards, Jochen Keutel.
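As an added example (not code from the original post), the same bind with the two checks a practitioner would want before blaming the server: whether the pure-Perl GSSAPI backend can be loaded on this client at all, and whether the server's rootDSE actually offers GSSAPI. It assumes the same host as above and uses Net::LDAP::RootDSE's supported_sasl_mechanism and the LDAP_LOCAL_ERROR constant (82, the code shown in the post's output).

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_LOCAL_ERROR);
use Authen::SASL;

my $host = 'ldap://localhost:389/';   # same server as in the post (assumption)
my $mech = 'GSSAPI';

# 1. Client side: can the pure-Perl GSSAPI backend be loaded at all?
#    On an ActiveState install without GSSAPI.pm this is what fails.
my $client_ok = eval { require Authen::SASL::Perl::GSSAPI; 1 };
print "Client $mech backend: ", ($client_ok ? "available" : "missing ($@)"), "\n";

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@";

# 2. Server side: the rootDSE lists the SASL mechanisms the server offers.
my $dse = $ldap->root_dse(attrs => ['supportedSASLMechanisms'])
    or die "could not read rootDSE from $host\n";
my @offered = $dse->get_value('supportedSASLMechanisms');
print "Server offers: @offered\n";
die "server does not offer $mech\n" unless $dse->supported_sasl_mechanism($mech);

# 3. Only now attempt the bind. GSSAPI uses the credentials the logged-on
#    account already holds, so no password lives in the script or a config file.
die "cannot bind with $mech: client backend missing\n" unless $client_ok;
my $sasl = Authen::SASL->new(mechanism => $mech);
my $res  = $ldap->bind(sasl => $sasl);

if ($res->code == LDAP_SUCCESS) {
    print "Bind successful\n";
} elsif ($res->code == LDAP_LOCAL_ERROR) {
    # code 82 means the failure happened in the client (mechanism or
    # credentials not available), not that the server rejected the bind
    print "Client-side SASL failure (code 82): ", $res->error, "\n";
} else {
    print "Server rejected bind: code ", $res->code, ", ", $res->error, "\n";
}
$ldap->unbind;
```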

Achim Grolms

Feb 18, 2015, 4:00:02 PM
to perl...@perl.org
On Wednesday 18 February 2015, Jochen Keutel wrote:

> The reason is probably that line 10 contains "use GSSAPI;".
>
> According to http://code.activestate.com/ppm/GSSAPI/, GSSAPI couldn't
> be compiled for Windows.

Yes and No.

Yes, it can be compiled on Windows linking against a GSSAPI implementation on
Windows, for example MIT Kerberos. In GSSAPI sourcetree run

perl Makefile.PL --help

to get configuration-help.
In that case you must additionally configure your krb5.conf file with the KDC
you use and run 'ktpass' to get a TGT.

No, because a GSSAPI implementation like MIT Kerberos must be installed as a
prerequisite on the Windows machine, ActiveState has a problem with how to
build and ship this module with ppm.

> http://www.perlmonks.org/?node_id=851947 describes the same problem but
> doesn't offer a solution.
>
> Is there a solution? Is there another way (e.g. another module than
> Authen::SASL) to get this working?

I suppose the best way on Windows is

1. to make use of the Windows native GSSAPI interface (called 'SSPI'), as
Win32::IntAuth does,

2. and wrap an Authen::SASL adapter around it so Net::LDAP can make use of it.

Sorry, I did not do this task in the past.

Best Regards,
Achim

Keutel, Jochen (mlists)

Feb 19, 2015, 10:00:02 AM
to perl...@perl.org
Hello,
thank you for the answer.

> I suppose the best way on Windows is
>
> 1. to make use of the Windows native GSSAPI interface (called 'SSPI'), as
> Win32::IntAuth does,
>
> 2. and wrap an Authen::SASL adapter around it so Net::LDAP can make use of it.
>
> Sorry, I did not do this task in the past.

Does this mean that currently - using a native ActiveState Perl
installation and only ActiveState PPMs - there is no way to get this
working?
Or can I do this "use SSPI and wrap an Authen::SASL adapter around it"
within my Perl script?

I guess not ...

The problem is that I have several Perl scripts that have to run on a
Windows server regularly via Windows Task Scheduler. The guys in
operations want the scripts to run under an existing Windows
account.
They don't allow me to put an LDAP password in cleartext into a config file.

Regards, Jochen.

Achim Grolms

Feb 19, 2015, 11:15:01 AM
to perl...@perl.org
On Thursday 19 February 2015, Keutel, Jochen (mlists) wrote:

> Does this mean that currently - using a native ActiveState Perl
> installation and only ActiveState PPMs - there is no way to get this
> working?

This means that you can build your own GSSAPI module using
* a C compiler
* Kerberos for Windows with header files (for example MIT Kerberos)

and put it in your own ppm package.

> Or can I do this "use SSPI and wrap an Authen::SASL adapter around it"
> within my Perl script?

This means writing a Perl module, for example "Authen::SASL::WinSSPI", that
implements the Authen::SASL interface and makes use of Win32::IntAuth.

I think everyone with knowledge of SASL and Kerberos/GSSAPI can do this.
If I find some spare time within the next days I can try to start a "proof of
concept" implementation.


> The problem is that I have several Perl scripts that have to run on a
> Windows server regularly via Windows Task Scheduler. The guys in
> operations want the scripts to run under an existing Windows
> account.
> They don't allow me to put an LDAP password in cleartext into a config file.

So using authentication based on GSSAPI.pm is not an option, because you
have to find a way to get a TGT when the scheduler runs the script.
This means

a) feed a keytab to kinit or
b) feed a password to kinit.

Hmmm..., perhaps the guys in operations don't understand what a keytab is, so
this is the hole you can slip through :-) :-) :-)

Best Regards,
Achim