RE: ldap traffic encryption with kerberos



Hi Kent,

The first step towards any Kerberos authentication is
obtaining a Kerberos ticket from your KDC. Do you have
a KDC which you can obtain a ticket from? Are both
your ldap client (ldapsearch) and your ldap server
Kerberos aware? For your client, you'd need to compile
it with SASL and GSSAPI support (requires installing
and/or building Cyrus SASL and Heimdal or Kerberos
MIT). Or, you can use the Samba hack.

I based my code off of the same function you referred
to, with the same arguments. I realize that the
function called has the word SASL in it, but take my
word that I do not have Cyrus SASL installed on my
machine, and that I did not compile OpenLDAP with SASL
support. It just works. I'm not an expert on the
subject, so I didn't question it. I used to use SASL,
for which I mimicked what I saw in ldapsearch. But I
ran into some DNS related issues when trying to take
my ldap tool to other networks/companies, and so I
instead mimicked Samba's code just because it has
proven more robust. Note that I've only tried this
against Windows 2000 domain controllers, so I don't
know how well it would work against other types of
servers that support Kerberos authentication.

Note the following quote taken from a presentation
given by Andrew Tridgell at the 2002 CIFS plugfest:

"I found the default GSSAPI/SASL code in Cyrus-SASL
quite troublesome. In order to make Samba ADS reliable
and robust to poor DNS configurations I ended up
re-implementing our own SASL code inside Samba. The
main thing this gained was the ability to directly
specify the kerberos principal to use in GSSAPI".

I wish you luck.

--Dave

--- Kent_Wu@trendmicro.com wrote:
> Dave:
> 
> 	Can you tell me how to use ldapsearch to do the
> Kerberos authentication with the server, it looks
> like in my Solaris 8 machine the -M option only
> supports CRAM-MD5 so far.
> 
> 	And I found a Samba source file sasl.c which has a
> function
> static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
> to do the kerberos authentication, however it
> mixes the usage of ldap_sasl_bind_s() and GSSAPI to
> do the job. You said there is a "net" example which
> uses GSSAPI only, can you enlighten me more on this?
> 
> Thx.
> 
> Kent
> 
> -----Original Message-----
> From: Dave Snoopy [mailto:kingsnoopy7@yahoo.com]
> Sent: Friday, May 09, 2003 10:04 AM
> To: openldap
> Subject: ldap traffic encryption with kerberos
> 
> 
> When I use the ldapsearch tool, along with Kerberos
> authentication with the server, I notice that the
> traffic is encrypted.
> 
> I recently wrote my own tool that uses the same
> openldap libraries. Following the Samba 3.0 "net"
> example, I bypassed SASL and just use GSSAPI
> directly.
> I am able to perform Kerberos authentication with the
> server just fine, but for some reason my traffic is
> *not* encrypted.
> 
> Does anyone have any idea why? Is there an option I
> need to set for my LDAP connection, or is this purely a
> function of the lower level authentication/encryption
> library (in this case Heimdal Kerberos)? If the
> latter, does anyone have any ideas?
> 
> Thanks,
> Dave
> 
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Search - Faster. Easier. Bingo.
> http://search.yahoo.com