
Re: Windows SSPI, NTLMSSP and OpenLDAP with SASL/GSSAPI



Diego Morales wrote:
> Hello,
> 
> I have a proprietary windows application trying to bind on my OpenLDAP
> server using GSSAPI with NTLMSSP mechanism, instead of Kerberos. Is it
> possible to support this on a (unix) OpenLDAP server?

Yes, but this has nothing to do with OpenLDAP software. All of SASL/GSSAPI is
handled by the Cyrus SASL library. The Cyrus GSSAPI implementation depends on
the underlying GSSAPI library, which may be provided by MIT Kerberos or
Heimdal Kerberos. The Heimdal library definitely supports GSSAPI/NTLMSSP, I'm
not sure if the MIT library does or not.

It sounds like your installation is not using Heimdal.

> Another option would be to make the software use GSSAPI + Kerberos
> instead. Let me further explain:
> 
> I have a working samba + openldap setup with many windows
> workstations. The said proprietary app has LDAP auth support, and
> according to its maker it works with Active Directory and Novell NDS.
> It does not support simple bind, nor LDAPS (and probably not StartTLS
> either). We don't have access to the app's source code and help from
> its developers/tech-support is pretty unavailable.
> 
> Checking slapd's debug, we saw the app trying to use SASL+GSSAPI to
> bind. So we went on and configured a minimal Kerberos setup and
> SASL+GSSAPI support for OpenLDAP on a test ldap server. It seems to be
> working perfectly. We acquire a ticket and run ldapsearch from another
> machine using -Y GSSAPI bind and it works. Logs from slapd debug seem
> ok.
> 
> But that evil app still fails. Here's a piece from slapd debug log:
> 
> conn=1000 op=1 do_bind
> ber_scanf fmt ({imt) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8813 end=0x7f73f6af8856 len=67
>   0000:  60 84 00 00 00 3d 02 01  03 04 00 a3 84 00 00 00   `....=..........
>   0010:  32 04 06 47 53 53 41 50  49 04 28 4e 54 4c 4d 53   2..GSSAPI.(NTLMS
>   0020:  53 50 00 01 00 00 00 97  82 08 e2 00 00 00 00 00   SP..............
>   0030:  00 00 00 00 00 00 00 00  00 00 00 06 01 b1 1d 00   ................
>   0040:  00 00 0f                                           ...
> ber_scanf fmt ({m) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af881e end=0x7f73f6af8856 len=56
>   0000:  00 84 00 00 00 32 04 06  47 53 53 41 50 49 04 28   .....2..GSSAPI.(
>   0010:  4e 54 4c 4d 53 53 50 00  01 00 00 00 97 82 08 e2   NTLMSSP.........
>   0020:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
>   0030:  06 01 b1 1d 00 00 00 0f                            ........
> ber_scanf fmt (m) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af882c end=0x7f73f6af8856 len=42
>   0000:  00 28 4e 54 4c 4d 53 53  50 00 01 00 00 00 97 82   .(NTLMSSP.......
>   0010:  08 e2 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
>   0020:  00 00 06 01 b1 1d 00 00  00 0f                     ..........
> ber_scanf fmt (}}) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8856 end=0x7f73f6af8856 len=0
> 
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> conn=1000 op=1 BIND dn="" method=163
> do_bind: dn () SASL mech GSSAPI
> ==> sasl_bind: dn="" mech=GSSAPI datalen=40
> SASL [conn=1000] Failure: GSSAPI Error: An unsupported mechanism was
> requested (Unknown error)
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=49 matched="" text="SASL(-13): authentication
> failure: GSSAPI Failure: gss_accept_sec_context"
> send_ldap_response: msgid=11 tag=97 err=49
> ber_flush2: 87 bytes to sd 13
>   0000:  30 55 02 01 0b 61 50 0a  01 31 04 00 04 49 53 41   0U...aP..1...ISA
>   0010:  53 4c 28 2d 31 33 29 3a  20 61 75 74 68 65 6e 74   SL(-13): authent
>   0020:  69 63 61 74 69 6f 6e 20  66 61 69 6c 75 72 65 3a   ication failure:
>   0030:  20 47 53 53 41 50 49 20  46 61 69 6c 75 72 65 3a    GSSAPI Failure:
>   0040:  20 67 73 73 5f 61 63 63  65 70 74 5f 73 65 63 5f    gss_accept_sec_
>   0050:  63 6f 6e 74 65 78 74                               context
> ldap_write: want=87, written=87
>   0000:  30 55 02 01 0b 61 50 0a  01 31 04 00 04 49 53 41   0U...aP..1...ISA
>   0010:  53 4c 28 2d 31 33 29 3a  20 61 75 74 68 65 6e 74   SL(-13): authent
>   0020:  69 63 61 74 69 6f 6e 20  66 61 69 6c 75 72 65 3a   ication failure:
>   0030:  20 47 53 53 41 50 49 20  46 61 69 6c 75 72 65 3a    GSSAPI Failure:
>   0040:  20 67 73 73 5f 61 63 63  65 70 74 5f 73 65 63 5f    gss_accept_sec_
>   0050:  63 6f 6e 74 65 78 74                               context
> conn=1000 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication
> failure: GSSAPI Failure: gss_accept_sec_context
> 
> (btw, this is slapd 2.4.21, from a 10.04 ubuntu package)
> 
> I believe the application uses Windows SSPI, and I know SSPI supports
> several GSSAPI mechanisms, including NTLMSSP and Kerberos. I'm afraid
> Windows is auto-selecting NTLMSSP because it's running on a pre-Windows
> 2000 domain (non-AD, in this case, Samba). Hoping to make Windows use
> Kerberos instead, I've also tried publishing some SRV records on DNS.
> I have sniffed DNS queries from the workstation while the app tries to
> login, caught only one _ldap._tcp SRV request, registered that ... and
> nothing has changed.
> 
> I don't know how I could force the app to use GSSAPI + Kerberos
> without touching its source code. And I can't find much about a unix
> NTLM(SSP)-as-a-mechanism-of-GSSAPI implementation. Maybe there's
> something inside samba4 or in Likewise software, but I haven't found
> it yet.
> 
> So ... does somebody have any advice or info?
> 
> Thanks in advance,
> 
> 
> Diego Morales
> +55 (51) 3024-3568
> Propus Informática LTDA.
> http://www.propus.com.br
> 
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
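The slapd trace above says "SASL mech GSSAPI" but the credentials it carries are an NTLMSSP NEGOTIATE message, which is what the `An unsupported mechanism was requested` failure from `gss_accept_sec_context` is really about. The script below is an added example (not code from the thread, from OpenLDAP or from Cyrus SASL) that rebuilds the bytes from a `ber_dump` block, walks the BER-encoded BindRequest and reports which GSS-API token the client actually sent, so an administrator can settle that question from the log before chasing Kerberos configuration. It assumes liblber's fixed-width dump layout as shown in the thread, the NTLMSSP NEGOTIATE layout from MS-NLMP, and the standard mechanism OIDs for Kerberos 5, Microsoft Kerberos and SPNEGO; the embedded dump is the first `ber_dump` from the message above, copied as a constructed sample.

```python
"""Decode the LDAP BindRequest from a slapd ber_dump and name the GSS-API token inside."""
import re

# Constructed sample: the first ber_dump from the thread, copied verbatim.
SAMPLE_BER_DUMP = """\
  0000:  60 84 00 00 00 3d 02 01  03 04 00 a3 84 00 00 00   `....=..........
  0010:  32 04 06 47 53 53 41 50  49 04 28 4e 54 4c 4d 53   2..GSSAPI.(NTLMS
  0020:  53 50 00 01 00 00 00 97  82 08 e2 00 00 00 00 00   SP..............
  0030:  00 00 00 00 00 00 00 00  00 00 00 06 01 b1 1d 00   ................
  0040:  00 00 0f                                           ...
"""

# Well-known GSS-API mechanism OIDs (RFC 1964, MS-KILE, RFC 4178).
KNOWN_MECH_OIDS = {"1.2.840.113554.1.2.2": "Kerberos 5",
                   "1.2.840.48018.1.2.2": "Microsoft Kerberos 5",
                   "1.3.6.1.5.5.2": "SPNEGO"}
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000          # MS-NLMP NegotiateFlags bit

def bytes_from_ber_dump(text):
    """Rebuild raw bytes from liblber's fixed-width dump: the hex region is the
    50 characters after the offset colon; the ASCII column and any leading
    mail-quote markers ('> ') are ignored."""
    out = bytearray()
    for line in text.splitlines():
        line = re.sub(r"^(?:\s*>)+\s?", "", line)
        m = re.match(r"^\s*[0-9a-fA-F]{4}:(.{0,50})", line)
        if m:
            out += bytes.fromhex("".join(re.findall(r"[0-9a-fA-F]{2}", m.group(1))))
    return bytes(out)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]. Accepts long-form
    lengths like 84 00 00 00 3d, which Windows emits even when one byte would do."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length not supported")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def parse_bind_request(buf):
    """Parse an LDAP BindRequest ([APPLICATION 0], RFC 4511 section 4.2)."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x60:
        raise ValueError(f"expected BindRequest tag 0x60, got 0x{tag:02x}")
    _, version, pos = read_tlv(body, 0)          # INTEGER version
    _, name, pos = read_tlv(body, pos)           # LDAPDN name
    tag, auth, _ = read_tlv(body, pos)           # AuthenticationChoice
    result = {"version": int.from_bytes(version, "big", signed=True),
              "name": name.decode("utf-8", "replace")}
    if tag == 0x80:                              # [0] simple
        result["auth"] = "simple"
    elif tag == 0xA3:                            # [3] SaslCredentials
        _, mech, pos = read_tlv(auth, 0)
        creds = read_tlv(auth, pos)[1] if pos < len(auth) else b""
        result.update(auth="sasl", mechanism=mech.decode("ascii", "replace"),
                      credentials=creds)
    else:
        result["auth"] = f"unknown choice tag 0x{tag:02x}"
    return result

def decode_oid(raw):
    """Decode BER OID contents to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_token(creds):
    """Say which mechanism token the SASL GSSAPI credentials carry."""
    if creds.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(creds[8:12], "little")
        flags = int.from_bytes(creds[12:16], "little")
        info = {"family": "NTLMSSP", "flags": flags,
                "message": NTLM_MESSAGE_TYPES.get(msg_type, f"type {msg_type}")}
        # NEGOTIATE: 8 signature + 4 type + 4 flags + 8 domain + 8 workstation
        # fields, then an 8-byte Version field if the VERSION flag is set.
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(creds) >= 40:
            build = int.from_bytes(creds[34:36], "little")
            info["client_os"] = f"{creds[32]}.{creds[33]} build {build}"
        return info
    if creds[:1] == b"\x60":                     # RFC 2743 InitialContextToken
        _, inner, _ = read_tlv(creds, 0)
        tag, oid_raw, _ = read_tlv(inner, 0)
        if tag == 0x06:
            oid = decode_oid(oid_raw)
            return {"family": "GSS-API InitialContextToken", "oid": oid,
                    "mechanism": KNOWN_MECH_OIDS.get(oid, "unknown")}
    return {"family": "unrecognised"}

def summarize(dump_text):
    """ber_dump text in; bind fields plus a verdict on the token out."""
    bind = parse_bind_request(bytes_from_ber_dump(dump_text))
    if bind.get("auth") == "sasl":
        bind["token"] = classify_token(bind["credentials"])
    return bind

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_BER_DUMP).items():
        print(f"{key:12}: {val!r}")
```

Run it on one `ber_dump` block at a time (the one that follows `ber_scanf fmt ({imt)`, which starts at the BindRequest). For the dump in this thread it reports mechanism `GSSAPI`, a 40-byte NTLMSSP NEGOTIATE token with flags `0xe2088297`, and a client version field of 6.1 build 7601; a Kerberos client would instead show an InitialContextToken whose OID maps to Kerberos 5 or SPNEGO, which is the shape a Cyrus/MIT GSSAPI server expects.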