Using GSSAPI to Authenticate to AD

neelsmail@rediffmail.com neelsmail at rediffmail.com
Thu Aug 28 09:12:15 EDT 2008 

On Aug 27, 9:39 pm, "Michael B Allen" <iop... at gmail.com> wrote:
> On Wed, Aug 27, 2008 at 4:53 AM,  <neelsm... at rediffmail.com> wrote:
> > Hi,
>
> > I want to authenticate an Active Directory User using GSSAPI. The code
> > would be in C++. To be specific here is the scenario:
>
> > 1] End user adopts/creates one or more Active Directory users using
> > any of the AD integration packages on Linux.
> > 2] In my executable, which would be always running as root, I find out
> > that I need to use AD user and authenticate using GSSAPI
> > 3] I cannot impersonate as the user because that would change user
> > context of whole process.
> > 4] Therefore, I need to somehow find out whether there is already a
> > ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
> > GSSAPI: GSSAPI::Name->import?)
> > 5] If not, process would obtain one.
> > 6] Get the ticket and initialize the security context (Win32SDK:
> > InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
> > 7] Get the token and send it for authentication
>
> > If the process is running in the user context which needs to be
> > authenticated, it's easier and I have perl implemenation of it. But in
> > this case, since process will always be running as root, I don't know
> > if there is a way I can know/get ticket for authentication.
>
> > Is there a sample/example that can, at least in parts if not
> > completely, illustrate how this can be done using C/C++ somewhere?
>
> > I found one link on MSDN but don't know whether that's the entire flow/
> > applicable:http://msdn.microsoft.com/en-us/library/ms995352.aspx
>
> > Any comments would be welcome.
>
> GSSAPI just handles authentication. That's not terribly difficult to
> do in C++ but it's not clear how you get from GSSAPI authentication to
> creating users "using any of the AD integration packages on Linux".
> There are a lot of details to creating an application like that in
> Linux. It's a lot harder than it looks.

Thanks for responding. I think I couldn't explain very clearly. The
actual importing of AD users to Linux is done by other applications
and there are lot of them out there. My question was about post user
import. For example:

- If there are already userA, userB and userC created on the linux
machine which map to AD users (I do not need to know the mechanism how
but just that they do map to AD users)
- Now, how do I initialize the security context for userB if my
process is running in root's context?

I found one more thread about this :
http://groups.google.co.in/group/comp.protocols.kerberos/browse_thread/thread/434a62ca2c65876d/9d3d8914af3befd4?hl=en&lnk=st&q=%22gss_krb5_ccache_name%22#9d3d8914af3befd4

As mentioned in the thread above, it is possible to switch to
different user security context using gss_krb5_ccache_name. There are
problems there as well though:

- If you want switch user contexts multiple times, in multiple
threads, application's performance gets affected because initializing
security context (or one of the steps in it) is a lengthy operation -
on my setup it takes almost 5 seconds.
- I believe the switch has to be synchronized so that unless
gss_init_sec_context in one thread completes, I cannot call
gss_krb5_ccache_name from anywhere else in my application - that
increases the delay in multi threaded application even more.

That was the reason why I wanted to know whether gss_init_sec_context
somehow accepts a local parameter so that initializing security
contexts of different users can be indepenent of each other.

Thanks again,
-Neel.

>
> Incidentally there is a product called Plexcel that has worked out all
> of these details (see the link in my signature - it's also free for up
> to 25 users). With the Plexcel PHP extension you can easily create a
> web page that will authenticate someone using SPNEGO (or explicit
> Kerberos login) and then use the delegated credential to create users,
> change passwords, etc [1]. Or you can do it from the commandline. In
> fact I have a very nice little Plexcel commandline script for creating
> users that a wrote for someone else that I would be happy to give you.
> If you want a copy, or if you have any questions about Plexcel feel
> free to contact me directly through IOPLEX Software support.
>
> Mike
>
> [1] To give you an idea of what the code would look like look at the
> example on this page:http://www.ioplex.com/api/plexcel_add_object.html
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSOhttp://www.ioplex.com/- Hide quoted text -
>
> - Show quoted text -

More information about the Kerberos mailing list