Secure authentication to AD

Pal, Dmitri dpal at rsasecurity.com
Wed Aug 11 18:42:55 EDT 2004


Hi,

I have the following issue:

Given:
a) Active directory
b) User login and password
c) Free Netscape LDAPv3 C library that was downloaded a couple of years ago

Goal:
a) Connect to Active directory securely and get some information
b) Use a simple solution (does not seem to fly though...)

I tried binding to LDAP with a simple login and password bind, and that works until the Active Directory is hardened. With simple bind the password is sent in the clear, and this is not acceptable.
So I need to do it in a secure way.

The obvious choice is SASL. Investigating further, I realised that the industry standard and the SASL method implemented by Microsoft is GSSAPI-Kerberosv5.
Am I on the right track?

Assuming yes and moving forward. 

I was looking around for some good explanation of how things work together, but I do not have a clear view.
I looked at the RFCs, different code samples, diagrams, flow charts, etc.
The picture that I now have in mind is the following:

SASL is just a pipe between the client and server.
GSSAPI is responsible for creating the credential that is sent through SASL to Active Directory.

As far as I understand the Active Directory is my KDC in this case.

So I initialize a GSS context using the GSS API. That creates some data that is sent to the AD via LDAP SASL bind. The server cracks this data using the GSS API on its side and creates a TGT ticket, which it sends back (encrypted with the user password). Correct?

But now what? Where do I need to supply the password?
I have not found any place in any function in GSSAPI (maybe I have not looked deeply enough)
where I need to pass in the password for the user account.

As far as I understand, the GSSAPI Kerberosv5 implementation should be self-contained, i.e. internally it does not do any communication with the KDC. All the credential information is passed in, it does the processing, signing, etc. and creates the security token that I need to send over to the server through some mechanism
(in my case LDAP SASL).

If this is the case then the server at some point should check my password!
This is the only thing I have!

I cannot rely on having any other credential from a previous (local) authentication because the software
I am developing should be platform independent (UNIX, Linux, Windows), so the TGT that one can have on Windows is not available on UNIX. And please do not tell me that to solve this problem from UNIX the only way is to install the KDC on UNIX and establish trust with AD - that would be too much.

I am really looking for some example that would take the login and password that I have in my possession, convert them to whatever is needed using the GSSAPI Kerberosv5 method and feed it to the SASL LDAP bind.

Help!!!

Thanks
Dmitri
