Secure authentication to AD
nelson at thursby.com
Thu Aug 12 08:53:52 EDT 2004
You might consider using openldap. I'm not very familiar with the Netscape
library, but I've done exactly what you want to do with openldap.
Basic flow in the client is this:
1) write a function that can prompt or obtain password info for your app
2) initialize the ldap context with ldap_init
3) set SASL properties as needed with ldap_set_option( serv, LDAP_OPT_X_SASL_SECPROPS, (void *) gSecProps );
4) Set other ldap options not related to security (timeouts etc)
5) call ldap_sasl_interactive_bind_s and pass your function (item 1) for
interacting with sasl.
Your function that interacts with sasl will be called for various info, such
as username and password. You could be called for realm info, but I don't
think the current cyrus gssapi stuff does that.
One other thing - you need a sasl plug-in that does gssapi. This isn't part
of the ldap libraries, and it isn't part of the kerberos libraries either.
It should be part of your sasl library but it doesn't always come that way
on all platforms.
Since you need to use Kerberos creds that are possibly different from the
ones a user may have as a result of logging in, you might need to set an
environment variable to use a different credential cache, although this
would be very unfortunate since it breaks the whole concept of single sign
on. You might consider making this feature a user option. Using an
alternate credential cache should be part of the kerberos library, so look
there for further info. Also, there should be a gss_krb5_ccache_name that
is not really part of GSSAPI (Am I wrong?) that helps the gss code know what
credential cache to use.
> From: "Pal, Dmitri" <dpal at rsasecurity.com>
> Date: Wed, 11 Aug 2004 18:42:55 -0400
> To: <krbdev at mit.edu>
> Subject: Secure authentication to AD
> I have the following issue:
> a) Active directory
> b) User login and password
> c) Free Netscape LDAPv3 C library that has been downloaded a couple of years ago
> a) Connect to Active directory securely and get some information
> b) Use a simple solution (does not seem to fly though...)
> I tried binding to LDAP with a simple login and password bind and that works
> until the Active Directory is hardened. With simple bind the password is sent
> in clear and this is not acceptable.
> So I need to do it in a secure way.
> Obvious choice is SASL. Investigating further I realised that the industry
> standard and the SASL method implemented by Microsoft is GSSAPI-Kerberosv5.
> Am I on the right track?
> Assuming yes and moving forward.
> I was looking around for some good explanation of how the things work
> together. But I do not have a clear view.
> I looked at the RFCs, different code samples, diagrams, flow charts etc.
> The picture that I now have in mind is the following:
> SASL is just a pipe between the client and server.
> GSSAPI is responsible for creating the credential that is sent through SASL to
> Active Directory.
> As far as I understand the Active Directory is my KDC in this case.
> So I initialize gss context using GSS api. That creates some data that is
> sent to the AD via LDAP SASL bind. Server cracks this data using GSS api on
> its side and creates TGT ticket which it sends back (encrypted with user
> password). Correct?
> But now what? Where do I need to supply the password?
> I have not found any place in any function in GSSAPI (maybe I have not looked
> deeply enough)
> where I need to pass in the password for the user account?
> As far as I understand the GSSAPI Kerberosv5 implementation should be self
> contained - i.e. internally it does not do any communication with KDC. All the
> credential information is passed in, it does the processing signing, etc. and
> creates the security token that I need to send over to server through some
> (in my case LDAP SASL).
> If this is the case then the server at some point should check my password!
> This is the only thing I have!
> I cannot rely on having any other credential from previous (local)
> authentication because the software
> I am developing should be platform independent (UNIX,Linux,Windows) so the TGT
> that one can have on windows is not available on UNIX. And please do not tell
> me that to solve this problem from UNIX the only way is to install the KDC on
> UNIX and establish trust with AD - that would be too much.
> I am really looking for some example that would take login and password that
> I have in my possession, convert to whatever is needed using GSSAPI Kerberosv5
> method and feed it to SASL LDAP bind.