Secure authentication to AD
frank.balluffi at db.com
Thu Aug 12 09:40:26 EDT 2004
As Paul Nelson said (I accidentally deleted his message), it is possible
to access Active Directory via LDAP using SASL from Linux and UNIX using
OpenLDAP, Cyrus SASL and MIT Kerberos. Please note that you need to run
kinit before running your program. Here are two examples:
"Pal, Dmitri" <dpal at rsasecurity.com>
Sent by: krbdev-bounces at mit.edu
08/11/2004 06:42 PM
To: <krbdev at mit.edu>
Subject: Secure authentication to AD
I have the following issue:
a) Active directory
b) User login and password
c) Free Netscape LDAPv3 C library that has been downloaded a couple of years
a) Connect to Active directory securely and get some information
b) Use a simple solution (does not seem to fly though...)
I tried binding to LDAP with a simple login and password bind and that
works until the Active Directory is hardened. With simple bind the
password is sent in clear and this is not acceptable.
So I need to do it in a secure way.
The obvious choice is SASL. Investigating further I realised that the industry
standard and the SASL method implemented by Microsoft is
Am I on the right track?
Assuming yes and moving forward.
I was looking around for some good explanation of how the things work
together. But I do not have a clear view.
I looked at the RFCs, different code samples, diagrams, flow charts etc.
The picture that I now have in mind is following:
SASL is just a pipe between the client and server.
GSSAPI is responsible for creating the credential that is sent through
SASL to Active Directory.
As far as I understand the Active Directory is my KDC in this case.
So I initialize a GSS context using the GSS API. That creates some data that is
sent to the AD via LDAP SASL bind. The server cracks this data using the GSS API
on its side and creates a TGT ticket which it sends back (encrypted with the
user password). Correct?
But now what? Where do I need to supply the password?
I have not found any place in any function in GSSAPI (maybe I have not
looked deeply enough) where I need to pass in the password for the user account?
As far as I understand the GSSAPI Kerberos v5 implementation should be self
contained - i.e. internally it does not do any communication with the KDC. All
the credential information is passed in, it does the processing, signing,
etc. and creates the security token that I need to send over to the server
through some mechanism (in my case LDAP SASL).
If this is the case then the server at some point should check my
This is the only thing I have!
I cannot rely on having any other credential from previous (local)
authentication because the software I am developing should be platform
independent (UNIX, Linux, Windows) so the
TGT that one can have on windows is not available on UNIX. And please do
not tell me that to solve this problem from UNIX the only way is to
install the KDC on UNIX and establish trust with AD - that would be too
I am really looking for some example that would take the login and password
that I have in possession, convert them to whatever is needed using the GSSAPI
Kerberos v5 method and feed it to the SASL LDAP bind.
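The procedure Frank describes (run kinit first, then bind to AD over LDAP with SASL GSSAPI using OpenLDAP, Cyrus SASL and MIT Kerberos) as an added shell example; it is not code from either poster. The host dc1.example.com, the realm and the principal are placeholders, and the base DN is derived from the realm of the ticket in the cache.

```shell
#!/bin/sh
# Query Active Directory over LDAP with a SASL GSSAPI bind. No password is
# handled here: the Kerberos TGT obtained with kinit is the only credential.

realm_to_basedn() {
    # Map a Kerberos realm to the AD domain's default naming context,
    # e.g. EXAMPLE.COM -> dc=example,dc=com (DN matching is case-insensitive).
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^/dc=/; s/\./,dc=/g'
}

realm_from_klist() {
    # Pull the realm out of MIT `klist` output read on stdin
    # ("Default principal: user@REALM").
    sed -n 's/^Default principal: [^@]*@//p'
}

ensure_tgt() {
    # `klist -s` exits 0 only when the cache holds a valid, unexpired TGT;
    # without one the GSSAPI bind fails, so tell the caller to kinit first.
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos TGT in the credential cache; run: kinit user@REALM" >&2
        return 1
    fi
}

ad_search() {
    # $1 = domain controller host, $2 = LDAP filter, remaining args = attributes
    dc_host=$1; filter=$2; shift 2
    ensure_tgt || return 1
    realm=$(klist | realm_from_klist)
    base=$(realm_to_basedn "$realm")
    # -Y GSSAPI: SASL bind with the ticket instead of a simple (cleartext) bind.
    # -O minssf=1: insist on at least SASL integrity protection (signing), so a
    #              downgraded, unprotected session is refused client-side too.
    ldapsearch -LLL -H "ldap://$dc_host" -Y GSSAPI -O minssf=1 \
        -b "$base" "$filter" "$@"
}

# Usage (placeholder host and filter):
#   kinit dpal@EXAMPLE.COM
#   sh ad_search.sh dc1.example.com '(sAMAccountName=dpal)' mail memberOf
if [ $# -ge 2 ]; then
    ad_search "$@"
fi
```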