Secure authentication to AD

Frank Balluffi frank.balluffi at
Thu Aug 12 09:40:26 EDT 2004


As Paul Nelson said (I accidentally deleted his message), it is possible 
to access Active Directory via LDAP using SASL from Linux and UNIX using 
OpenLDAP, Cyrus SASL and MIT Kerberos. Please note that you need to run 
kinit before running your program. Here are two examples:


"Pal, Dmitri" <dpal at>
Sent by: krbdev-bounces at
08/11/2004 06:42 PM

        To:     <krbdev at>
        Subject:        Secure authentication to AD


I have the following issue:

a) Active directory
b) User login and password
c) Free Netscape LDAPv3 C library that has been downloaded couple years 

a) Connect to Active directory securely and get some information
b) Use a simple solution (does not seem to fly though...)

I tried binding to LDAP with a simple login and password bind and that 
works until the Active Directory is hardened. With simple bind the 
password is sent in clear and this is not acceptable.
So I need to do it in a secure way.

Obvious choice is SASL. Investigating further I realised that the industry 
standard and the SASL method implemented by Microsoft is 
Am I on the right track?

Assuming yes and moving forward. 

I was looking around for some good explanation of how the things work 
together. But I do not have a clear view.
I looked at the RFCs, different code samples, diagrams, flow charts etc.
The picture that I now have in mind is the following:

SASL is just a pipe between the client and server.
GSSAPI is responsible for creating the credential that is sent through 
SASL to Active Directory.

As far as I understand the Active Directory is my KDC in this case.

So I initialize gss context using GSS api. That creates some data that is 
sent to the AD via LDAP SASL bind. Server cracks this data using GSS api 
on its side and creates TGT ticket which it sends back (encrypted with 
user password). Correct?

But now what? Where do I need to supply the password? 
I have not found any place in any function in GSSAPI (maybe I have not 
looked deeply enough) where I need to pass in the password for the user 
account.

As far as I understand the GSSAPI Kerberosv5 implementation should be self 
contained - i.e. internally it does not do any communication with KDC. All 
the credential information is passed in, it does the processing, signing, 
etc. and creates the security token that I need to send over to server 
through some mechanism (in my case LDAP SASL). 

If this is the case then the server at some point should check my 
This is the only thing I have!

I cannot rely on having any other credential from previous (local) 
authentication because the software I am developing should be platform 
independent (UNIX, Linux, Windows), so the TGT that one can have on Windows 
is not available on UNIX. And please do not tell me that to solve this 
problem from UNIX the only way is to install the KDC on UNIX and establish 
trust with AD - that would be too 

I am really looking for some example that would take the login and password 
that I have in possession, convert them to whatever is needed using the GSSAPI 
Kerberosv5 method and feed it to the SASL LDAP bind.



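Frank's two examples did not survive in this archive copy. What follows is an added example, not from either poster, showing the UNIX-side sequence his reply describes: the password is consumed once by kinit (which sends it to the KDC, i.e. the AD domain controller, and caches a TGT), and the LDAP bind then uses SASL/GSSAPI with no password at all, because the GSSAPI Kerberos mechanism picks the TGT up from the credential cache. It uses OpenLDAP's ldapsearch rather than the Netscape C library mentioned in the question; the realm EXAMPLE.COM, the domain controller dc1.example.com and the base DN are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original thread): authenticate to Active Directory
# over LDAP with SASL/GSSAPI from UNIX using MIT Kerberos + OpenLDAP tools.
# The realm, domain controller and base DN below are placeholders.
set -eu

REALM="${REALM:-EXAMPLE.COM}"            # assumed AD realm (Kerberos realms are upper-case)
DC="${DC:-dc1.example.com}"              # assumed domain controller; must match its SPN in DNS
BASE_DN="${BASE_DN:-DC=example,DC=com}"  # assumed search base

# principal_for USER [DOMAIN]: build USER@REALM. A name that already carries a
# realm is returned unchanged; a lower-case domain is upper-cased into a realm.
principal_for() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$(printf '%s' "${2:-$REALM}" | tr '[:lower:]' '[:upper:]')" ;;
    esac
}

# have_tgt: true if the default credential cache holds a non-expired TGT.
have_tgt() { klist -s 2>/dev/null; }

# ensure_tgt PRINCIPAL: the only place the password enters the picture on UNIX.
# kinit sends an AS-REQ to the KDC (the AD domain controller) and stores the TGT
# in the credential cache; GSSAPI later reads it from there. The LDAP server
# never sees the password.
ensure_tgt() {
    if ! have_tgt; then
        kinit "$1"
    fi
}

# ad_search FILTER [ATTR...]: SASL bind with the GSSAPI mechanism. No -D/-w:
# the identity comes from the TGT. -O minssf=1 refuses a bind that negotiates
# no integrity layer, which also satisfies a DC set to require LDAP signing.
# -N keeps ldapsearch from reverse-resolving the DC name before building the SPN.
ad_search() {
    ldapsearch -LLL -Q -N -Y GSSAPI -O minssf=1 \
        -H "ldap://$DC" -b "$BASE_DN" "$@"
}

main() {
    user="$1"; shift
    for tool in kinit klist ldapsearch; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; exit 1; }
    done
    ensure_tgt "$(principal_for "$user")"
    ad_search "${1:-(sAMAccountName=$user)}" cn mail memberOf
}

# Usage: ./ad_gssapi_search.sh jdoe ['(objectClass=computer)']
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `./ad_gssapi_search.sh jdoe`; kinit prompts for the password only when `klist -s` reports no usable TGT, and the subsequent ldapsearch carries no credentials of its own. If the bind fails with a "server not found in Kerberos database" style error, the host given to -H does not match the domain controller's service principal name; use the DC's real DNS name, not an alias or IP address.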