I managed to perform an LDAP SASL bind over GSSAPI, using ldap_sasl_bind_s
. For those interested, here are some pointers.
For an abstract description of the actions a client and server need to perform during a GSSAPI SASL authentication, "The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism" RFC should be read; specifically, the 'Client Side of Authentication Protocol Exchange' section is of interest, because it gives an indication of the sequence of actions we need to perform to successfully bind to an LDAP server over Kerberos.
The credentials ldap_sasl_bind_s
expects - their form and their meaning - depend on the actual authentication mechanism being used, which in our case is Kerberos.
In the Microsoft SDK, Kerberos is available through SSPI - which is roughly the Microsoft implementation of GSSAPI; the methods that are relevant for our particular case are: AcquireCredentialsHandle
, InitializeSecurityContext
, DecryptMessage
, EncryptMessage
An LDAP SASL bind over Kerberos has 3 phases.
Phase 1
Call AcquireCredentialsHandle
and InitializeSecurityContext
.
Important notes here:
- pass to
AcquireCredentialsHandle
a pointer to a SEC_WINNT_AUTH_IDENTITY
structure containing the actual credentials (realm, username, password), or NULL
if the credentials of the current thread are to be used
- the target name should be an SPN mapped to the account under which the LDAP server is running
- when calling
InitializeSecurityContext
, mutual authentication must be requested.
If all important arguments are correct - valid credentials, valid SPN, NULL
input token - the InitializeSecurityContext
call should return SEC_I_CONTINUE_NEEDED
and properly fill the output token. The contents of this output token should go in the BERVAL
structure ldap_sasl_bind_s
expects as client credentials.
Call ldap_sasl_bind_s
with the output token from InitializeSecurityContext
as client credentials. If all arguments are correct - empty DN, GSSAPI as the mechanism name - the actual call should return LDAP_SUCCESS
and the most recent LDAP error for the LDAP session should be LDAP_SASL_BIND_IN_PROGRESS
.
As a side note, the most recent LDAP error for an LDAP session can be discovered by calling ldap_get_option
on the session, with LDAP_OPT_ERROR_NUMBER
as the option.
Phase 2
After the successful call to ldap_sasl_bind_s
, its last argument points to a BERVAL
structure containing the server credentials. The content of this BERVAL
structure should now be used as the input token for the second call to InitializeSecurityContext
.
This second call to InitializeSecurityContext
should return SEC_OK
and an empty output token.
This empty output token should be used as the client credentials for another call to ldap_sasl_bind_s
. This second call to ldap_sasl_bind_s
should return LDAP_SUCCESS
, with the most recent LDAP error for the LDAP session being LDAP_SASL_BIND_IN_PROGRESS
.
Phase 3
After the second successful call to ldap_sasl_bind_s
, its last argument points to a BERVAL
structure containing server data. This server data should be given as input to DecryptMessage
. As specified in the previously mentioned RFC, the decrypted data must be 4 bytes long.
The client should build its reply according to the information in the same RFC.
Note: In my case, I omitted the authorization id mentioned in the RFC. To my understanding, an empty authorization id leads to the authentication id being used for authorization as well.
The reply the client built should then be passed as input to EncryptMessage
. The output of the EncryptMessage
call should then be passed as the client credentials for the third and final call to ldap_sasl_bind_s
.
Note: The MSDN documentation for using EncryptMessage
under Kerberos seems to be incomplete. Google's Code Search should assist with a working example. Also, for a working example of the flow described above, Samba's source code can be consulted.