
I am dealing with an issue where I connect to a user-provided LDAP server, but sometimes the hostname is not available for the server. I either have the IP address or the hostname at a given time.

I am able to fetch the IP address from the given hostname, but there is no DNS mapping available in my /etc/hosts for me to obtain the hostname from the IP address.

I couldn't find any method to avoid the hostname being used in the authentication process and just proceed with the IP address. I wanted to check if this is possible.

Can I tell Kerberos to skip the hostname and only authenticate using the IP address?

I tried most of the options provided in https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#domain-realm but nothing helped me skip the hostname check.

// Connect by IP address, then attempt a GSSAPI bind through the interactive SASL path
context = LDAPConnectionPtr(new LDAPConnection(authSrv.getIP(), authSrv.getPort()));
context->saslInteractiveBind("GSSAPI", LDAP_SASL_INTERACTIVE, new Sasl());

Following is the error that I am facing:

SASL/GSSAPI authentication started
Sasl::handleInteractions()
SASL Prompt: Please enter your authorization name
Caught LDAP Bind exception: Error -2: Local error
Vicky

1 Answer


You cannot use IP addresses with Kerberos; it must be hostnames. Moreover, you don't do an interactive bind in scripts unless a human uses it permanently. Use the non-interactive bind (hence the error you see).

This perfectly works in Python:

import ldap

url = 'ldap://ad.company.com'   # hostname, never an IP address
directory = ldap.initialize(url)
directory.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
# non-interactive GSSAPI bind using the Kerberos credential cache
directory.sasl_non_interactive_bind_s('GSSAPI')
Michael-O
  • No, the bind function works properly when a valid hostname is provided. It just breaks down if I try with a valid IP, username, password, realm, domain and AD path and insert a dummy hostname. Also, if I mention it in my /etc/hosts and set rdns = true in krb5.conf, things work as expected. But I may not always have the reverse DNS mapped in production, hence I was trying with just the IP address. – Vicky Jul 01 '19 at 15:33
  • Again, you cannot use IP addresses, even if you disable reverse DNS lookup in OpenLDAP (which it does, at least `ldapsearch(1)`), and you cannot provide a principal and a password. Cyrus SASL does not support it (`gss_acquire_cred_with_password()`). Look into the source code and you will see. YOU must provide the `gss_cred_t`. – Michael-O Jul 01 '19 at 16:57
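The question and the answer above turn on one fact: a GSSAPI bind to LDAP requests a Kerberos ticket for the service principal ldap/<fqdn>@<REALM>, and that name can only be formed from a hostname. The following helper is an added example (it is not code from the question, the answer, or any library) that applies that rule before the bind is attempted: an IP literal is accepted only when a reverse (PTR) mapping exists, which is exactly the condition the `rdns = true` comment above relies on, and otherwise it fails with a clear message instead of the opaque "Local error" from SASL. The realm `COMPANY.COM`, the `reverse_lookup` parameter and the sample PTR table are constructed for the example; `ad.company.com` is the hostname from the answer.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Added example, not part of the original question or answer.
# It models how a Kerberos LDAP client derives the service principal
# name (SPN) it needs, and why an IP address without a PTR record
# cannot be used for a GSSAPI bind.


def is_ip_literal(target: str) -> bool:
    """True if `target` parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def build_ldap_spn(fqdn: str, realm: str) -> str:
    """Service principal the client requests a ticket for: ldap/<fqdn>@<REALM>."""
    return f"ldap/{fqdn.rstrip('.').lower()}@{realm.upper()}"


def _system_reverse_lookup(ip: str) -> Optional[str]:
    """Reverse lookup via the system resolver and /etc/hosts; None if unmapped."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def resolve_bind_host(
    target: str,
    realm: str,
    reverse_lookup: Optional[Callable[[str], Optional[str]]] = None,
) -> Tuple[str, str]:
    """
    Turn the user-supplied target (hostname or IP) into the hostname that
    Kerberos needs, plus the SPN that will be requested for it.

    An IP literal is usable only if a reverse mapping exists (what
    rdns = true in krb5.conf depends on). With no PTR record there is no
    hostname to put in the SPN, so fail early with an explicit reason.
    """
    if reverse_lookup is None:
        reverse_lookup = _system_reverse_lookup  # hypothetical injection point
    if is_ip_literal(target):
        fqdn = reverse_lookup(target)
        if not fqdn:
            raise ValueError(
                f"{target} has no reverse DNS mapping; Kerberos needs a "
                "hostname to form the service principal ldap/<fqdn>@<REALM>"
            )
    else:
        fqdn = target
    return fqdn, build_ldap_spn(fqdn, realm)


if __name__ == "__main__":
    # Constructed PTR table standing in for the resolver.
    ptr_table = {"10.1.2.3": "ad.company.com"}
    print(resolve_bind_host("ad.company.com", "COMPANY.COM", ptr_table.get))
    print(resolve_bind_host("10.1.2.3", "COMPANY.COM", ptr_table.get))
    try:
        resolve_bind_host("192.0.2.9", "COMPANY.COM", ptr_table.get)
    except ValueError as exc:
        print("refused:", exc)
```

The hostname returned by `resolve_bind_host` is what belongs in the `ldap://` URL passed to `ldap.initialize()` before the non-interactive `sasl_non_interactive_bind_s('GSSAPI')` call; passing the raw IP there instead leaves the client unable to name the service principal, which is the failure the question describes.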