
I'm currently trying to implement SASL/EXTERNAL auth for an OpenLDAP client written in Golang.

In other words, I want to load the following data:

ldapsearch -Y EXTERNAL -H ldapi:// -s base -b 'olcDatabase={1}mdb,cn=config' olcSyncRepl

I'm using the https://github.com/go-ldap/ldap library. Unfortunately, the library supports simple authentication only. I'm happy to implement SASL/EXTERNAL, but I could not figure out how the protocol works. For example, https://ldap.com/ldapv3-wire-protocol-reference-bind/ explains the CRAM-MD5 authentication process.

I want to get the same explanation for SASL/EXTERNAL.

I connected to the unix socket (ldapi://) successfully. But I don't understand what kind of commands I need to send programmatically to complete authentication.

regeda
  • It's a bit dense, but the RFC has the SASL spec & message format: https://tools.ietf.org/html/rfc4511. Cross referencing that with the go-ldap package source may get you further along. – colm.anseo Oct 08 '19 at 02:48

1 Answer


I found the solution.

First of all, you need to connect to the unix socket. Usually, the socket is located at /var/run/slapd/ldapi.

Then you need to make a simple bind with two changes:

  1. the username should be empty
  2. you need to specify that you want to use SASL authentication

import ber "gopkg.in/asn1-ber.v1" // the ASN.1 BER package go-ldap used at the time; newer releases import github.com/go-asn1-ber/asn1-ber

const ApplicationBindRequest = 0 // go-ldap constant: BindRequest is [APPLICATION 0] in RFC 4511

// BindRequest: version 3, empty name, and the sasl [3] AuthenticationChoice instead of simple [0]
pkt := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
pkt.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
pkt.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))

// SaslCredentials: mechanism "EXTERNAL" with empty credentials; the identity comes from the socket peer
saslAuth := ber.Encode(ber.ClassContext, ber.TypeConstructed, 3, "", "authentication")
saslAuth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "EXTERNAL", "SASL Mech"))
saslAuth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "SASL Cred"))

pkt.AppendChild(saslAuth) // pkt is then wrapped in the LDAPMessage envelope (SEQUENCE { messageID, pkt }) and sent

This is the PR https://github.com/go-ldap/ldap/pull/232.

regeda
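Added example, not part of the question, the answer or go-ldap: the same BindRequest the answer describes, encoded by hand with only the Go standard library so the exact bytes that cross the ldapi socket are visible, plus a parser for the BindResponse the server sends back. The tags (BindRequest [APPLICATION 0] = 0x60, sasl AuthenticationChoice [3] = 0xA3, BindResponse [APPLICATION 1] = 0x61) and the resultCode values come from RFC 4511, the spec the comment on the question points to. The function names (tlv, next, SASLExternalBindRequest, ParseBindResponse) are mine, and both sample responses are constructed, not captured from a real slapd. Two caveats for anyone wiring this into a client: over ldapi:// slapd takes the identity from the peer's uid and gid (SO_PEERCRED) and maps it to a DN of the form gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth, so the process must run as a uid that the olcAccess rules on cn=config actually grant access to; and a non-zero resultCode means the bind failed, so the client must not go on to issue the search as if it were authenticated.

```go
package main

import (
	"bytes"
	"fmt"
)

// tlv encodes one BER tag-length-value triplet in definite-length form.
func tlv(tag byte, content []byte) []byte {
	out := []byte{tag}
	if n := len(content); n < 0x80 {
		out = append(out, byte(n))
	} else { // long form: 0x80|count, then the big-endian length bytes
		var lb []byte
		for v := n; v > 0; v >>= 8 {
			lb = append([]byte{byte(v)}, lb...)
		}
		out = append(append(out, 0x80|byte(len(lb))), lb...)
	}
	return append(out, content...)
}

// SASLExternalBindRequest builds LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
// name "", authentication sasl [3] { mechanism "EXTERNAL", credentials "" } } } (RFC 4511 section 4.2).
func SASLExternalBindRequest(messageID byte) []byte {
	version := tlv(0x02, []byte{3})           // INTEGER 3
	name := tlv(0x04, nil)                    // LDAPDN "": the identity comes from the transport
	mech := tlv(0x04, []byte("EXTERNAL"))     // SaslCredentials.mechanism
	creds := tlv(0x04, nil)                   // SaslCredentials.credentials, left empty
	auth := tlv(0xA3, append(mech, creds...)) // [3] sasl: context-specific, constructed
	bind := tlv(0x60, bytes.Join([][]byte{version, name, auth}, nil))
	return tlv(0x30, append(tlv(0x02, []byte{messageID}), bind...))
}

// beInt decodes a short unsigned big-endian INTEGER/ENUMERATED body (or a long-form length).
func beInt(b []byte) (n int) {
	for _, c := range b {
		n = n<<8 | int(c)
	}
	return n
}

// next reads one TLV from the front of b, checks its tag, and returns content and remainder.
func next(b []byte, want byte) (content, rest []byte, err error) {
	if len(b) < 2 || b[0] != want {
		return nil, nil, fmt.Errorf("expected tag 0x%02x at %x", want, b)
	}
	n, off := int(b[1]), 2
	if n&0x80 != 0 { // long-form length: 0x80|count, then count big-endian bytes
		k := n & 0x7F
		if k == 0 || k > 3 || len(b) < 2+k {
			return nil, nil, fmt.Errorf("bad length encoding at %x", b)
		}
		n, off = beInt(b[2:2+k]), 2+k
	}
	if len(b) < off+n {
		return nil, nil, fmt.Errorf("element truncated: need %d bytes, have %d", n, len(b)-off)
	}
	return b[off : off+n], b[off+n:], nil
}

// BindResult is the decoded BindResponse [APPLICATION 1]; referral and serverSaslCreds are ignored.
type BindResult struct {
	MessageID, ResultCode int
	MatchedDN, Diagnostic string
}

// ParseBindResponse walks LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }.
func ParseBindResponse(msg []byte) (BindResult, error) {
	var err error
	get := func(b []byte, tag byte) (c, rest []byte) { // reader with a sticky first error
		if err == nil {
			c, rest, err = next(b, tag)
		}
		return c, rest
	}
	body, _ := get(msg, 0x30)   // LDAPMessage SEQUENCE
	id, body := get(body, 0x02) // messageID INTEGER
	resp, _ := get(body, 0x61)  // BindResponse [APPLICATION 1]
	rc, resp := get(resp, 0x0A) // resultCode ENUMERATED
	dn, resp := get(resp, 0x04) // matchedDN LDAPDN
	diag, _ := get(resp, 0x04)  // diagnosticMessage
	if err != nil {
		return BindResult{}, err
	}
	return BindResult{beInt(id), beInt(rc), string(dn), string(diag)}, nil
}

// Constructed sample replies (not captured from a real slapd): success(0), and
// authMethodNotSupported(7), the RFC 4511 code for a mechanism the server does not offer.
var (
	SampleBindSuccess = []byte{0x30, 0x0C, 0x02, 0x01, 0x01, 0x61, 0x07, 0x0A, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00}
	SampleBindRefused = []byte{0x30, 0x0C, 0x02, 0x01, 0x01, 0x61, 0x07, 0x0A, 0x01, 0x07, 0x04, 0x00, 0x04, 0x00}
)

func main() {
	fmt.Printf("BindRequest: %x\n", SASLExternalBindRequest(1))
	for _, s := range [][]byte{SampleBindSuccess, SampleBindRefused} {
		r, err := ParseBindResponse(s)
		fmt.Printf("BindResponse: %+v err=%v\n", r, err)
	}
}
```

Running it prints the 26-byte request 301802010160130201030400a30c040845585445524e414c0400, which is the whole exchange from the client side: there is no challenge round for EXTERNAL, so the very next thing read from the socket is the BindResponse. To use it against a real server, dial the unix socket with net.Dial("unix", "/var/run/slapd/ldapi"), write the request, read the reply into a buffer and hand it to ParseBindResponse; only when ResultCode is 0 should the SearchRequest for olcSyncRepl follow on the same connection.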