I am doing development to perform Kerberos authentication from openldap with cyrus-sasl-2.1.26 libraries. However, I am new to this area, hence I have many queries. Can I get some leads here? I see the gssapi.c in libldap has wrappers which invoke core APIs of the cyrus-sasl library to do the GSS-SPNEGO or Kerberos auth. I also see that the principal name is guessed from the root DSE here. I have a certificate whose UPN is the Kerberos principal. Should I pass the UPN directly as the principal name to the gss import functions? Or is there a way to provide the entire certificate to the cyrus libraries to send it to the server as part of the AS request?
Viewed 295 times
0
- In C or command line? – Michael-O Nov 25 '20 at 12:34
- C. Need to do it programmatically – sreedhar Nov 25 '20 at 17:33
- Hi Michael, not sure why. It seems we lost all information on this site post Nov 25th. Were you able to see my last query? – sreedhar Dec 08 '20 at 07:16
- Hi Michael, I succeeded in obtaining a TGT ticket cached with kinit. Could you please send me the code that sends TGS and AP_REQ with LDAP bind? I think I lost what you had sent earlier. – sreedhar Jan 05 '21 at 18:51
- OpenLDAP never does this. OpenLDAP => Cyrus SASL => MIT Kerberos => KDC. You cannot really do this on your own. – Michael-O Jan 05 '21 at 19:52
- Sorry, missed this for a month. Was in a different activity. But before this you sent a program to do a SASL interactive bind from openldap after kinit gets a Kerberos ticket. How does that authenticate if it does not send the TGS and AP_REQ? – sreedhar Feb 07 '21 at 10:36
- I never said that it does not. – Michael-O Feb 07 '21 at 21:48
- Ok, so I get it like the code for ldap sasl interactive bind sends TGS and AP_REQ without interacting with the Cyrus SASL library. Is that right? – sreedhar Feb 08 '21 at 06:09
- No, nonsense. libldap -- at no point -- interacts with a KDC. Neither does Cyrus SASL. Only MIT Kerberos does. – Michael-O Feb 08 '21 at 11:37
- Ok. So currently I have kinit creating a Kerberos TGT ticket and caching it. Now to authenticate, there must be TGS req/resp and AP_REQ/AP_RESP. My understanding is that before I do ldap_sasl_interactive bind, I must send a TGS req to the KDC and fetch the response. Is there an API in the Kerberos lib that does this? – sreedhar Feb 08 '21 at 12:50
- Hi Michael, I am just curious to know how ldap_sasl_interactive_bind authenticates to the LDAP server once kinit creates the Kerberos ticket, as I see it is the Kerberos implementation that sends both TGS REQ and AP REQ. The messages are documented in RFC 4556. We have an embedded target and we still face some issues in the compilation environment in resolving paths of the lutil.so which has ldap_sasl_interactive_bind(). While we resolve this issue, I am just trying to theoretically sort this out. – sreedhar Feb 19 '21 at 18:06