
I would like to use ldapsearch for an authentication test to a remote Windows server from a Linux instance (Amazon Linux OS). Kerberos bind is working via GSS-API, installed from the package cyrus-sasl-gssapi. Is there an equivalent package that can be used for GSS-SPNEGO? I would like the ability to fall back to NTLM authentication in case Kerberos is not working.

The server supports both GSSAPI and GSS-SPNEGO but from the client side it appears that GSS-SPNEGO is not available. Output from ldapsearch is shown below:

ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y GSS-SPNEGO
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found

Using cyrus-sasl-ntlm did not work because it appears the server does not support this:

ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y NTLM
SASL/NTLM authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
    additional info: 00002027: LdapErr: DSID-0C0905ED, comment: Invalid Authentication method, data 0, v2580

Is it possible to use SPNEGO bind with ldapsearch? Or is there another way to authenticate over NTLM?

Grant
  • I would really recommend _not_ falling back to NTLM authentication, not automatically and especially not over a plaintext LDAP connection. If you're in a situation where Kerberos can't be made to work, then use 'simple bind' (plain password) with `-x`, either over LDAPS or with StartTLS. – user1686 Apr 09 '21 at 11:26
  • Does your distribution install the Cyrus SASL `pluginviewer` tool (might be named `saslpluginviewer2` or something like that)? When you run it with the `-c` option, does it list both mechanisms for the 'gssapiv2' plugin or only one? (Which version of libsasl is it, anyway?) – user1686 Apr 09 '21 at 11:27

1 Answer


@Grant,

You need to change the -Y option to "-Y GSSAPI"

For example: ldapsearch -H ldap://example.com -b 'DC=example,DC=com' -Y GSSAPI

smh
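Putting the answer and the comments together, as an added example that is not from the original thread: the script checks which SASL mechanisms the local libsasl offers (the pluginviewer -c check from the comment) and which the server advertises in its rootDSE, binds with GSSAPI or GSS-SPNEGO when both sides have it, and otherwise falls back to a simple bind with StartTLS enforced rather than to NTLM. It assumes OpenLDAP's ldapsearch and Cyrus SASL's pluginviewer are installed; the function names and the sample tool outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes OpenLDAP ldapsearch and
# Cyrus SASL's pluginviewer (name varies, e.g. saslpluginviewer2) are installed.
# Client-side mechanisms, parsed from 'pluginviewer -c' output on stdin.
client_mechs() {
    sed -n 's/^[[:space:]]*SASL mechanism: \([A-Z0-9-]*\),.*/\1/p' | LC_ALL=C sort -u
}

# Server-side mechanisms, parsed from the rootDSE on stdin, i.e. the output of
#   ldapsearch -x -LLL -H "ldap://$HOST" -b "" -s base supportedSASLMechanisms
server_mechs() {
    sed -n 's/^supportedSASLMechanisms: //p' | LC_ALL=C sort -u
}

# has NAME "LIST": true if NAME is one of the space-separated words in LIST.
has() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# choose_bind "CLIENT_MECHS" "SERVER_MECHS": print the ldapsearch flags to use.
# Kerberos through SASL (GSSAPI, or GSS-SPNEGO when this libsasl was built with
# it) wins when both sides offer it; otherwise a simple bind with -ZZ, which
# forces StartTLS and aborts if TLS fails, so the password never goes in clear.
# NTLM is deliberately never selected.
choose_bind() {
    for m in GSSAPI GSS-SPNEGO; do
        if has "$m" "$1" && has "$m" "$2"; then echo "-Y $m"; return 0; fi
    done
    echo "-x -ZZ"
}

# ldap_bind_with_fallback HOST BIND_DN: query both sides, then bind once.
ldap_bind_with_fallback() {
    cm=$(pluginviewer -c 2>/dev/null | client_mechs | tr '\n' ' ')
    sm=$(ldapsearch -x -LLL -H "ldap://$1" -b "" -s base supportedSASLMechanisms |
         server_mechs | tr '\n' ' ')
    flags=$(choose_bind "$cm" "$sm")   # left unquoted below: word splitting wanted
    case $flags in
        -x*) ldapsearch -H "ldap://$1" -b "" -s base $flags -D "$2" -W ;;
        *)   ldapsearch -H "ldap://$1" -b "" -s base $flags ;;
    esac
}

# Constructed sample outputs in the shape of the real tools' output.
SAMPLE_PLUGINVIEWER='Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
Plugin "gs2" [loaded],  API version: 4
        SASL mechanism: GS2-KRB5, best SSF: 56, supports setpass: no'
SAMPLE_ROOTDSE='supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL'
```

With the constructed samples, the client lists only GSSAPI from the gssapiv2 plugin (the situation in the question), so the chosen bind is `-Y GSSAPI`; a client whose plugin also reports GSS-SPNEGO would get that, and a client with neither gets `-x -ZZ`.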