Discussion:
Trouble with ldap + sasl + gssapi + kerberos against Active Directory Server
Hadmut Danisch
2014-06-30 15:23:35 UTC
Hi,

I am just trying to use ldap with kerberos to connect to a Microsoft Active
Directory Server. Works pretty well with command line tools (ldapsearch),
but with ruby I always run into the error message

Error gss_init_sec_context did not return GSS_S_COMPLETE


Unfortunately, I could not find a precise documentation of what exact
behaviour NET::LDAP.new expects from the challenge_response function. By
the way, there are two gems available, net-ldap-0.6.1 and net-ldap2-0.5.0,
but they differ only in some specs and docs. Why are there two versions, and
which one should I use?


What I am trying to do is

require 'gssapi'
require 'net/ldap'

adserver = 'ADSERVER_HOSTNAME'   # placeholder: host name of the Active Directory server

# Build a GSSAPI client context for the ldap/<host> service principal and
# produce the initial token (the Kerberos AP-REQ) for the first bind request.
cli = GSSAPI::Simple.new(adserver, 'ldap')

token = cli.init_context.force_encoding('binary')

puts "OUT #{token.size}"

ldap = Net::LDAP.new :host => adserver,
                     :auth => {
                       :method             => :sasl,
                       :mechanism          => 'GSSAPI',
                       :initial_credential => token,
                       # Called by net-ldap with each server token while the
                       # bind is still saslBindInProgress; the return value is
                       # sent as the credential of the next bind request.
                       :challenge_response => lambda do |inp|
                         puts "INP #{inp.size}"
                         case out = cli.init_context(inp)
                         when true   then puts "OUT #{out}"; out
                         when String then puts "OUT #{out.size}"; out.force_encoding('binary')
                         else warn "init context class #{out.class}"
                         end
                       end
                     }

puts "Starting Query"

ldap.search(:base => "") do |entry|
  puts entry
end



(where adserver is the name of the Active Directory Server), which almost
seems to work, at least it goes through some steps of the kerberos protocol
and prints

OUT 1426
Starting Query
INP 156
OUT true
INP 32
Error gss_init_sec_context did not return GSS_S_COMPLETE
GSSAPI::GssApiError



So the local gssapi object seems to find a success (since it replies with
true instead of a string), but NET::LDAP tries to proceed with sasl. I am
not sure why the gssapi part returns true, but later on complains about not
getting GSS_S_COMPLETE.





I tried to compare this with a successful ldapsearch and found that
ldapsearch does a

-> bindRequest(1) sasl
<- saslBindInProgress
-> bindRequest(2) sasl
<- saslBindInProgress
-> bindRequest(3) sasl
<- bindResponse(3) success
-> SASL GSS-API Privacy; payload


while the ruby version aborts after the fourth step. I also found that both
tell the server that they wish to use GSSAPI Mechanisms in the third step,
but the ruby version has three 01 bytes after GSSAPI, while the ldapsearch
chat doesn't. Wireshark complains that these three 01 bytes make the packet
invalid. Maybe that's an encoding problem of net-ldap.


Unfortunately, both debugging and documentation for both gssapi and ruby
net-ldap are poor for this kind of use. I am not yet sure whether I have a
problem with the gssapi or the net-ldap part.


Has anyone working code to authenticate with kerberos against an AD server?

regards
Hadmut
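An added example, not part of Hadmut's post and not the net-ldap or gssapi projects' own code. It shows the state machine a SASL GSSAPI challenge_response handler has to follow per RFC 4752: server tokens go to init_context only until the context is established; the bind credential sent at that point is an empty string (the BER encoding of the Ruby value `true` is the three bytes 01 01 01, which is what the trace above shows after "GSSAPI"); and the next server token is not a context token but a wrapped 4-byte security-layer offer that has to be unwrapped, answered and wrapped again. Assumptions: the gssapi gem's GSSAPI::Simple exposes wrap_message and unwrap_message (the handler only requires an object with those methods plus init_context), and FakeGssContext is a constructed stand-in with no Kerberos and no cryptography so the exchange runs offline.

```ruby
# Security-layer bits from RFC 4752 (first byte of the 4-byte token).
SEC_LAYER_NONE      = 0x01
SEC_LAYER_INTEGRITY = 0x02
SEC_LAYER_PRIVACY   = 0x04

# The unwrapped server token is 4 bytes: a bitmask of offered layers followed
# by a 24-bit big-endian maximum message size.
def parse_security_layer_offer(bytes)
  raise ArgumentError, "expected 4 bytes, got #{bytes.bytesize}" unless bytes.bytesize == 4
  layers, hi, mid, lo = bytes.unpack('C4')
  { layers: layers, max_size: (hi << 16) | (mid << 8) | lo }
end

# Prefer the strongest layer the server offers (the ldapsearch trace ended
# with "SASL GSS-API Privacy"); fail loudly if nothing usable is offered.
def choose_security_layer(offered_mask)
  layer = [SEC_LAYER_PRIVACY, SEC_LAYER_INTEGRITY, SEC_LAYER_NONE].find { |l| offered_mask & l != 0 }
  raise "server offered no usable security layer (mask=#{offered_mask})" unless layer
  layer
end

# The client reply uses the same 4-byte layout: chosen layer + our max size.
def build_security_layer_reply(layer, max_size)
  [layer, (max_size >> 16) & 0xff, (max_size >> 8) & 0xff, max_size & 0xff].pack('C4')
end

class GssapiSaslClient
  attr_reader :phase, :chosen_layer, :server_max_size

  # ctx: any object with init_context(token = nil), wrap_message(str) and
  # unwrap_message(str). With the gssapi gem that would be GSSAPI::Simple
  # (assumption: those are the gem's method names).
  def initialize(ctx, max_size: 0x00FFFF)
    @ctx = ctx
    @max_size = max_size
    @phase = :establishing
  end

  # Token for bindRequest(1): the initial context token (AP-REQ with Kerberos).
  def initial_token
    @ctx.init_context.force_encoding('binary')
  end

  # Usable as net-ldap's :challenge_response lambda. Always returns a String,
  # never true, because the credential is BER-encoded as an OCTET STRING.
  def challenge_response(server_token)
    case @phase
    when :establishing
      out = @ctx.init_context(server_token)
      if out == true
        # Context established, nothing more to send: reply with an empty
        # credential so the server proceeds to the security-layer round.
        @phase = :negotiate_layer
        ''.b
      else
        out.force_encoding('binary')
      end
    when :negotiate_layer
      offer = parse_security_layer_offer(@ctx.unwrap_message(server_token))
      @chosen_layer = choose_security_layer(offer[:layers])
      @server_max_size = offer[:max_size]
      @phase = :done
      @ctx.wrap_message(build_security_layer_reply(@chosen_layer, @max_size)).force_encoding('binary')
    else
      raise 'unexpected SASL challenge after negotiation finished'
    end
  end
end

# Constructed stand-in for a GSS context: no Kerberos, no crypto. The first
# init_context call emits a fake initial token, the second completes the
# context; wrap/unwrap only add and strip a marker.
class FakeGssContext
  WRAP_MARKER = 'WRAP:'.b

  def initialize
    @calls = 0
  end

  def init_context(_token = nil)
    @calls += 1
    @calls == 1 ? 'AP-REQ'.b : true
  end

  def wrap_message(msg)
    WRAP_MARKER + msg.b
  end

  def unwrap_message(msg)
    raise 'not a wrapped token' unless msg.b.start_with?(WRAP_MARKER)
    msg.b[WRAP_MARKER.bytesize..-1]
  end
end

# Drive one full exchange against a constructed server that offers all three
# layers with a 64 KiB max size, and return what the client negotiated.
def demo_exchange
  ctx = FakeGssContext.new
  client = GssapiSaslClient.new(ctx)
  tok1 = client.initial_token                     # bindRequest(1)
  tok2 = client.challenge_response('AP-REP'.b)    # bindRequest(2): empty credential
  offer = ctx.wrap_message(build_security_layer_reply(0x07, 0x00FFFF))  # server's 3rd token
  tok3 = client.challenge_response(offer)         # bindRequest(3): wrapped reply
  reply = parse_security_layer_offer(ctx.unwrap_message(tok3))
  { first: tok1, second: tok2, chosen_layer: reply[:layers],
    client_max: reply[:max_size], phase: client.phase }
end

puts demo_exchange.inspect if $PROGRAM_NAME == __FILE__
```

With the real gem you would pass `GSSAPI::Simple.new(adserver, 'ldap')` as ctx, use `client.initial_token` for :initial_credential and `client.method(:challenge_response)` (or a lambda calling it) for :challenge_response; the handler's phase tracking is what keeps the 32-byte wrapped token out of init_context.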