[Date Prev][Date Next] [Chronological] [Thread] [Top]

Windows SSPI, NTLMSSP and OpenLDAP with SASL/GSSAPI

To: openldap-technical@openldap.org
Subject: Windows SSPI, NTLMSSP and OpenLDAP with SASL/GSSAPI
From: Diego Morales <morales@propus.com.br>
Date: Sun, 12 Aug 2012 19:37:30 -0400

Hello,

I have a proprietary windows application trying to bind on my OpenLDAP
server using GSSAPI with NTLMSSP mechanism, instead of Kerberos. Is it
possible to support this on a (unix) OpenLDAP server?

Another option would be to make the software use GSSAPI + Kerberos
instead. Let me further explain:

I have a working samba + openldap setup with many windows
workstations. The said proprietary app has LDAP auth support, and
according to its maker it works with Active Directory and Novell NDS.
It does not support simple bind, nor LDAPS, (and probably not StartTLS
either). We don't have access to the app's source code and help from
its developers/tech-support is pretty unavailable.

Checking slapd's debug, we saw the app trying to use SASL+GSSAPI to
bind. So we went on and configured a minimal Kerberos setup and
SASL+GSSAPI support for OpenLDAP on a test ldap server. It seems to be
working perfectly. We acquire a ticket and run ldapsearch from another
machine using -Y GSSAPI bind and it works. Logs from slapd debug seem
ok.

But that evil app still fails. Here's a piece from slapd debug log:

conn=1000 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8813 end=0x7f73f6af8856 len=67
  0000:  60 84 00 00 00 3d 02 01  03 04 00 a3 84 00 00 00   `....=..........
  0010:  32 04 06 47 53 53 41 50  49 04 28 4e 54 4c 4d 53   2..GSSAPI.(NTLMS
  0020:  53 50 00 01 00 00 00 97  82 08 e2 00 00 00 00 00   SP..............
  0030:  00 00 00 00 00 00 00 00  00 00 00 06 01 b1 1d 00   ................
  0040:  00 00 0f                                           ...
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af881e end=0x7f73f6af8856 len=56
  0000:  00 84 00 00 00 32 04 06  47 53 53 41 50 49 04 28   .....2..GSSAPI.(
  0010:  4e 54 4c 4d 53 53 50 00  01 00 00 00 97 82 08 e2   NTLMSSP.........
  0020:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
  0030:  06 01 b1 1d 00 00 00 0f                            ........
ber_scanf fmt (m) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af882c end=0x7f73f6af8856 len=42
  0000:  00 28 4e 54 4c 4d 53 53  50 00 01 00 00 00 97 82   .(NTLMSSP.......
  0010:  08 e2 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
  0020:  00 00 06 01 b1 1d 00 00  00 0f                     ..........
ber_scanf fmt (}}) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8856 end=0x7f73f6af8856 len=0

>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=GSSAPI datalen=40
SASL [conn=1000] Failure: GSSAPI Error: An unsupported mechanism was
requested (Unknown error)
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication
failure: GSSAPI Failure: gss_accept_sec_context"
send_ldap_response: msgid=11 tag=97 err=49
ber_flush2: 87 bytes to sd 13
  0000:  30 55 02 01 0b 61 50 0a  01 31 04 00 04 49 53 41   0U...aP..1...ISA
  0010:  53 4c 28 2d 31 33 29 3a  20 61 75 74 68 65 6e 74   SL(-13): authent
  0020:  69 63 61 74 69 6f 6e 20  66 61 69 6c 75 72 65 3a   ication failure:
  0030:  20 47 53 53 41 50 49 20  46 61 69 6c 75 72 65 3a    GSSAPI Failure:
  0040:  20 67 73 73 5f 61 63 63  65 70 74 5f 73 65 63 5f    gss_accept_sec_
  0050:  63 6f 6e 74 65 78 74                               context
ldap_write: want=87, written=87
  0000:  30 55 02 01 0b 61 50 0a  01 31 04 00 04 49 53 41   0U...aP..1...ISA
  0010:  53 4c 28 2d 31 33 29 3a  20 61 75 74 68 65 6e 74   SL(-13): authent
  0020:  69 63 61 74 69 6f 6e 20  66 61 69 6c 75 72 65 3a   ication failure:
  0030:  20 47 53 53 41 50 49 20  46 61 69 6c 75 72 65 3a    GSSAPI Failure:
  0040:  20 67 73 73 5f 61 63 63  65 70 74 5f 73 65 63 5f    gss_accept_sec_
  0050:  63 6f 6e 74 65 78 74                               context
conn=1000 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication
failure: GSSAPI Failure: gss_accept_sec_context

(btw, this is slapd 2.4.21, from a 10.04 ubuntu package)

I believe the application uses Windows SSPI, and I known SSPI supports
several GSSAPI mechanisms, including NTLMSSP and Kerberos. I'm afraid
Windows is auto selecting NTLMSSP cause its running on a pre-windows
2000 domain (non AD, in this case, Samba). Hoping to make windows use
Kerberos instead, I've also tried publishing some SRV records on DNS.
I have sniffed DNS queries from the workstation while the app tries to
login, caught only one _ldap._tcp SRV request, registered that ... and
nothing has changed.

I don't know how could I force the app to use GSSAPI + kerberos
without touching its source code. And I can't find  much about a unix
NTLM(SSP)-as-a-mechanism-of-GSSAPI implementation. Maybe there's
something inside samba4 or in Likewise software, but I haven't found
it yet.

So ... does somebody have any advice or info?

Thanks in advance,


Diego Morales
+55 (51) 3024-3568
Propus Informática LTDA.
http://www.propus.com.br

Follow-Ups:
- Re: Windows SSPI, NTLMSSP and OpenLDAP with SASL/GSSAPI
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: got into a "checksum error" situation
Next by Date: Re: Windows SSPI, NTLMSSP and OpenLDAP with SASL/GSSAPI
Index(es):
- Chronological
- Thread