
Implementing mutual authentication with LDAP API and SSPI

<p>I would like to ask you a question about implementing mutual authentication with Kerberos, using SSPI and LDAP API.</p>
<p>I am using the guidelines described in: <a href="https://stackoverflow.com/questions/3144910/ldap-sasl-bind-sgssapi-what-should-be-provided-in-the-credentials-berval-stru">ldap_sasl_bind_s(GSSAPI) - What should be provided in the credentials BERVAL structure</a>.</p>
<p>Here is the algorithm I am using:</p>
<pre><code>// Requires SECURITY_WIN32 to be defined before including security.h (SSPI),
// plus winldap.h (wldap32). Variables not declared here (secIdent, kClientCredential,
// kClientContext, kClientToken, pkServerToken, pacTargetName, ld, ...) are set up earlier.

//--------------------------------------------------------------------------------------------
// client side
AcquireCredentialsHandle(NULL, "Kerberos", SECPKG_CRED_BOTH, NULL, &secIdent,
                         NULL, NULL, &kClientCredential, &kClientTimeOut);
// AcquireCredentialsHandle returns SEC_E_OK

// begin validation
unsigned long ulClientFlags = ISC_REQ_CONNECTION | ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE;
// first round: no existing context and no server token yet
int iCliStatus = InitializeSecurityContext(&kClientCredential,
                                           isContextNull(kClientContext) ? NULL : &kClientContext,
                                           pacTargetName, ulClientFlags, 0, SECURITY_NATIVE_DREP,
                                           pkServerToken, 0, &kClientContext, &kClientToken,
                                           &ulContextAttr, NULL);
// InitializeSecurityContext returns SEC_I_CONTINUE_NEEDED

//--------------------------------------------------------------------------------------------
// server side
// ldap_init returns ok
ldap_set_option(ld, LDAP_OPT_SIGN, LDAP_OPT_OFF);
ldap_set_option(ld, LDAP_OPT_ENCRYPT, LDAP_OPT_OFF);
unsigned long ulVersion = LDAP_VERSION3;
ldap_set_option(ld, LDAP_OPT_VERSION, &ulVersion);
// ldap_connect returns LDAP_SUCCESS

// build the credentials based on what InitializeSecurityContext returned
// (the output token is the first buffer of kClientToken)
BERVAL creds;
creds.bv_len = kClientToken.pBuffers[0].cbBuffer;
creds.bv_val = reinterpret_cast<char*>(kClientToken.pBuffers[0].pvBuffer);
BERVAL* pServerCreds = NULL;
int iError = ldap_sasl_bind_s(ld, "", "GSSAPI", &creds, NULL, NULL, &pServerCreds);
// ldap_sasl_bind_s returns LDAP_SUCCESS
unsigned long ulError = 0;
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ulError);
// ulError is equal to LDAP_SASL_BIND_IN_PROGRESS
</code></pre>
<p>And here is the problem: both LDAP error codes are ok, but pServerCreds points to an empty BERVAL structure (not NULL, but bv_len equal to 0), and it should contain the server credential I have to pass to the next InitializeSecurityContext call. If I use that data to build the SecBufferDesc structure for the following call, it returns SEC_E_INVALID_TOKEN.</p>
<p>Is ldap_sasl_bind_s supposed to return an empty BERVAL or am I doing something wrong?</p>
<p>I have tested the authentication using full SSPI calls (AcceptSecurityContext for the server) and it works just as expected. The problem is that I need the server to be cross-platform, so I cannot use SSPI.</p>
<p>Thanks for taking the time to answer! Juan</p>
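Added example (not from the question and not wldap32 or SSPI code): the SASL GSSAPI exchange does not end when the Kerberos context is established; RFC 4752 adds one more round in which the server sends a wrapped 4-octet token (security-layer bitmask plus 24-bit maximum message size) and the client answers with its chosen layer, its own maximum receive size and an optional authorization identity. This shows the parsing and building of those two tokens; the unwrap/wrap (DecryptMessage/EncryptMessage on SSPI) and the transport through further ldap_sasl_bind_s rounds are assumed to happen around it. With LDAP_OPT_SIGN and LDAP_OPT_ENCRYPT off as in the question, the client selects the no-security-layer bit, which leaves the post-bind LDAP traffic without integrity or confidentiality protection.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// RFC 4752 security-layer bits, carried in the first octet of both tokens.
enum : uint8_t { SASL_GSSAPI_LAYER_NONE = 0x01, SASL_GSSAPI_LAYER_INTEGRITY = 0x02, SASL_GSSAPI_LAYER_CONF = 0x04 };

struct SaslGssapiOffer {
    uint8_t  layers;      // bitmask of layers the server supports
    uint32_t maxMsgSize;  // largest message the server accepts (24-bit; 0 when only NONE is offered)
};

// Parse the server's 4-octet token after it has been unwrapped (DecryptMessage on SSPI).
// Returns false when the token is not exactly 4 octets or offers no layer at all.
bool parseServerLayerToken(const uint8_t* tok, size_t len, SaslGssapiOffer& out) {
    if (tok == nullptr || len != 4) return false;
    uint8_t layers = static_cast<uint8_t>(tok[0] & 0x07);
    if (layers == 0) return false;
    out.layers = layers;
    out.maxMsgSize = (static_cast<uint32_t>(tok[1]) << 16) | (static_cast<uint32_t>(tok[2]) << 8) |
                      static_cast<uint32_t>(tok[3]);
    return true;
}

// Pick the strongest layer both sides accept; 0 means no common layer (the bind must be aborted).
uint8_t chooseLayer(uint8_t offered, uint8_t acceptable) {
    const uint8_t order[] = {SASL_GSSAPI_LAYER_CONF, SASL_GSSAPI_LAYER_INTEGRITY, SASL_GSSAPI_LAYER_NONE};
    for (uint8_t l : order)
        if ((offered & l) && (acceptable & l)) return l;
    return 0;
}

// Build the client's reply: chosen layer, 24-bit max receive size (must be 0 when no
// layer is used), then the optional authorization identity. The caller wraps the result
// (EncryptMessage on SSPI) before handing it to the next ldap_sasl_bind_s round.
std::vector<uint8_t> buildClientLayerToken(uint8_t layer, uint32_t maxRecv, const std::string& authzid) {
    if (layer == SASL_GSSAPI_LAYER_NONE) maxRecv = 0;
    maxRecv &= 0xFFFFFF;  // the size field is only three octets wide
    std::vector<uint8_t> t;
    t.push_back(layer);
    t.push_back(static_cast<uint8_t>(maxRecv >> 16));
    t.push_back(static_cast<uint8_t>(maxRecv >> 8));
    t.push_back(static_cast<uint8_t>(maxRecv));
    t.insert(t.end(), authzid.begin(), authzid.end());
    return t;
}
```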