FreeDSx/LDAP

SASL Support

Closed this issue · 12 comments

Currently only a simple bind or an anonymous bind is supported. However, at least some SASL authentication methods should be supported. SASL binds are described in RFC 4513 5.2:

https://tools.ietf.org/html/rfc4513#section-5.2

And SASL itself is defined in RFC 4422:

https://tools.ietf.org/html/rfc4422

A brief search showed only 1 library implementing various SASL mechanisms, but it does not appear to be actively developed or maintained. It would probably make sense to have a separate FreeDSx/SASL library, then suggest or require that here for SASL support.


To summarize, need to:

  • Move ASN.1 to its own library.
    • Implement a DER encoder in the ASN.1 library.
  • Move the socket abstraction to its own library.
    • Complete any socket improvements related to UDP (needed for certain SASL mechanisms).
  • Create a freedsx/sasl library.
    • Add a DIGEST-MD5 SASL mechanism.
    • Add a CRAM-MD5 SASL mechanism.
    • Add an anonymous SASL mechanism.
    • Add a kerberos (v5) SASL mechanism.
  • Require / add support for the freedsx/sasl library in this library.

For reference, the GSS-API RFC for the negotiation / encoding (DER) / protocol for that SASL mechanism:

https://tools.ietf.org/html/rfc4178

That is the Kerberos SASL mechanism used for SSO in a Windows environment (i.e. use the current user's context for requests). Unsure of all the specifics for how the required information (i.e. Kerberos tickets) can be obtained for this to work in the context of PHP. There seem to be Windows APIs from which this information can be retrieved, though that would require an extension of sorts (there appear to be some krb5 extensions). Needs more investigation.

Some of the leg work needed for the above has been completed:

  • Moved ASN.1 to its own library.
  • Implemented a DER encoder.

Need to start on the actual SASL implementations and how it interacts in this library.

Lots of moving parts in this one. Added a breakdown of tasks. The Kerberos SASL mechanism will require lots of additional effort, as I will need a separate freedsx/kerberos library implementing Kerberos v5 client functionality (do not want to rely on an extension). However, I can continue to add SASL and add Kerberos functionality at a later time.

I have started to pick this up again. Started work on a SASL library with auth / integrity / confidentiality support. Implementing MD5 first, then others. Have the auth functionality going; working on integrity / confidentiality. Once I have a good base for adding in additional mechanisms and one fully implemented, I plan to make it available.

Refactoring the ClientProtocolHandler is needed for me to implement SASL properly. Mostly have that knocked out. Just tagging that issue (#5) here. Would be nice to separate that from this work.

Hi @ChadSikorra ,
is SASL available already?
I just try to use it like in the doc https://github.com/FreeDSx/LDAP/blob/master/docs/Server/General-Usage.md#starttls-ssl-certificate-support but have an error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Apologies for the delay in this feature. With the recent refactoring out of the way, I just need to find the time to finish up the start of support for SASL. I will make a best effort to get this done sooner rather than later. However, my leisure coding time has shifted lately due to a somewhat recent job change.

Thank you, ChadSikorra! I hope you will succeed!
In the meantime, it would be nice to indicate in the documentation that SASL is "in development", so as not to mislead developers.

Hello @azovsky. The spot in the doc you linked is regarding StartTLS, which this library fully supports. That is just encryption of the TCP stream LDAP operates over. SASL is just another authentication / security layer, but is completely independent of the StartTLS functionality.

I see. Thank you!
I tried to use StartTLS as it is described in the doc, but unsuccessfully. Maybe my certificate was not very good...

SSL certificate validation on the client side is a little picky usually (need to specify the CA cert that signed the server cert in your LDAP client options). But I have used it myself (both from a client and server perspective with this library).

Anyway, making good progress on actual SASL support. I have the separate SASL library up (https://github.com/FreeDSx/SASL), and have CRAM-MD5 and DIGEST-MD5 implemented. Need to tweak a few things. Already have a working SASL bind implementation in the LdapClient. Just a few more things left to do before I actually push that code into here.

SASL support is now complete. I did not implement support yet for GSSAPI; that will need to be done separately, in addition to SCRAM and other mechanisms.