GSSAPI authentication?
troelsarvin opened this issue · 7 comments
I cannot make pg-ldap-sync connect to ldap via Kerberos. The error I get is this:
```
[me@me ~]$ ~/bin/pg_ldap_sync --config /var/tmp/sample-config2.yaml
/home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/auth_adapter.rb:15:in `[]': Unsupported auth method (gssapi) (Net::LDAP::AuthMethodUnsupportedError)
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:278:in `block in bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:276:in `bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1309:in `use_connection'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:783:in `block in search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:782:in `search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1215:in `search_root_dse'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1281:in `paged_searches_supported?'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:775:in `search'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:58:in `search_ldap_users'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:366:in `start!'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:416:in `run'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/exe/pg_ldap_sync:6:in `<top (required)>'
	from /home/me/bin/pg_ldap_sync:25:in `load'
	from /home/me/bin/pg_ldap_sync:25:in `<main>'
```
I've tried installing the net-ldap-auth_adapter-gssapi gem, but that does not help.
Here's the "ldap_connection" part of my config:
```yaml
ldap_connection:
  host: my.adserver.local
  port: 389
  auth:
    method: :gssapi
```
Am I doing something wrong, or can GSSAPI/Kerberos not be used with pg-ldap-sync?
I added GSSAPI support, but you can use it already with pg-ldap-sync-0.4.0 when you call pg_ldap_sync like so:
```sh
gem inst net-ldap-auth_adapter-gssapi
ruby -r net/ldap/auth_adapter/gssapi -S pg_ldap_sync <options>
```
Unfortunately, it still does not work for me:
```
[me@me tmp]$ gem install net-ldap-auth_adapter-gssapi
Fetching net-ldap-auth_adapter-gssapi-0.2.0.gem
Successfully installed net-ldap-auth_adapter-gssapi-0.2.0
Parsing documentation for net-ldap-auth_adapter-gssapi-0.2.0
Installing ri documentation for net-ldap-auth_adapter-gssapi-0.2.0
Done installing documentation for net-ldap-auth_adapter-gssapi after 0 seconds
1 gem installed
[me@me tmp]$ ruby -r net/ldap/auth_adapter/gss_spnego -S ~/bin/pg_ldap_sync --config /var/tmp/pg-ldap-sync-cfg1.yaml --test
/home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/auth_adapter.rb:15:in `[]': Unsupported auth method (gssapi) (Net::LDAP::AuthMethodUnsupportedError)
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:278:in `block in bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:276:in `bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1309:in `use_connection'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:783:in `block in search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:782:in `search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1215:in `search_root_dse'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1281:in `paged_searches_supported?'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:775:in `search'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:58:in `search_ldap_users'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:366:in `start!'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:416:in `run'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/exe/pg_ldap_sync:6:in `<top (required)>'
	from /home/me/bin/pg_ldap_sync:25:in `load'
	from /home/me/bin/pg_ldap_sync:25:in `<main>'
```
Oh sorry, I required the wrong file. Now I updated the command above.
Thanks, now the error message has changed:
```
[me@me tmp]$ ruby -r net/ldap/auth_adapter/gssapi -S ~/bin/pg_ldap_sync --config /var/tmp/pg-ldap-sync-cfg1.yaml --test
/home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/auth_adapter/sasl.rb:48:in `block in bind': no bind result (Net::LDAP::NoBindResultError)
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/auth_adapter/sasl.rb:38:in `loop'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/auth_adapter/sasl.rb:38:in `bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-auth_adapter-gssapi-0.2.0/lib/net/ldap/auth_adapter/gssapi.rb:48:in `bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:279:in `block in bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:276:in `bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1309:in `use_connection'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:783:in `block in search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:782:in `search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1215:in `search_root_dse'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1281:in `paged_searches_supported?'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:775:in `search'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:58:in `search_ldap_users'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:366:in `start!'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:416:in `run'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/exe/pg_ldap_sync:6:in `<top (required)>'
	from /home/me/bin/pg_ldap_sync:25:in `load'
	from /home/me/bin/pg_ldap_sync:25:in `<main>'
```
My configuration file starts like this:
```yaml
ldap_connection:
  host: dc.mydomain
  port: 389
  auth:
    method: :gssapi
    dc.mydomain
```
I've chosen that because ldapsearch works well for me with an /etc/openldap/ldap.conf that has a line like this:
```
URI ldap://dc.mydomain
```
The last config line should start with `hostname:`, like so:
```yaml
ldap_connection:
  host: dc.mydomain
  port: 389
  auth:
    method: :gssapi
    hostname: dc.mydomain
```
Make sure your `klist` output shows a krbtgt, like so:
```
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_2087191931
Standard-Principal: larskanis@COMPANY.DE

Valid starting       Expires              Service principal
04.02.2023 12:37:33  04.02.2023 22:37:33  krbtgt/COMPANY.DE@COMPANY.DE
	erneuern bis 05.02.2023 12:37:27
04.02.2023 12:37:37  04.02.2023 22:37:33  ldap/mydc6.company.de@COMPANY.DE
	erneuern bis 05.02.2023 12:37:27
```
Then GSSAPI should work.
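Pre-flight checks for the two points made above (the `hostname:` key under `auth` and a krbtgt in `klist`), as an added example in Ruby that is not part of pg-ldap-sync or net-ldap. The config and klist samples are constructed; ticket lines are recognised by their leading date, which works for both the German dd.mm.yyyy and the English mm/dd/yyyy klist layouts.

```ruby
require "yaml"

# Constructed config reproducing the mistake corrected above: method :gssapi
# but no "hostname:" key under auth.
CONFIG_MISSING_HOSTNAME = <<~YAML
  ldap_connection:
    host: dc.mydomain
    port: 389
    auth:
      method: :gssapi
YAML

# Constructed klist dump with the same field layout as the German one above.
KLIST_WITH_TGT = <<~TXT
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: alice@COMPANY.DE
  Valid starting       Expires              Service principal
  04.02.2023 12:37:33  04.02.2023 22:37:33  krbtgt/COMPANY.DE@COMPANY.DE
      renew until 05.02.2023 12:37:27
TXT

# Returns a list of problems with the ldap_connection section; [] means usable.
# Only the :gssapi method is checked, as in the thread.
def check_gssapi_config(yaml_text)
  cfg  = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  auth = cfg.dig("ldap_connection", "auth") || {}
  return [] unless [:gssapi, "gssapi"].include?(auth["method"])

  problems = []
  hostname = auth["hostname"]
  if hostname.nil? || hostname.to_s.strip.empty?
    problems << "auth.method is :gssapi but auth.hostname is missing " \
                "(needed to build the ldap/<hostname> service principal)"
  end
  problems
end

# Service principals listed by klist: ticket lines start with a date
# (dd.mm.yyyy or mm/dd/yyyy); header and "renew until" lines do not.
def klist_service_principals(klist_text)
  klist_text.each_line.grep(%r{\A\d{2}[./]\d{2}[./]\d{4}}).map { |l| l.split.last }
end

# Returns problems with the ticket cache; [] means a TGT is present.
def check_klist(klist_text)
  tgt = klist_service_principals(klist_text).any? { |p| p.start_with?("krbtgt/") }
  tgt ? [] : ["no krbtgt ticket in klist output; run kinit before pg_ldap_sync"]
end
```

Run `check_gssapi_config(File.read(path))` and `check_klist(`klist`)` before calling `pg_ldap_sync`; both return an empty array when the setup matches what the maintainer describes.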
Sorry, there was an error in my previous comment; the "dc.mydomain" line is really "hostname: dc.mydomain" in my setup. And I do have the two valid tickets like in your example. Still, I get the error message which I pasted :-(
For me it looks like the server doesn't support Kerberos. What type of server is it?
You can do debugging by inserting some outputs like so into the file /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/auth_adapter/sasl.rb:
diff --git a/lib/net/ldap/auth_adapter/sasl.rb b/lib/net/ldap/auth_adapter/sasl.rb
index 4489bda..85df107 100644
--- a/lib/net/ldap/auth_adapter/sasl.rb
+++ b/lib/net/ldap/auth_adapter/sasl.rb
@@ -40,9 +40,11 @@ module Net
request = [
Net::LDAP::Connection::LdapVersion.to_ber, "".to_ber, sasl
].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+p req: request
@connection.send(:write, request, nil, message_id)
pdu = @connection.queued_read(message_id)
+p res: pdu
if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
raise Net::LDAP::NoBindResultError, "no bind result"
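Review bot: `+p req: request` dumps the complete BindRequest, which carries the GSSAPI token for this session, so keep this as a local one-off and redact that line before pasting the output into the issue. For the `no bind result` case it is more useful to print `pdu && pdu.app_tag` next to `Net::LDAP::PDU::BindResult` than the whole PDU, because the check on the following line cannot tell "nothing was read" (`pdu` is nil) from "a different app tag came back", and that distinction is exactly what decides whether the server is ignoring the SASL bind or rejecting it.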
It should send an initial packet of approx 2 KBytes with the initial credentials and then some smaller packets forth and back until the authentication has passed.