Using gokrb5 with go-ldap #247

Closed
lukeo3o1 opened this issue Jan 18, 2019 · 8 comments
Comments

@lukeo3o1

There is currently no implementation of Kerberos GSSAPI authentication on go-ldap.
Is it possible to use gokrb5 implementation or any ideas?

@jcmturner
Owner

My understanding is that go-ldap is an LDAP client. Can you explain what your use case is here?

@jcmturner jcmturner changed the title go-dalp Using gokrb5 with go-ldap Jan 18, 2019
@lukeo3o1
Author

lukeo3o1 commented Jan 19, 2019

I use go-ldap to browse Active Directory.
But in go-ldap you can only use Simple Bind with TLS/SSL or StartTLS for authentication.
In my case, I can't use simple bind with TLS/SSL or StartTLS authentication; only GSS-API or DIGEST-MD5 can do it.
But currently go-ldap does not support GSSAPI (go-ldap issue #115).
So I think maybe this can be done with gokrb.

I used gokrb to get the ticket for the LDAP service, but I don't know how to add the ticket to the LDAP Bind Request.

Reference:
LDAPv3 Wire Protocol Reference: The LDAP Bind Operation
LDAP-RFC 4551
ldapsearch: ldap_sasl_interactive_bind_s

Thank you for your reply.
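As an added example (not code from this thread or from gokrb5), this shows what "adding the ticket to the Bind Request" looks like on the wire: the first leg of an LDAPv3 SASL bind, where the GSSAPI token that gokrb5 would produce travels as the `credentials` octet string. The token bytes below are a constructed placeholder, and the later RFC 4752 rounds (server challenge, security-layer negotiation) are not shown.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// berTLV wraps content in a BER tag-length-value triple with a definite length,
// switching to the long form (0x80|count, then big-endian bytes) at 128+ bytes.
func berTLV(tag byte, content []byte) []byte {
	out := []byte{tag}
	if n := len(content); n < 0x80 {
		out = append(out, byte(n))
	} else {
		var lenBytes []byte
		for v := n; v > 0; v >>= 8 {
			lenBytes = append([]byte{byte(v)}, lenBytes...)
		}
		out = append(out, 0x80|byte(len(lenBytes)))
		out = append(out, lenBytes...)
	}
	return append(out, content...)
}

// SASLBindRequest encodes an LDAPv3 BindRequest (RFC 4511 section 4.2) whose
// AuthenticationChoice is sasl [3] SaslCredentials { mechanism, credentials }.
// For mechanism "GSSAPI" (RFC 4752) the credentials of the first bind are the
// GSS-API initial context token carrying the AP-REQ built from the service
// ticket; the LDAPDN is left empty because the identity comes from the token.
// messageID is assumed to be in 1..127 so it fits a one-byte INTEGER.
func SASLBindRequest(messageID int, mechanism string, token []byte) []byte {
	id := berTLV(0x02, []byte{byte(messageID)}) // messageID INTEGER
	version := berTLV(0x02, []byte{0x03})        // version INTEGER 3 = LDAPv3
	name := berTLV(0x04, nil)                    // name LDAPDN, empty
	sasl := berTLV(0xA3, append(berTLV(0x04, []byte(mechanism)), berTLV(0x04, token)...))
	bind := berTLV(0x60, append(append(version, name...), sasl...)) // [APPLICATION 0]
	return berTLV(0x30, append(id, bind...))                         // LDAPMessage
}

func main() {
	// Constructed placeholder standing in for the AP-REQ token gokrb5 would produce.
	token := []byte{0xAA, 0xBB}
	fmt.Println(hex.EncodeToString(SASLBindRequest(1, "GSSAPI", token)))
}
```

A server that accepts the token answers with resultCode saslBindInProgress (14) and its own serverSaslCreds, which the client must feed back into the GSS context before the bind completes.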

@uynap

uynap commented Feb 27, 2019

I had exactly the same situation as lukeo3o1, but in Kafka. The gokrb5 is a great library explaining a lot in communicating with Kerberos. But what after we got the TGS? How to add the ticket to "the client" which requires the Kerberos?
I know it's out of the scope of this library, but without knowing it, the library is pointless in practice. I saw the efforts you spent on SPNEGO. But for one thing, SPNEGO is really not a hot spot for Kerberos; for another, SPNEGO is a simple HTTP-based client. It's different from binary TCP communication.

@TobiasKarnat

I need this as well for enterprise use: I wrote a program to synchronize LDAP group members with local Linux group users.
As sssd with krb5 is already used, I would not need a technical user to authorize with the Active Directory server, but could you use the computer account to authorize?!

@keith6014

I too would like this. I would like to authenticate with gokrb5 and then authorize with go-ldap. Is it possible?

@jcmturner
Owner

I have not done it in practice but in theory you should be able to pass an http.Handler that does the authorization using go-ldap as the inner handler to spnego.SPNEGOKRB5Authenticate.

You can get the authenticated user details from the request context as shown in the example and then do the LDAP call to get further details about the user.

If you are using Active Directory as your KDC there are additional details available already without having to do the LDAP call.

@fenngineering

Do we have any movement on this? This is exactly what I need. I'm 100% sure what needs to be done here, but basically I need the ability to query LDAP using the authenticated keytab. Any ideas?

@lukeo3o1
Author

Resolve go-ldap/ldap#449
