Home / server / Questions / 845470
Accepted
philippe
Asked: 2017-04-21 01:46:37 +0800 CST

ldapsearch and kerberos authentication

  • 772

I can successfully connect and search to an Active Directory domain controller using ldapsearch. I am using the -x option, to specify a username/password authentication (password being specified by -W and username by -D).

I currently need to dump directory from a MIT-kerberos domain. Kerberos is the only protocol available for authentication. I can retrieve a kerberos TGT ticket with kinit. I am using these command lines:

ldapsearch  -Y SASL -b "REALM.INC" -H ldap://kerberos_IP_address
-> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
  additional info: SASL(-4): no mechanism available: No worthy mechs found

ldapsearch -o "mech=GSSAPI" ...
-> Invalid general option name: mech

How can I authenticate with kerberos using ldapsearch?

Many thanks for your help&replies

debian

3 Answers

  1. Best Answer

    You may be missing the libsasl2-modules-gssapi-mit package.

    Without:

    # ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found

    Install:

    # apt install libsasl2-modules-gssapi-mit

    With:

    # ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
...

    SASL is enabled by default, and will auto-detect a compatible mechanism, so specifying -Y GSSAPI isn't even necessary:

    # ldapsearch -H ldap://dc1 -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
...
    • 7

  2. -Y is used to specify the SASL mechanism, which will probably be GSSAPI, though could be GSS-SPNEGO. Also, base dn must be in dn syntax (i.e., dc=example,dc=com), not domain syntax (example.com).

    $ ldapsearch -x -b '' -s base supportedSASLMechanisms -H ldap://192.0.2.1/
dn:
supportedSASLMechanisms: GSSAPI

$ ldapsearch -Y GSSAPI -b dc=example,dc=com -H ldap://192.0.2.1/

$ ldapsearch -x -b '' -s base supportedSASLMechanisms -H ldap://192.0.2.2/
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
    • 1

  3. depending on your ldapsearch & OS version, you can try to first authenticate to kerberos using kinit and "cache" your ticket, use it in a kerberos env variable, and then let ldapsearch use this variable, with something like this :

    kinit -c /tmp/<yourlogin>.cc.tmp <yourlogin>
export KRB5CCNAME=/tmp/<yourlogin>.cc.tmp
ldapsearch -Tx -h <host> -p <port> -Y GSSAPI -b "dc=example,dc=com" cn=*
    • 1