ldapsearch and kerberos authentication

debian kerberos

I can successfully connect and search to an Active Directory domain controller using ldapsearch. I am using the -x option, to specify a username/password authentication (password being specified by -W and username by -D).

I currently need to dump directory from a MIT-kerberos domain. Kerberos is the only protocol available for authentication. I can retrieve a kerberos TGT ticket with kinit. I am using these command lines:

ldapsearch  -Y SASL -b "REALM.INC" -H ldap://kerberos_IP_address
-> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
  additional info: SASL(-4): no mechanism available: No worthy mechs found

ldapsearch -o "mech=GSSAPI" ...
-> Invalid general option name: mech

How can I authenticate with kerberos using ldapsearch?

Many thanks for your help&replies


You may be missing the libsasl2-modules-gssapi-mit package.

Without:

# ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found

Install:

# apt install libsasl2-modules-gssapi-mit

With:

# ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
...

SASL is enabled by default, and will auto-detect a compatible mechanism, so specifying -Y GSSAPI isn't even necessary:

# ldapsearch -H ldap://dc1 -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
...

depending on your ldapsearch & OS version, you can try to first authenticate to kerberos using kinit and "cache" your ticket, use it in a kerberos env variable, and then let ldapsearch use this variable, with something like this :

kinit -c /tmp/<yourlogin>.cc.tmp <yourlogin>
export KRB5CCNAME=/tmp/<yourlogin>.cc.tmp
ldapsearch -Tx -h <host> -p <port> -Y GSSAPI -b "dc=example,dc=com" cn=*

-Y is used to specify the SASL mechanism, which will probably be GSSAPI, though could be GSS-SPNEGO. Also, base dn must be in dn syntax (i.e., dc=example,dc=com), not domain syntax (example.com).

$ ldapsearch -x -b '' -s base supportedSASLMechanisms -H ldap://192.0.2.1/
dn:
supportedSASLMechanisms: GSSAPI

$ ldapsearch -Y GSSAPI -b dc=example,dc=com -H ldap://192.0.2.1/

$ ldapsearch -x -b '' -s base supportedSASLMechanisms -H ldap://192.0.2.2/
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI

Related

How do I keep my Amazon Linux EC2 instance /var/log/messages from being filled with dhclient and ec2net messages?
Linux KVM Client filesystem (BTRFS?)
Restart docker container in privileged mode
How does VLAN subnetting work on IPv6?
Will upgrading the kernel of the proxy NGINX server be enough to prevent CVE-2017-6214 exploitation?
Get back hyper-v VMs after in place reinstall of host OS
systemctl --user: Process org.freedesktop.systemd1 exited with status 1
Are Dell PERC H200 H700 RAID cards supported by ".deb" based Linux distros?
Completely disable Date and Time sync in a Hyper-V VM
Server 2016 Running Hyper-V Stuck in "Shutting down service: Hyper-V Virtual Machine Management"
Remove --add-forward-port rule in firewall-cmd
~/.bashrc is NOT sourced on ssh 'command'