DirectoryTree / LdapRecord

A fully-featured LDAP framework.
https://ldaprecord.com
MIT License

[Support] Using Keytab files (SASL) for authentication #550

Closed ajibarra closed 1 year ago

ajibarra commented 1 year ago

Environment:

At Passbolt we want to be able to use a Keytab file to authenticate against the LDAP server. So I have defined the following steps to achieve it:

So my questions are:

Thank you!

stevebauman commented 1 year ago

Hi @ajibarra!

> Do you think I am missing something in this approach? Or do you see an easier way to achieve the same?

Unfortunately, I'm not sure. I've never authenticated to an LDAP server using this mechanism before. In fact, I didn't even know it existed 😅

> Do you find this feature useful? Is it something you would like us to contribute to the plugin?

I welcome all improvements to LdapRecord, as long as we can keep the API clean and easy to use. 🙏

Though due to my inexperience in this regard, you would have to do most of the heavy lifting here unfortunately.

Do you have any documentation you can link that I may read up on to see how this works? I have both an Active Directory and OpenLDAP server running locally on my machine that I can test with, if that helps.

ajibarra commented 1 year ago

hey @stevebauman,

We are still doing some research about it and setting up a local server to be able to test.

Here is the official openldap docs about SASL: https://www.openldap.org/doc/admin24/sasl.html

stevebauman commented 1 year ago

@ajibarra Ok sounds good! Thanks for the information 🙏

ajibarra commented 1 year ago

Hi @stevebauman ,

I am sorry for the delay on this, but it has been hard to set up an AD with Kerberos support properly and be able to connect.

I am curious because I see this in LdapInterface:


   /**
     * Binds to the current connection using the specified username and password.
     * If sasl is true, the current connection is bound using SASL.
     *
     * @see http://php.net/manual/en/function.ldap-bind.php
     *
     * @param string $username
     * @param string $password
     *
     * @return bool
     *
     * @throws LdapRecordException
     */
    public function bind($username, $password);```

So it looks like you already had this in mind 😄.

I think the easier way would be to add it there. I will prepare a PR so you can take a look and let me know.

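
A SASL/GSSAPI bind that authenticates with a Kerberos keytab instead of a password, written against PHP's own ldap extension. This is an added example, not code from LdapRecord, Passbolt or this thread, and it shows what the "bind using SASL" path in the interface above would have to do underneath. It assumes MIT Kerberos and the cyrus-sasl GSSAPI plugin are installed, that the host's krb5.conf knows the realm, and that the hostname, keytab path and principal placeholders are replaced; it needs a reachable KDC and LDAP server, so it cannot be run offline. `ldap_sasl_bind()`, `ldap_exop_whoami()` and `LDAP_OPT_DIAGNOSTIC_MESSAGE` are PHP's; `bindWithKeytab()` and `boundIdentity()` are hypothetical helpers.

```php
<?php
// Added example (not LdapRecord's, Passbolt's or the thread author's code).
// Assumptions: MIT Kerberos client libraries (>= 1.11) and the cyrus-sasl
// GSSAPI plugin are present, /etc/krb5.conf knows the realm, and the keytab
// holds a key for the principal. Host, keytab path and principal are placeholders.

declare(strict_types=1);

/**
 * Bind to $host over SASL GSSAPI using the keytab at $keytab.
 *
 * KRB5_CLIENT_KTNAME is honoured by MIT Kerberos: when no credential cache
 * is available, libkrb5 acquires a TGT from that client keytab on demand,
 * so no separate `kinit -kt` step (and no cron job to renew it) is needed.
 *
 * @param string      $host      LDAP server (SPN ldap/$host must exist in the KDC)
 * @param string      $keytab    path to the client keytab
 * @param string|null $principal authc_id, e.g. 'svc-passbolt@EXAMPLE.COM'; selects
 *                               the keytab entry when the file holds several
 * @return \LDAP\Connection|resource the bound connection (resource before PHP 8.1)
 * @throws RuntimeException on connect or bind failure
 */
function bindWithKeytab(string $host, string $keytab, ?string $principal = null)
{
    if (!is_readable($keytab)) {
        throw new RuntimeException("Keytab not readable: $keytab");
    }

    // Must be set before the first GSSAPI call in this process.
    putenv('KRB5_CLIENT_KTNAME=' . $keytab);

    $ldap = ldap_connect("ldap://{$host}");
    if ($ldap === false) {
        throw new RuntimeException("Invalid LDAP URI for host $host");
    }

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // dn and password are ignored for GSSAPI: the identity comes from the
    // Kerberos ticket, not from anything sent in the BindRequest.
    // props 'minssf=56' demands a GSSAPI sign/seal layer because this is a
    // plain ldap:// connection; when the transport is already TLS (ldaps://
    // or StartTLS) use 'maxssf=0' instead, since AD rejects a SASL security
    // layer on top of TLS.
    $ok = ldap_sasl_bind(
        $ldap,
        null,          // dn
        null,          // password
        'GSSAPI',      // mech
        null,          // realm: taken from krb5.conf / the ticket
        $principal,    // authc_id
        null,          // authz_id: let the server map the principal
        'minssf=56'    // props
    );

    if (!$ok) {
        $msg = ldap_error($ldap);
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        ldap_unbind($ldap);
        throw new RuntimeException("SASL GSSAPI bind failed: $msg ($diag)");
    }

    return $ldap;
}

/**
 * Ask the server whom it thinks we are (RFC 4532 "Who am I?").
 * AD answers 'u:EXAMPLE\svc-passbolt', OpenLDAP 'dn:uid=...' or 'u:...';
 * an empty string means the bind was mapped to anonymous, which is worth
 * failing on explicitly rather than discovering later via access errors.
 *
 * @param \LDAP\Connection|resource $ldap
 */
function boundIdentity($ldap): string
{
    $who = ldap_exop_whoami($ldap);
    if ($who === false || $who === '') {
        throw new RuntimeException('Bind succeeded but server reports anonymous identity');
    }
    return $who;
}

// Hypothetical usage (placeholders):
// $ldap = bindWithKeytab('dc01.example.com', '/etc/passbolt/svc.keytab', 'svc-passbolt@EXAMPLE.COM');
// echo boundIdentity($ldap), PHP_EOL;
```

Two things to check on a real deployment: the keytab must be owned by and readable only by the PHP worker's user (a world-readable keytab is equivalent to a world-readable password), and the server's SPN (`ldap/dc01.example.com`) must resolve to the same name you connect with, otherwise GSSAPI fails with a "server not found in Kerberos database" diagnostic rather than a credential error.
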
stevebauman commented 1 year ago

Closing as this should be possible now in LdapRecord v3 🙏.