einfallstoll / express-ntlm

An express middleware to have basic NTLM-authentication in node.js.
BSD 2-Clause "Simplified" License

GSSAPI-Support for OpenLDAP #13

Open Oleg-Mishenkin opened 8 years ago

Oleg-Mishenkin commented 8 years ago

When connecting to an OpenLDAP server there is an error in the response that GSS-SPNEGO is not supported on the OpenLDAP server side. Can I change the authentication mode to GSSAPI, for example?

einfallstoll commented 8 years ago

SPNEGO ("Simple and Protected GSSAPI Negotiation Mechanism") is a mechanism to negotiate the choice of security method. It's useful if two ends want to communicate to each other but don't know what mechanism the other end "speaks".

From How LDAP Authentication works with Active Directory and the UWWI:

The GSS-SPNEGO authentication mechanism (RFC4178) is actually the GSSAPI authentication mechanism but with a client-server negotiation mechanism that provides for selection of the preferred security mechanism that both client and server support. In this case, the server will prefer Kerberos then NTLMv2 then NTLM (UWWI does not support LM). For that reason, refer to the GSSAPI authentication mechanism for further details.

Oleg-Mishenkin commented 8 years ago

What will happen when the LDAP server supports neither GSS-SPNEGO nor GSSAPI by default, as in my case? A negotiation error will occur. I see ASN1.makeoctstr('GSS-SPNEGO') in your source code in NTLM_AD_Proxy.js. Might it be better to allow customizing the authentication method? Thank you!

einfallstoll commented 8 years ago

I agree that GSSAPI makes sense to support. It will probably need some serious changes to the code, though. Keep in mind that I officially only support Active Directory so far.

I marked this as an enhancement, so I can add GSSAPI-support in a future release.
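The mechanism name the thread is talking about is just an OCTET STRING inside the LDAP SASL BindRequest (RFC 4511 section 4.2), so making it configurable is mostly a matter of not hard-coding it and rejecting anything outside an allow-list. The following is an added example, not express-ntlm's own code; the allow-list, function names and the hand-rolled BER encoding are assumptions, and the reader at the end only handles short-form lengths.

```javascript
const SUPPORTED_MECHANISMS = ['GSS-SPNEGO', 'GSSAPI']; // assumed allow-list (not from the project)

// BER length: short form below 128, long form (0x80 | byte count, then the bytes) above.
function berLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

// One BER element: tag, length, value.
function tlv(tag, value) {
  return Buffer.concat([Buffer.from([tag]), berLength(value.length), value]);
}

function octetString(v) {
  return tlv(0x04, Buffer.isBuffer(v) ? v : Buffer.from(v, 'utf8'));
}

// INTEGER in minimal two's complement, non-negative values only.
function integer(n) {
  const bytes = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) bytes.unshift(v & 0xff);
  if (bytes.length === 0 || bytes[0] & 0x80) bytes.unshift(0x00);
  return tlv(0x02, Buffer.from(bytes));
}

// LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
// BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
//   authentication [3] SaslCredentials { mechanism OCTET STRING, credentials OCTET STRING } }
function buildSaslBindRequest(messageId, mechanism, token) {
  if (!SUPPORTED_MECHANISMS.includes(mechanism)) {
    throw new Error('unsupported SASL mechanism: ' + mechanism);
  }
  const sasl = tlv(0xa3, Buffer.concat([octetString(mechanism), octetString(token)]));
  const bind = tlv(0x60, Buffer.concat([integer(3), octetString(''), sasl]));
  return tlv(0x30, Buffer.concat([integer(messageId), bind]));
}

// Pull the mechanism name back out of a message built above (assumes short-form
// lengths, i.e. a message under 128 bytes; a real GSS token would need long form).
function readSaslMechanism(msg) {
  const valueAt = (buf, off) => buf.subarray(off + 2, off + 2 + buf[off + 1]);
  const bind = valueAt(msg, 2 + 2 + msg[3]);        // skip the messageID element
  const auth = valueAt(bind, 3 + 2 + bind[4]);      // skip version (3 bytes) and name
  return valueAt(auth, 0).toString('utf8');         // first SaslCredentials field
}
```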

einfallstoll commented 8 years ago

Are there any other mechanisms apart from GSS-SPNEGO and GSSAPI to support?