inejge
commented
5 years ago BindResponse is fully defined as:
BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
serverSaslCreds [7] OCTET STRING OPTIONAL } For a challenge-response flow, you need the serverSaslCreds string, and for that, you'd have to parse the Bind response differently, which could be shoehorned into Ldap::simple_bind(), but is perhaps better suited for a separate function. It could be implemented similarly to Extended operations: see impl From<Tag> for LdapResultExt in src/protocol.rs and Ldap::extended() in src/extended.rs.
awakecoding
I am currently trying to add support for the GSS-SPNEGO bind type, which would be very useful to connect to Active Directory. I have sample wireshark captures of NTLM and Kerberos traffic, and I also have a working NTLM implementation that I can integrate.
However, I am facing a blocker: even if I can send the first GSS-SPNEGO bind request and get a proper response from the server (saslBindInProgress with the NTLM "Challenge" message in the response payload), I struggle to find a way to extract the NTLM message from the bind response.
The current code only has support for single request/response bind types, none of the implemented bind types are multilegged (meaning they require more than one request/response to complete). As far as I can see, bind success is currently only based on the LdapResult response code being zero.
I figured out how to interpret the result code differently such that code 14 (saslBindInProgress) is not considered an error, but I cannot figure out how to properly modify the LdapResponse type and parsing code to allow me to fetch something other than a vector of controls. A bind response isn't a search result, so it's not a vector of controls :/
Any guidance or hints on this problem?