Closed 1Dragoon closed 3 years ago
Does this library support integrated authentication on Windows clients?
It doesn't. Kerberos/GSSAPI support is a lot of work, especially if you'd like the result to be cross-platform. I didn't need it so far, so I haven't considered implementing it.
Bummer, that's the one thing stopping me from using Rust at work. I'm still very much a noob to Rust so if it's a lot of work I probably have no hope of being able to implement it, but I might try anyway. Tiberius seems to handle integrated authentication for MSSQL, at least on the Windows side and probably from the Linux/GSSAPI side as well as it has that listed as a feature, so maybe I can learn from that.
I looked at Tiberius some time ago, and I think that it uses NTLMv2 auth on Windows. But yes, it would be a good starting point in general.
I spent a few hours looking over the documentation for this, and now that I somewhat know what I'm looking for, I see somebody else has already tried to do this in PR #33, together with their own SSPI implementation in the form of the sspi-rs crate, though reading over the code I can only see a username and password authentication example in that branch.
All things considered, this is way over my head :) I'm learning Rust for personal reasons, and I've just wanted to start using it at work so that I've got an excuse to spend even more time learning it as opposed to spending more time with the only other language I know, C#.
@1Dragoon heads up: there is experimental Kerberos/GSSAPI support on the master branch. Consider testing it if you're still wrangling AD.
This is awesome! By the way, do you happen to know of a universal method of auto-detecting the domain controller in Linux without needing to be root?
> do you happen to know of a universal method of auto-detecting the domain controller in Linux without needing to be root?

On the DNS level, a SRV query for _ldap._tcp.dc._msdcs in the client's domain is resolved. Your Kerberos library should do this automatically (the MIT library does). I don't think being root enters into it.
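
The DNS step described in the reply above, as an added example that is not part of the thread or of the library's code: it builds the locator name and ranks SRV answers given in presentation format. The `corp.example.com` domain, the sample answers, the function names and the same-domain target filter are assumptions made for illustration; no DNS query is sent.

```rust
// Added example: DC discovery via SRV records, run on constructed answers.
#[derive(Debug, Clone, PartialEq)]
pub struct Srv {
    pub priority: u16,
    pub weight: u16,
    pub port: u16,
    pub target: String,
}

/// SRV name queried to locate domain controllers for `domain`.
pub fn dc_locator_name(domain: &str) -> String {
    format!("_ldap._tcp.dc._msdcs.{}", domain.trim_matches('.').to_ascii_lowercase())
}

/// Parse one SRV answer in presentation format: "priority weight port target".
pub fn parse_srv(line: &str) -> Option<Srv> {
    let mut f = line.split_whitespace();
    let priority = f.next()?.parse().ok()?;
    let weight = f.next()?.parse().ok()?;
    let port = f.next()?.parse().ok()?;
    let target = f.next()?.trim_end_matches('.').to_ascii_lowercase();
    if f.next().is_some() || target.is_empty() {
        return None; // extra or missing fields: reject the line
    }
    Some(Srv { priority, weight, port, target })
}

/// Rank candidates: lowest priority first, then highest weight first
/// (a deterministic simplification of RFC 2782's weighted random choice).
/// Assumed policy: targets outside `domain` are dropped, because plain DNS
/// answers are unauthenticated; a disjoint namespace would need this relaxed.
pub fn rank_dcs(domain: &str, answers: &str) -> Vec<Srv> {
    let suffix = format!(".{}", domain.trim_matches('.').to_ascii_lowercase());
    let mut v: Vec<Srv> = answers
        .lines()
        .filter_map(parse_srv)
        .filter(|s| s.target.ends_with(&suffix))
        .collect();
    v.sort_by(|a, b| a.priority.cmp(&b.priority).then(b.weight.cmp(&a.weight)));
    v
}

fn main() {
    // Constructed sample answers, one malformed and one out-of-domain.
    let answers = "0 100 389 dc2.corp.example.com.\n0 200 389 dc1.corp.example.com.\n10 100 389 dc3.corp.example.com.\n0 100 389 dc.other.example.net.\nnot an srv record";
    println!("query: {}", dc_locator_name("corp.example.com"));
    for s in rank_dcs("corp.example.com", answers) {
        println!("ldap://{}:{}", s.target, s.port);
    }
}
```

Nothing here needs elevated privileges: the lookup is an ordinary DNS query, and the ranking is plain string handling on its answers.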
I can't tell from the documentation or examples, but does this library support integrated authentication on Windows clients? If so, are there any examples of how to authenticate that way?