
I can successfully connect to and search an Active Directory domain controller using ldapsearch. I am using the -x option to specify username/password authentication (the password being specified by -W and the username by -D).

I currently need to dump the directory from an MIT Kerberos domain. Kerberos is the only protocol available for authentication. I can retrieve a Kerberos TGT with kinit. I am using these command lines:

ldapsearch  -Y SASL -b "REALM.INC" -H ldap://kerberos_IP_address
-> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
  additional info: SASL(-4): no mechanism available: No worthy mechs found

ldapsearch -o "mech=GSSAPI" ...
-> Invalid general option name: mech

How can I authenticate with kerberos using ldapsearch?

Many thanks for your help and replies

philippe
  • What happened when you do ldapsearch -H ldap://kerberos_IP_address -U administrator -s base -b "CN=Users,DC=domain,DC=com" -Y GSSAPI -s sub "(cn=*)" ? Does klist show valid tickets in cache ? – Abey Apr 20 '17 at 16:21

3 Answers


You may be missing the libsasl2-modules-gssapi-mit package.

Without:

# ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found

Install:

# apt install libsasl2-modules-gssapi-mit

With:

# ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: Administrator@AD-TEST.VX
SASL SSF: 256
SASL data security layer installed.
...

SASL is enabled by default, and will auto-detect a compatible mechanism, so specifying -Y GSSAPI isn't even necessary:

# ldapsearch -H ldap://dc1 -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: Administrator@AD-TEST.VX
SASL SSF: 256
SASL data security layer installed.
...
Jonathon Reinhart

-Y is used to specify the SASL mechanism, which will probably be GSSAPI, though it could be GSS-SPNEGO. Also, the base DN must be in DN syntax (i.e., dc=example,dc=com), not domain syntax (example.com).

$ ldapsearch -x -b '' -s base supportedSASLMechanisms -H ldap://192.0.2.1/
dn:
supportedSASLMechanisms: GSSAPI

$ ldapsearch -Y GSSAPI -b dc=example,dc=com -H ldap://192.0.2.1/

$ ldapsearch -x -b '' -s base supportedSASLMechanisms -H ldap://192.0.2.2/
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
Jonathon Reinhart
84104
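The two answers above describe one procedure: check the root DSE for the SASL mechanisms the server offers, write the base DN in DN syntax rather than domain syntax, and then bind with -Y. The script below is an added example, not code from either answer. It is POSIX sh; the host name dc1.realm.inc, the realm REALM.INC, and the root-DSE LDIF used for the offline demonstration are constructed, and klist -s is the MIT krb5 flag that exits non-zero when the credential cache holds no valid ticket.

```shell
#!/bin/sh
# Added example: choose a Kerberos SASL mechanism from the root DSE, derive the
# base DN from the realm, and bind with ldapsearch -Y. Host/realm are assumptions.

# Convert a Kerberos realm or DNS domain (REALM.INC) into the DN syntax that
# ldapsearch -b expects (dc=realm,dc=inc). dc values are case-insensitive.
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F. '{
        out = ""
        for (i = 1; i <= NF; i++) out = out (i > 1 ? "," : "") "dc=" $i
        print out
    }'
}

# Read root-DSE LDIF on stdin and choose a mechanism: GSSAPI if offered,
# else GSS-SPNEGO. Prints nothing and returns 1 if neither is offered.
pick_sasl_mech() {
    awk '
        /^supportedSASLMechanisms: GSSAPI$/     { gssapi = 1 }
        /^supportedSASLMechanisms: GSS-SPNEGO$/ { spnego = 1 }
        END {
            if (gssapi)      { print "GSSAPI";     exit 0 }
            else if (spnego) { print "GSS-SPNEGO"; exit 0 }
            exit 1
        }'
}

# Classify the bind error text. "No worthy mechs found" is Cyrus SASL saying the
# client has no plugin for any mechanism the server offered (the missing
# libsasl2-modules-gssapi-mit case), which is not a ticket or password problem.
classify_bind_error() {
    case "$1" in
        *"No worthy mechs found"*)          echo "missing-client-sasl-plugin" ;;
        *"Unknown authentication method"*)  echo "sasl-bind-failed" ;;
        *)                                  echo "other" ;;
    esac
}

# Live procedure (needs a reachable server and a ticket; not run offline):
# 1. confirm a valid ticket is cached, 2. query the root DSE anonymously (-x),
# 3. bind with the chosen mechanism. -x and -Y are never combined: OpenLDAP's
# ldapsearch rejects simple and SASL authentication on the same command line.
kerberos_search() {   # $1 = LDAP server, $2 = Kerberos realm
    klist -s || { echo "no valid ticket in ${KRB5CCNAME:-the default cache}; run kinit first" >&2; return 1; }
    ks_mech=$(ldapsearch -x -LLL -H "ldap://$1" -b '' -s base supportedSASLMechanisms | pick_sasl_mech) \
        || { echo "$1 offers neither GSSAPI nor GSS-SPNEGO" >&2; return 1; }
    ldapsearch -H "ldap://$1" -Y "$ks_mech" -b "$(realm_to_basedn "$2")" "(objectClass=*)"
}

# Constructed sample of what `ldapsearch -x -b '' -s base supportedSASLMechanisms`
# prints for a server offering both mechanisms (not captured from a real host).
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI'

# Offline demonstration of the selection logic.
demo_mech=$(printf '%s\n' "$SAMPLE_ROOTDSE" | pick_sasl_mech)
echo "would run: ldapsearch -H ldap://dc1.realm.inc -Y $demo_mech -b $(realm_to_basedn REALM.INC)"
```

When the bind succeeds, the "SASL SSF: 256" and "SASL data security layer installed" lines in the first answer mean GSSAPI negotiated an integrity and confidentiality layer, so the search traffic is encrypted by Kerberos even over plain ldap://.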

Depending on your ldapsearch and OS version, you can try to first authenticate to Kerberos using kinit and "cache" your ticket, point a Kerberos environment variable at it, and then let ldapsearch use this variable, with something like this:

kinit -c /tmp/<yourlogin>.cc.tmp <yourlogin>
export KRB5CCNAME=/tmp/<yourlogin>.cc.tmp
ldapsearch -Tx -h <host> -p <port> -Y GSSAPI -b "dc=example,dc=com" cn=*
olivierg
  • `-T` means something different to debian / OpenLDAP than it does to Solaris. – 84104 Apr 20 '17 at 22:27
  • My commands run perfectly on Linux RHEL 6.x; I didn't try on Debian, though, but it should work anyway, assuming that the variable is set and -Y is passed, I suppose. Thanks for the info, by the way. – olivierg Apr 20 '17 at 22:35