System.DirectoryServices.Protocols - Linux - kerberos(keytab)

[birojnayak]

Hi Guys,
We are planning to use System.DirectoryServices.Protocols to get claims info in CoreWCF.(CoreWCF/CoreWCF#265). I was doing a simple test to see if it supports keytab, couldn't make it work ?

Below query works in my Linux (I have Keytab and my KRB5_KTNAME is set to proper location)

ldapsearch -Tx -h myownad.example.com-p 3268 -Y GSSAPI "dc=example,dc=com" cn=fakeuser

But below snippet throws me below error,

An operation error occurred.   at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---

            String domain = "example.com";
            var distinguishedName = domain.Split('.').Select(name => $"dc={name}").Aggregate((a, b) => $"{a},{b}");

            var filter = $"(&(objectClass=user)(sAMAccountName=fakeuser))"; 
            var searchRequest = new SearchRequest(distinguishedName, filter, SearchScope.Subtree, null);
            LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier("myownad.example.com", 389);
            System.DirectoryServices.Protocols.LdapConnection connection =
                new System.DirectoryServices.Protocols.LdapConnection(ldi, null, AuthType.Negotiate);
            var searchResponse = (SearchResponse)await Task<DirectoryResponse>.Factory.FromAsync(
                connection.BeginSendRequest,
                connection.EndSendRequest,
                searchRequest,
                PartialResultProcessing.NoPartialResultSupport,
                null);

            if (searchResponse.Entries.Count > 0)
            {
                var userFound = searchResponse.Entries[0]; 
                var memberof = userFound.Attributes["memberof"]; 
            }

So just checking if kerberos(keytab) is supported in Linux or I am doing something incorrect in my code ?

[stcpottdav]

@birojnayak From looking at the source code, you will need to use AuthType.Kerberos as otherwise it just uses as simple bind and not a sasl bind.

[birojnayak]

@birojnayak From looking at the source code, you will need to use AuthType.Kerberos as otherwise it just uses as simple bind and not a sasl bind.

@stcpottdav I have tried that too, didn't work... have you tried, let me know.. if it works in your case

[stcpottdav]

In my case I haven't been able to get the ldapsearch utility working and have asked from help from another team.

One general thing -> the search base must be an organizational unit. It doesn't support searching at the root of the domain as per #44826.

The Error code gives some information for the actual error which can be found here:
https://github.com/delphij/openldap/blob/master/include/ldap.h

[danmoseley]

Can you try with latest 6.0 bits? That should translate the error code and also potentially provide more details. It might be in 6.0 preview 2.

[stcpottdav]

I have it working on buster, focal and alpine containers. Alpine was tricky as it also needed the KRB5CCNAME set.

[birojnayak]

I have it working on buster, focal and alpine containers. Alpine was tricky as it also needed the KRB5CCNAME set.

If you don't mind.. could you please share code snippet ?

[stcpottdav]

` public AppPermission GetPermissions(string username)
{

        var id = new LdapDirectoryIdentifier(config.Servers, true, false);
        using var connect = (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) ? 
            new LdapConnection(id, CredentialCache.DefaultNetworkCredentials, AuthType.Negotiate) :
            new LdapConnection(id, null , AuthType.Kerberos);
        connect.SessionOptions.ProtocolVersion = 3;
        connect.Bind();
 

        var isInGroup = IsInGroup(connect, config.AdminGroupDistinguishedName, username);




        return user;

    }
	
	private bool IsInGroup(LdapConnection connect,  string groupDN, string username)
    {
        var filter = string.Format(config.MemberSearchFilter, groupDN, username);
        var request = new SearchRequest(config.SearchBase, filter, SearchScope.Subtree, config.Attributes);
        var result = connect.SendRequest(request) as SearchResponse;
        return  result.Entries.Count > 0;
    }
	
	`

"Ldap": { "Domain": "mydomain.ca", "Servers": [ "mydc1.mydomain.ca", "mydc2.mydomain.ca" ], "Attributes": [ "SamAccountName" ], "SearchBase": "DC=mydomain,DC=ca", "MemberSearchFilter": "(&(memberOf:1.2.840.113556.1.4.1941:={0})(objectCategory=person)(objectClass=user)(sAMAccountName={1}))", "GroupDistinguishedName": "[redacted]" }

[birojnayak]

thank you guys.. it worked in my linux... the hint "One general thing -> the search base must be an organizational unit. It doesn't support searching at the root of the domain as per #44826 " was on the spot.. bdw why is that restriction?

[stcpottdav]

The end of #44826 has the workaround to the searching at domain level issue. If you add the environment variable LDAPREFERRALS=off to your container/OS it will work at the domain level. Hopefully this all gets fixed with v6 so there aren't workarounds necessary anymore.

[joperezr]

Correct me if I'm wrong, but seems like the main problem here was that the library didn't support searching on the root of the domain, and looks like that was fixed by turning off ldapreferrals, which @iinuwa has merged in 6.0 on PR #54380. That means that you shouldn't need to set the variable in your container any longer and should be able to search on the root of the domain again. Given this understanding, I'll go ahead and close this issue as resolved for now, but if I misunderstood anything please let me know and we can reopen this.