LDAP authentication

erick · 2015-10-08 13:57:13

Hi,

Sometimes you want active director domain authentication but you cannot register the service with active directory because that can be a political nightmare on some corporate ADs. Or you want to test on a device which cannot be registered in the domain, such as on a VPN where I'm currently writing my code.

For the last few hours I've been trying to put my LDAP testing code into the framework. I'm getting closer, but am a bit intimidated by working 46,000 lines into the mormot.pas code.

I'm trying to patch in my ldap testing code:

const

  SEC_WINNT_AUTH_IDENTITY_ANSI    = $1;

type
  SEC_WINNT_AUTH_IDENTITY_A = packed record
    User: PAnsiChar;
    UserLength: Longint;
    Domain: PAnsiChar;
    DomainLength: Longint;
    Password: PAnsiChar;
    PasswordLength: Longint;
    Flags: Longint;
  end;


function rad_ldap_test( domain : ansistring; server : string; user, pass : ansistring ) : boolean;
var
  h : PLDAP;
  x : ULONG;
  auth : SEC_WINNT_AUTH_IDENTITY_A;

begin
  //Initialization session with Directory Server
  // shoud use ldap_open
  ZeroMemory( @auth, sizeof(auth));
  auth.user := pansichar( user );
  auth.userlength := Length( user );
  auth.Domain := pansichar( domain );
  auth.DomainLength := Length( domain );
  auth.password := pansichar( pass );
  auth.passwordlength := Length( pass );
  auth.flags := SEC_WINNT_AUTH_IDENTITY_ANSI;

  h := ldap_initw(pchar(server), 389);
  if h = Nil then begin
    result := False;
  end else begin

    //Binding with Server
    x := ldap_Connect(h, nil);
    x := ldap_bind_sA(h,Nil,@auth,  LDAP_AUTH_NTLM );
    ldap_unbind( h );

    result := x = 0;
  end;

end;

Does anyone else want to run with it, or you can wait on me.

ab · 2015-10-08 14:02:54

So you expect to transmit the used/password credentials as plain text between the client and the server?

erick · 2015-10-08 14:58:36

You'd have to use SSL or a reversable encryption.

Chaa · 2015-10-09 06:04:44

erick wrote:

Sometimes you want active directory domain authentication but you cannot register the service with active directory because that can be a political nightmare on some corporate ADs.

You can use NTLM in that case. It's works fine.

erick wrote:

Or you want to test on a device which cannot be registered in the domain, such as on a VPN where I'm currently writing my code.

And in this case you can use NTLM. Just pass username and clear text password in SetUser (username must contain '\' in order to framework choose NTLM).

It is much less secure than Kerberos, but for development purpose it's good enough.

erick · 2015-10-09 15:48:13

Hmmm, I haven't been able to get it to work.

I have nexus\erick2 in my SQLAuthUser database, and when I call client.SetUser( 'nexus\erick2','asdf' )
I see it detects the name as valid because it calls function TSQLRestServerAuthenticationSSPI.Auth

Then it calls function TSQLRestServerAuthenticationSSPI.Auth() twice. The first time there is no error, but
the second time it raises OS error 87 bad parameters in the function call ServerSSPIAuth()
in the call to AcceptSecurityContext(). I'm sure the userid/password is right, I've tried it a dozen times

I had called aServer := TSQLRestServerDB.Create(aModel, ':memory:', True);
because I think we are wanting to authenticate users though not passwords from the DB.

FWIW, the socket is on a 127.0.0.1 address.

erick · 2015-10-09 20:07:18

Okay, I corrected the setuser to SetUser('','') as I'm trying to do NTLM from the local machine as client to the same machine as a server

But still I get the same error:

20151009 19524106 + TSQLHttpClientWinHTTP(045CF040).Auth
20151009 19524106 + TSQLHttpClientWinHTTP(045CF040).00E58FA8
20151009 19524106 + TSQLRestServerDB(046276B0).URI(GET root/Auth?UserName=&data=oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAADXCiOIGAbEdAAAAD54u1Ko%2BHDTGDudSwe93qyajEgQQAQAAAA0iwNz5yxUyAAAAAA%3D%3D inlen=0)
20151009 19524106 call TSQLRestServerDB(046276B0) Auth
20151009 19524640 EXC EOSError ("System Error. Code: 87.\r\nThe parameter is incorrect") at 0044A7F6 stack trace API 00BE0641 00BE0675 77209F7F 772088A2 7723D948 000007FEFD25B3DD 00412656 0041268C 0044A7F6 0044A753 00BD745A 00CC4886 00C96E37 00C89F77 00C895B8 00C92C8D 00EAE14F 00E3EEC4 00E4669C 0052FB53 0041320B 770E5A4D 7721B831
20151009 19524646 debug TSQLRestServerDB(046276B0) TSQLRestRoutingREST.Error: { "errorCode":500, "error": {"EOSError":{"EOSError":"System Error. Code: 87.\r\nThe parameter is incorrect"}} }
20151009 19524646 srvr TSQLRestServerDB(046276B0) GET root/Auth SOA-Method -> 500 with outlen=116 in 5649099 us
20151009 19524646 - 05.649.132
20151009 19524646 clnt TSQLHttpClientWinHTTP(045CF040) GET root/Auth?UserName=&data=oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAADXCiOIGAbEdAAAAD54u1Ko%2BHDTGDudSwe93qyajEgQQAQAAAA0iwNz5yxUyAAAAAA%3D%3D status=500 state=7
20151009 19524646 - 05.650.276
20151009 19524646 ERROR TSQLHttpClientWinHTTP(045CF040) GET root/Auth?UserName=&data=oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAADXCiOIGAbEdAAAAD54u1Ko%2BHDTGDudSwe93qyajEgQQAQAAAA0iwNz5yxUyAAAAAA%3D%3D returned 500 Internal Server Error with message { "errorCode":500, "error": {"EOSError":{"EOSError":"System Error. Code: 87.\r\nThe parameter is incorrect"}} } stack trace API 00BE30E2 00C72EA8 00C7F69C 00C7EA31 00CC53F2 00CC200C 00C7EC70 00E5E19E 007C48AF 008D4AD1 007C51C6 00B2484B 00A6579E 76FE9BD1 76FE3BFC 76FE3B78 000007FEFBB36205 000007FEFBB36990 000007FEFBB36758 000007FEFBB36990 000007FEFBB36867 76FE9BD1 76FE98DA 00A5F624 00B1AB11 00A5F338 00B1D577 00EE3D2E 770E5A4D 7721B831
20151009 19524646 ret { "errorCode":500, "error": {"EOSError":{"EOSError":"System Error. Code: 87.\r\nThe parameter is incorrect"}} }
20151009 19524646 - 05.650.371
20

Chaa · 2015-10-12 05:49:51

I created ticket about that:

http://synopse.info/fossil/tktview?name=3a7a3f9928

ab · 2015-10-12 07:15:32

Should be fixed by http://synopse.info/fossil/info/cc41670824
Thanks for the report and investigation!

Chaa · 2015-10-12 09:46:29

erick wrote:

I have nexus\erick2 in my SQLAuthUser database, and when I call client.SetUser( 'nexus\erick2','asdf' )

Also, you need the changes described in the ticket:
http://synopse.info/fossil/tktview?name=2992adbeee

ab · 2015-10-12 10:18:32

Please check http://synopse.info/fossil/info/066b836bb81e

mORMot Open Source

#1 2015-10-08 13:57:13

LDAP authentication

#2 2015-10-08 14:02:54

Re: LDAP authentication

#3 2015-10-08 14:58:36

Re: LDAP authentication

#4 2015-10-09 06:04:44

Re: LDAP authentication

#5 2015-10-09 15:48:13

Re: LDAP authentication

#6 2015-10-09 20:07:18

Re: LDAP authentication

#7 2015-10-12 05:49:51

Re: LDAP authentication

#8 2015-10-12 07:15:32

Re: LDAP authentication

#9 2015-10-12 09:46:29

Re: LDAP authentication

#10 2015-10-12 10:18:32

Re: LDAP authentication

Board footer