#1 2015-10-08 13:57:13

erick
Member
Registered: 2015-09-09
Posts: 155

LDAP authentication

Hi,

Sometimes you want active director domain authentication but you cannot register the service with active directory because that can be a political nightmare on some corporate ADs.  Or you want to test on a device which cannot be registered in the domain, such as on a VPN where I'm currently writing my code.

For the last few hours I've been trying to put my LDAP testing code into the framework.  I'm getting closer, but am a bit intimidated by working 46,000 lines into the mormot.pas code.

I'm trying to patch in my ldap testing code:

const

  SEC_WINNT_AUTH_IDENTITY_ANSI    = $1;

type
  SEC_WINNT_AUTH_IDENTITY_A = packed record
    User: PAnsiChar;
    UserLength: Longint;
    Domain: PAnsiChar;
    DomainLength: Longint;
    Password: PAnsiChar;
    PasswordLength: Longint;
    Flags: Longint;
  end;


function rad_ldap_test( domain : ansistring; server : string; user, pass : ansistring ) : boolean;
var
  h : PLDAP;
  x : ULONG;
  auth : SEC_WINNT_AUTH_IDENTITY_A;

begin
  //Initialization session with Directory Server
  // shoud use ldap_open
  ZeroMemory( @auth, sizeof(auth));
  auth.user := pansichar( user );
  auth.userlength := Length( user );
  auth.Domain := pansichar( domain );
  auth.DomainLength := Length( domain );
  auth.password := pansichar( pass );
  auth.passwordlength := Length( pass );
  auth.flags := SEC_WINNT_AUTH_IDENTITY_ANSI;

  h := ldap_initw(pchar(server), 389);
  if h = Nil then begin
    result := False;
  end else begin

    //Binding with Server
    x := ldap_Connect(h, nil);
    x := ldap_bind_sA(h,Nil,@auth,  LDAP_AUTH_NTLM );
    ldap_unbind( h );

    result := x = 0;
  end;

end;

Does anyone else want to run with it, or you can wait on me.

Offline

#2 2015-10-08 14:02:54

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,664
Website

Re: LDAP authentication

So you expect to transmit the used/password credentials as plain text between the client and the server?

Offline

#3 2015-10-08 14:58:36

erick
Member
Registered: 2015-09-09
Posts: 155

Re: LDAP authentication

You'd have to use SSL or a reversable encryption.

Offline

#4 2015-10-09 06:04:44

Chaa
Member
Registered: 2011-03-26
Posts: 249

Re: LDAP authentication

erick wrote:

Sometimes you want active directory domain authentication but you cannot register the service with active directory because that can be a political nightmare on some corporate ADs.

You can use NTLM in that case. It's works fine.

erick wrote:

Or you want to test on a device which cannot be registered in the domain, such as on a VPN where I'm currently writing my code.

And in this case you can use NTLM. Just pass username and clear text password in SetUser (username must contain '\' in order to framework choose NTLM).

It is much less secure than Kerberos, but for development purpose it's good enough.

Offline

#5 2015-10-09 15:48:13

erick
Member
Registered: 2015-09-09
Posts: 155

Re: LDAP authentication

Hmmm, I haven't been able to get it to work.

I have nexus\erick2 in my SQLAuthUser database, and when I call client.SetUser( 'nexus\erick2','asdf' )
I see it detects the name as valid because it calls function TSQLRestServerAuthenticationSSPI.Auth

Then it calls function TSQLRestServerAuthenticationSSPI.Auth() twice.  The first time there is no error, but
the second time it raises OS error 87 bad parameters in the function call ServerSSPIAuth()
in the call to AcceptSecurityContext().  I'm sure the userid/password is right, I've tried it a dozen times

I had called  aServer := TSQLRestServerDB.Create(aModel, ':memory:', True);
because I think we are wanting to authenticate users though not passwords from the DB.

FWIW, the socket is on a 127.0.0.1 address.

Offline

#6 2015-10-09 20:07:18

erick
Member
Registered: 2015-09-09
Posts: 155

Re: LDAP authentication

Okay, I corrected the setuser to SetUser('','') as I'm trying to do NTLM from the local machine as client to the same machine as a server

But still I get the same error:

20151009 19524106  +    TSQLHttpClientWinHTTP(045CF040).Auth
20151009 19524106  +        TSQLHttpClientWinHTTP(045CF040).00E58FA8
20151009 19524106  +    TSQLRestServerDB(046276B0).URI(GET root/Auth?UserName=&data=oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAADXCiOIGAbEdAAAAD54u1Ko%2BHDTGDudSwe93qyajEgQQAQAAAA0iwNz5yxUyAAAAAA%3D%3D inlen=0)
20151009 19524106 call      TSQLRestServerDB(046276B0) Auth
20151009 19524640 EXC       EOSError ("System Error.  Code: 87.\r\nThe parameter is incorrect") at 0044A7F6  stack trace API 00BE0641 00BE0675 77209F7F 772088A2 7723D948 000007FEFD25B3DD 00412656 0041268C 0044A7F6 0044A753 00BD745A 00CC4886 00C96E37 00C89F77 00C895B8 00C92C8D 00EAE14F 00E3EEC4 00E4669C 0052FB53 0041320B 770E5A4D 7721B831
20151009 19524646 debug     TSQLRestServerDB(046276B0) TSQLRestRoutingREST.Error: {  "errorCode":500,  "error":  {"EOSError":{"EOSError":"System Error.  Code: 87.\r\nThe parameter is incorrect"}}  }
20151009 19524646 srvr      TSQLRestServerDB(046276B0)   GET root/Auth SOA-Method -> 500 with outlen=116 in 5649099 us
20151009 19524646  -    05.649.132
20151009 19524646 clnt          TSQLHttpClientWinHTTP(045CF040) GET root/Auth?UserName=&data=oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAADXCiOIGAbEdAAAAD54u1Ko%2BHDTGDudSwe93qyajEgQQAQAAAA0iwNz5yxUyAAAAAA%3D%3D status=500 state=7
20151009 19524646  -        05.650.276
20151009 19524646 ERROR     TSQLHttpClientWinHTTP(045CF040) GET root/Auth?UserName=&data=oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAADXCiOIGAbEdAAAAD54u1Ko%2BHDTGDudSwe93qyajEgQQAQAAAA0iwNz5yxUyAAAAAA%3D%3D returned 500 Internal Server Error with message  {  "errorCode":500,  "error":  {"EOSError":{"EOSError":"System Error.  Code: 87.\r\nThe parameter is incorrect"}}  } stack trace API 00BE30E2 00C72EA8 00C7F69C 00C7EA31 00CC53F2 00CC200C 00C7EC70 00E5E19E 007C48AF 008D4AD1 007C51C6 00B2484B 00A6579E 76FE9BD1 76FE3BFC 76FE3B78 000007FEFBB36205 000007FEFBB36990 000007FEFBB36758 000007FEFBB36990 000007FEFBB36867 76FE9BD1 76FE98DA 00A5F624 00B1AB11 00A5F338 00B1D577 00EE3D2E 770E5A4D 7721B831
20151009 19524646 ret       {  "errorCode":500,  "error":  {"EOSError":{"EOSError":"System Error.  Code: 87.\r\nThe parameter is incorrect"}}  }
20151009 19524646  -    05.650.371
20

Offline

#7 2015-10-12 05:49:51

Chaa
Member
Registered: 2011-03-26
Posts: 249

Re: LDAP authentication

Offline

#8 2015-10-12 07:15:32

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,664
Website

Re: LDAP authentication

Should be fixed by http://synopse.info/fossil/info/cc41670824
Thanks for the report and investigation!

Offline

#9 2015-10-12 09:46:29

Chaa
Member
Registered: 2011-03-26
Posts: 249

Re: LDAP authentication

erick wrote:

I have nexus\erick2 in my SQLAuthUser database, and when I call client.SetUser( 'nexus\erick2','asdf' )

Also, you need the changes described in the ticket:
http://synopse.info/fossil/tktview?name=2992adbeee

Offline

#10 2015-10-12 10:18:32

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,664
Website

Re: LDAP authentication

Offline

Board footer

Powered by FluxBB