GSS SASL provides a mechanism for secure network authentication between Lightweight Directory Access Protocol (LDAP) clients and servers. Using GSS SASL, users can assert their directory identities securely based on an external security mechanism. Typically, this mechanism is Kerberos V. Kerberos provides for ticket-based authentication and single sign-on and is a common choice for distributed networks. However, GSS SASL will in theory support any GSS mechanism supported by the underlying operating system, such as the SPNEGO security mechanism negotiation pseudo-mechanism.
New in this version (build 22 and above)
A new plugin, pam-plugin, which supports simple authentication against Pluggable Authentication Modules (PAM)
Support for authenticating userid and anonymous authorization identities (per RFC 2829). A user can authenticate to the directory without knowing their distinguished name, either using their userid or their authentication identity (Kerberos name). The client library will use a dummy distinguished name when binding to the server in order to work around a bug in Netscape’s directory server; however, the plugin will always extract the true authorization identity from the SASL negotiation.
Authorization identity form and how the plugin resolves it:

  u:userid (example: u:lukeh)
    User ID form: the directory is searched for an entry where the authorization identity attribute (default: uid) is equal to userid. The authorization is completed by verifying the authentication identity attribute (default: krbName) against the principal name extracted from the client ticket.

  dn:distinguishedName (example: dn:cn=Luke Howard,o=PADL)
    The directory entry distinguishedName is read. Authorization is completed by verifying the authentication identity attribute (default: krbName) against the principal name extracted from the client ticket.

    The client is admitted with anonymous authorization.

    The directory is searched for an entry where the authentication identity attribute (default: krbName) is equal to the client’s authentication identity, extracted from their ticket. The client is admitted with the distinguished name of that entry, if it exists.
Miscellaneous bugfixes and code cleanups
Support for the new iPlanet Directory Server 5.0 plugin API. Support for the old API is retained; select which API you want in Make.config. Note that we use the native API, not the 4.x compatibility API, which should improve authorization performance (authorization involves reading the directory).
Streamlined build system: you should only need to edit the file Make.config in the top-level directory. By default the GSS-API library implementation is auto-detected. You may tune the following Makefile variables:
Better support for integrity and privacy in the client library, using the Netscape 4.1 client library. We no longer require the Mozilla LDAP C SDK to be present, and the GSS-API context for sessions with integrity or privacy is no longer global (hence, multiple interleaved sessions can be used). Although our server-side plugin does not support integrity/privacy (due to design limitations in iPlanet’s Directory Server), this is useful when communicating with LDAP servers that do, such as Windows 2000 Active Directory.
Auto-discovery of GSS-API mechanisms and their corresponding SASL mechanisms (per draft-ietf-cat-sasl-gssapi-05.txt). For example, GSS-SPNEGO will be added to the list of supported SASL mechanisms if the GSS-API library supports it. We do not provide a GSS-API library at this time. This feature is of limited usefulness at this time, as there are few GSS-SPNEGO implementations.
Configurable attributes for mapping authentication identities and userid authorization identities. These are set by runtime arguments, identified by index (DS 4.x) or by configuration key (DS 5.x); the four arguments are:

  - Keytab file with key for LDAP server. This only works with the Heimdal and DCE GSS-API libraries, which support configurable "acceptor identities".
  - The attribute to use for authorizing clients’ authentication identities (for Kerberos, these identities correspond to their principal names). The default for this attribute is "krbName". To skip this argument but still specify another argument, you may specify a hyphen ("-") as its value.
  - The attribute to use for mapping the user form of the authorization identity to an LDAP entry. The default for this attribute is "uid". This is only necessary if clients authenticate using authorization identities of the form "u:userid" (see above). When a user binds with such an authorization identity, each naming context is searched with the filter (%s=%s), where the first %s is this attribute and the second %s is userid.
  - The path to the Padlock license file. This is only relevant on PADL binary licensed versions of this plugin.
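The following is an added model (not code from the PADL plugin) of the authorization-identity resolution described above, parameterised by the two configurable attributes just listed. It assumes an in-memory dictionary in place of the directory, that a bind with no authorization identity is resolved by the krbName search, that an ambiguous or empty search is refused, and it does not model the form that yields anonymous authorization, which this page does not show.

```python
from typing import Optional
# Constructed sample directory (not real PADL data): DN -> attributes.
DIRECTORY = {
    "cn=Luke Howard,o=PADL": {"uid": "lukeh", "krbName": "lukeh@PADL.COM"},
    "cn=Jane Doe,o=PADL": {"uid": "jdoe", "krbName": "jdoe@PADL.COM"},
}


class AuthorizationError(Exception):
    """Raised when the asserted authorization identity is refused."""


def search(attr, value):
    # Model of searching every naming context with the filter (attr=value).
    return [dn for dn, entry in DIRECTORY.items() if entry.get(attr) == value]


def authorize(authzid: Optional[str], principal: str,
              authn_attr: str = "krbName", authz_attr: str = "uid") -> str:
    """Return the DN the client is admitted as, given the RFC 2829 authzid from
    the SASL exchange and the principal name taken from the Kerberos ticket."""
    if not authzid:
        # No authorization identity asserted (assumption): admit the entry
        # whose authentication identity attribute equals the ticket principal.
        hits = search(authn_attr, principal)
        if len(hits) != 1:
            raise AuthorizationError("no unique entry for %s" % principal)
        return hits[0]
    if authzid.startswith("u:"):
        hits = search(authz_attr, authzid[2:])
        if len(hits) != 1:
            raise AuthorizationError("no unique entry for %s" % authzid)
        dn = hits[0]
    elif authzid.startswith("dn:"):
        dn = authzid[3:]  # exact match here; real DN comparison normalises
        if dn not in DIRECTORY:
            raise AuthorizationError("no such entry %s" % dn)
    else:
        raise AuthorizationError("unknown authorization identity form")
    # The chosen entry must carry the authentication identity from the ticket;
    # without this check any authenticated user could claim any uid or DN.
    if DIRECTORY[dn].get(authn_attr) != principal:
        raise AuthorizationError("%s may not act as %s" % (principal, dn))
    return dn


def is_authorized(authzid: Optional[str], principal: str) -> bool:
    try:
        authorize(authzid, principal)
        return True
    except AuthorizationError:
        return False
```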
Raw RFC 2829 authorization identities can be passed to the ldap_gss_bind() function, which is used in client applications instead of ldap_simple_bind_s(). (Note that ldap_gss_bind() is synchronous by definition, as the GSS-API context negotiation may consist of several challenges and responses.)
GSSSASL_INTEGRITY_PROTECTION for integrity protection
GSSSASL_PRIVACY_PROTECTION for privacy protection
one of "GSSAPI" or "GSS-SPNEGO"
Alternatively, clients may use the ldap_gssapi_bind() or (if your GSS-API library supports it) ldap_gss_bind() function. Please see include/gssldap.h for documentation of this API. A sample program is included in test/gsstest.c.
The software consists of a pre-operation SASL bind plug-in for the directory server (libgsssasl-plugin.so), and a shared library (libgssldap.so) which extends the Netscape LDAP client library to support GSS-API SASL authentication. Binary licensees will need to select the correct version of the plugin from the ds4 or ds5 directory, depending on whether they are using iPlanet Directory Server 4.x or 5.x.
This module requires a GSS-API library, such as that shipped with MIT Kerberos, DCE, or Heimdal.
To configure for DS 4.x, add the following to slapd.conf:
Four arguments are accepted, see conf/dse-gsssasl.ldif for more information.
To configure for DS 5.x, copy conf/dse-gsssasl.ldif into your server's root DSE entry (located in slapd-<instance>/config). We suggest you install the plugin in the directory /usr/iplanet/servers/lib.
You must ensure that your keytab file (or the equivalent for your GSS-API implementation's underlying security service) contains a principal for ldap@host, where host is the fully qualified domain name of the LDAP server, and that the keytab is readable by the userid under which ns-slapd runs.
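An added deployment check for the two keytab requirements above (example code, not part of the PADL software). It assumes MIT Kerberos `klist -k` output format, that the GSS-API name ldap@host corresponds to the Kerberos principal ldap/host@REALM, and that the POSIX mode bits decide whether the ns-slapd account can read the file; the listing below is constructed.

```python
import os
import re
import stat
import tempfile

# Constructed `klist -k` listing in MIT Kerberos format (not from a real host).
SAMPLE_KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap1.example.org@EXAMPLE.ORG
   3 ldap/ldap1.example.org@EXAMPLE.ORG
"""


def keytab_has_ldap_principal(klist_output, host):
    """True if the listing holds the principal behind the GSS-API name
    ldap@host, i.e. ldap/<host>@<REALM>. Principal names are case-sensitive,
    so pass the lower-case fully qualified host name."""
    pattern = r"^\s*\d+\s+ldap/%s@\S+\s*$" % re.escape(host)
    return re.search(pattern, klist_output, re.MULTILINE) is not None


def keytab_access(path, uid, gids):
    """Return (readable_by_uid, world_readable) from the file's mode bits.
    uid/gids are those of the account ns-slapd runs as. A keytab holds the
    server's long-term key, so world_readable should be False."""
    st = os.stat(path)
    if st.st_uid == uid:
        readable = bool(st.st_mode & stat.S_IRUSR)
    elif st.st_gid in gids:
        readable = bool(st.st_mode & stat.S_IRGRP)
    else:
        readable = bool(st.st_mode & stat.S_IROTH)
    return readable, bool(st.st_mode & stat.S_IROTH)


def check_constructed_keytab(mode, as_owner=True):
    """Create a throw-away file with the given mode and evaluate it as the
    owning user (as_owner=True) or as an unrelated user with no groups."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        uid = os.getuid() if as_owner else os.getuid() + 1
        return keytab_access(path, uid, [os.getgid()] if as_owner else [])
    finally:
        os.unlink(path)
```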
The binary release of this software requires a valid license key in /usr/iplanet/servers/lib/padlock.ldif. Make sure you copy the license file exactly as provided by PADL into this file. License keys are available from firstname.lastname@example.org.
Source licensees can deploy the software on as many client and server machines as they wish as long as the machines are within their organisation. Please contact PADL if you have questions regarding the permitted scope of deployment.