Add support for SSPI GSSAPI SASL mechanism bind (go-ldap#402)

* Add support for SSPI GSSAPI SASL mechanism bind

This change allows Windows clients to use current process' credentials
for bind authentication.

Co-authored-by: Filip Björck <filipbj@axis.com>

bind.go

@@ -558,3 +558,179 @@ func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindRes
 	err = GetLDAPError(packet)
 	return result, err
 }
+
+// GSSAPIClient interface is used as the client-side implementation for the
+// GSSAPI SASL mechanism.
+// Interface inspired by GSSAPIClient from golang.org/x/crypto/ssh
+type GSSAPIClient interface {
+	// InitSecContext initiates the establishment of a security context for
+	// GSS-API between the client and server.
+	// Initially the token parameter should be specified as nil.
+	// The routine may return a outputToken which should be transferred to
+	// the server, where the server will present it to AcceptSecContext.
+	// If no token need be sent, InitSecContext will indicate this by setting
+	// needContinue to false. To complete the context
+	// establishment, one or more reply tokens may be required from the server;
+	// if so, InitSecContext will return a needContinue which is true.
+	// In this case, InitSecContext should be called again when the
+	// reply token is received from the server, passing the reply token
+	// to InitSecContext via the token parameters.
+	// See RFC 4752 section 3.1.
+	InitSecContext(target string, token []byte) (outputToken []byte, needContinue bool, err error)
+	// NegotiateSaslAuth performs the last step of the Sasl handshake.
+	// It takes a token, which, when unwrapped, describes the servers supported
+	// security layers (first octet) and maximum receive buffer (remaining
+	// three octets).
+	// If the received token is unacceptable an error must be returned to abort
+	// the handshake.
+	// Outputs a signed token describing the client's selected security layer
+	// and receive buffer size and optionally an authorization identity.
+	// The returned token will be sent to the server and the handshake considered
+	// completed successfully and the server authenticated.
+	// See RFC 4752 section 3.1.
+	NegotiateSaslAuth(token []byte, authzid string) ([]byte, error)
+	// DeleteSecContext destroys any established secure context.
+	DeleteSecContext() error
+}
+
+// GSSAPIBindRequest represents a GSSAPI SASL mechanism bind request.
+// See rfc4752 and rfc4513 section 5.2.1.2.
+type GSSAPIBindRequest struct {
+	// Service Principal Name user for the service ticket. Eg. "ldap/<host>"
+	ServicePrincipalName string
+	// (Optional) Authorization entity
+	AuthZID string
+	// (Optional) Controls to send with the bind request
+	Controls []Control
+}
+
+// GSSAPIBind performs the GSSAPI SASL bind using the provided GSSAPI client.
+func (l *Conn) GSSAPIBind(client GSSAPIClient, servicePrincipal, authzid string) error {
+	return l.GSSAPIBindRequest(client, &GSSAPIBindRequest{
+		ServicePrincipalName: servicePrincipal,
+		AuthZID:              authzid,
+	})
+}
+
+// GSSAPIBindRequest performs the GSSAPI SASL bind using the provided GSSAPI client.
+func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest) error {
+	// nolint:errcheck
+	defer client.DeleteSecContext()
+
+	var err error
+	var reqToken []byte
+	var recvToken []byte
+	needInit := true
+	for {
+		if needInit {
+			// Establish secure context between client and server.
+			reqToken, needInit, err = client.InitSecContext(req.ServicePrincipalName, recvToken)
+			if err != nil {
+				return err
+			}
+		} else {
+			// Secure context is set up, perform the last step of SASL handshake.
+			reqToken, err = client.NegotiateSaslAuth(recvToken, req.AuthZID)
+			if err != nil {
+				return err
+			}
+		}
+		// Send Bind request containing the current token and extract the
+		// token sent by server.
+		recvToken, err = l.saslBindTokenExchange(req.Controls, reqToken)
+		if err != nil {
+			return err
+		}
+
+		if !needInit && len(recvToken) == 0 {
+			break
+		}
+	}
+
+	return nil
+}
+
+func (l *Conn) saslBindTokenExchange(reqControls []Control, reqToken []byte) ([]byte, error) {
+
+	// Construct LDAP Bind request with GSSAPI SASL mechanism.
+	envelope := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
+	envelope.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
+
+	request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
+	request.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
+	request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
+
+	auth := ber.Encode(ber.ClassContext, ber.TypeConstructed, 3, "", "authentication")
+	auth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "GSSAPI", "SASL Mech"))
+	if len(reqToken) > 0 {
+		auth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, string(reqToken), "Credentials"))
+	}
+	request.AppendChild(auth)
+	envelope.AppendChild(request)
+	if len(reqControls) > 0 {
+		envelope.AppendChild(encodeControls(reqControls))
+	}
+
+	msgCtx, err := l.sendMessage(envelope)
+	if err != nil {
+		return nil, err
+	}
+	defer l.finishMessage(msgCtx)
+
+	packet, err := l.readPacket(msgCtx)
+	if err != nil {
+		return nil, err
+	}
+	l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
+	if l.Debug {
+		if err = addLDAPDescriptions(packet); err != nil {
+			return nil, err
+		}
+		ber.PrintPacket(packet)
+	}
+
+	// https://www.rfc-editor.org/rfc/rfc4511#section-4.1.1
+	// packet is an envelope
+	// child 0 is message id
+	// child 1 is protocolOp
+	if len(packet.Children) != 2 {
+		return nil, fmt.Errorf("bad bind response")
+	}
+
+	protocolOp := packet.Children[1]
+RESP:
+	switch protocolOp.Description {
+	case "Bind Response": // Bind Response
+		// Bind Reponse is an LDAP Response (https://www.rfc-editor.org/rfc/rfc4511#section-4.1.9)
+		// with an additional optional serverSaslCreds string (https://www.rfc-editor.org/rfc/rfc4511#section-4.2.2)
+		// child 0 is resultCode
+		resultCode := protocolOp.Children[0]
+		if resultCode.Tag != ber.TagEnumerated {
+			break RESP
+		}
+		switch resultCode.Value.(int64) {
+		case 14: // Sasl bind in progress
+			if len(protocolOp.Children) < 3 {
+				break RESP
+			}
+			referral := protocolOp.Children[3]
+			switch referral.Description {
+			case "Referral":
+				if referral.ClassType != ber.ClassContext || referral.Tag != ber.TagObjectDescriptor {
+					break RESP
+				}
+				return ioutil.ReadAll(referral.Data)
+			}
+			// Optional:
+			//if len(protocolOp.Children) == 4 {
+			//	serverSaslCreds := protocolOp.Children[4]
+			//}
+		case 0: // Success - Bind OK.
+			// SASL layer in effect (if any) (See https://www.rfc-editor.org/rfc/rfc4513#section-5.2.1.4)
+			// NOTE: SASL security layers are not supported currently.
+			return nil, nil
+		}
+	}
+
+	return nil, GetLDAPError(packet)
+}

examples_windows_test.go

@@ -0,0 +1,36 @@
+//go:build windows
+// +build windows
+
+package ldap
+
+import (
+	"log"
+
+	"github.com/go-ldap/ldap/gssapi"
+)
+
+// This example demonstrates passwordless bind using the current process' user
+// credentials on Windows (SASL GSSAPI mechanism bind with SSPI client).
+func ExampleConn_SSPIClient_GSSAPIBind() {
+
+	// Windows only: Create a GSSAPIClient using Windows built-in SSPI lib
+	// (secur32.dll).
+	// This will use the credentials of the current process' user.
+	sspiClient, err := gssapi.NewSSPIClient()
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer sspiClient.Close()
+
+	l, err := DialURL("ldap://ldap.example.com:389")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer l.Close()
+
+	// Bind using supplied GSSAPIClient implementation
+	err = l.GSSAPIBind(sspiClient, "ldap/ldap.example.com", "")
+	if err != nil {
+		log.Fatal(err)
+	}
+}

go.mod

@@ -4,7 +4,8 @@ go 1.14
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e
+	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
 	github.com/go-asn1-ber/asn1-ber v1.5.4
-	github.com/stretchr/testify v1.7.2 // indirect
-	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
+	github.com/stretchr/testify v1.8.0
+	golang.org/x/crypto v0.1.0 // indirect
 )

go.sum

@@ -1,30 +1,50 @@
-github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
-github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e h1:ZU22z/2YRFLyf/P4ZwUYSdNCWsMEI0VeyrFoI2rAhJQ=
-github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU=
 github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
-golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=