Investigating LDAP SASL with Wireshark

LDAP SASL is LDAP's use of the Simple Authentication and Security Layer (RFC 4422; the LDAP binding is in RFC 4513): a framework that lets a client authenticate to an LDAP server through a pluggable mechanism named in the BindRequest, such as GSSAPI (normally backed by Kerberos), GSS-SPNEGO (which lets a Windows client negotiate Kerberos or NTLM), DIGEST-MD5 or PLAIN. This is what makes SASL binds worth looking at in a capture: the mechanism name and its tokens are visible in the bind exchange, and if the mechanism negotiates integrity or confidentiality (LDAP signing and sealing), every LDAP message after the bind is wrapped in a SASL buffer. With sealing the PDUs inside that buffer are encrypted, so Wireshark can only show the searches that follow a Kerberos bind if it can decrypt the session key.

GSSAPI, the Generic Security Services API (RFC 2743), is a standardized interface through which applications obtain security services such as authentication and message protection without depending on a particular mechanism. In Active Directory environments the mechanism behind it is almost always Kerberos, and the tokens the client and server exchange through it (AP-REQ, AP-REP) are what ends up inside the SASL credentials of the LDAP bind.

Installing ldp.exe

ldp.exe is part of the Remote Server Administration Tools (the Active Directory Domain Services and Lightweight Directory Services tools) and is already present on domain controllers; on a workstation it has to be installed as an RSAT feature or capability first.

Simple Bind

In a simple bind the BindRequest carries the name (a DN, or user@domain / DOMAIN\user for Active Directory) and the password as a plain OCTET STRING, so the password is readable in the capture unless the connection is protected by TLS (LDAPS on 636 or StartTLS). A domain controller configured to require LDAP signing rejects a cleartext simple bind with resultCode 8 (strongerAuthRequired) instead of accepting the password.

As Current User With NTLM

From ldp.exe on the local machine with NTLM:

Using credentials with Kerberos

From a remote machine with Kerberos. In the capture the exchange with the KDC (AS-REQ/AS-REP and TGS-REQ/TGS-REP on port 88) precedes the bind, and the bind itself is a SASL bind whose credentials carry the AP-REQ for the DC's ldap/ service principal; Wireshark can decrypt the ticket, and any sealed LDAP traffic that follows, only if it is given the service's keytab in the Kerberos protocol preferences.

request:

response:

Connecting with IP address

Binding to the DC by IP address instead of its DNS name matters for Kerberos: the client needs a service ticket for an SPN, and by default no ldap/<ip address> SPN exists, so a Windows LDAP client targeting an IP address falls back to NTLM, and a client forced to Kerberos fails. This is also why the impacket call below passes the hostname in the URL and the address separately: the hostname is used to build the SPN, the address only to open the TCP connection.

Using Python

Install impacket (the traceback below shows the session ran on Windows under Python 3.13):

python -m pip install --upgrade pip
python -m pip install impacket

Then, in the interactive interpreter. LDAPConnection takes the URL, the base DN and an optional destination IP; the hostname in the URL is what impacket uses to build the Kerberos service principal (ldap/other.local), while the TCP connection goes to the IP:

from impacket.ldap import ldap, ldapasn1
# url, baseDN, dstIp
ldap_connection = ldap.LDAPConnection('ldap://other.local', 'DC=other,DC=local', '10.15.7.16')
# login(user, password, domain, lmhash, nthash, authenticationChoice) implements 'simple'
# and the default 'sicilyPackageDiscovery' (NTLM); the SASL/Kerberos path is kerberosLogin()
ldap_connection.login('vasyasecond', 'iwoob4Tooyie', 'other.local', '', '', authenticationChoice="sasl")
# kerberosLogin(user, password, domain, lmhash, nthash, ...) obtains a TGT and a service ticket
# for ldap/other.local, then sends a SASL bind with the GSS-SPNEGO mechanism carrying the AP-REQ
ldap_connection.kerberosLogin('vasyasecond', 'iwoob4Tooyie', 'other.local', '', '')

The Kerberos login failed:

Traceback (most recent call last):
  File "<python-input-14>", line 1, in <module>
    ldap_connection.kerberosLogin('vasyasecond', 'iwoob4Tooyie', 'other.local', '', '')
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\dev\tools\Python313\Lib\site-packages\impacket\ldap\ldap.py", line 248, in kerberosLogin
    raise LDAPSessionError(
    ...<2 lines>...
    )
impacket.ldap.ldap.LDAPSessionError: Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4f7c

What the error says: the bindResponse carried resultCode invalidCredentials (49) with the Active Directory hint data 52e, which is ERROR_LOGON_FAILURE, i.e. the DC rejected the presented credentials. The neighbouring hints are 525 (user not found), 530 and 531 (logon time or workstation restriction), 532 (password expired), 533 (account disabled), 701 (account expired), 773 (password must be changed) and 775 (account locked out). Two things are worth noting for a Kerberos bind. First, a wrong password normally fails earlier, at the KDC, with KDC_ERR_PREAUTH_FAILED while the TGT is requested; an invalidCredentials returned by the bind itself means the KDC issued a ticket for the requested service principal and the DC then refused the security context, so the next things to check are which SPN the TGS-REQ in the capture asked for and whether the account may log on to that DC. Second, because the error came from bindRequest, the capture contains the full exchange: the KDC traffic on port 88, then a SASL bindRequest on 389 and a bindResponse carrying this diagnostic message. Comparing that bindRequest with the one ldp.exe sent successfully (mechanism, service principal, the name used for the DC) is the quickest way to find the difference.
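To see what these binds look like at the byte level, here is an added example, not code from the page and not part of impacket: a small BER decoder for LDAP BindRequest and BindResponse PDUs that does, for the Simple Bind, NTLM and Kerberos sections above, the part of Wireshark's LDAP dissector that matters when investigating a bind. It exposes the cleartext password in a simple bind, the SASL mechanism name and which GSS mechanism OIDs (SPNEGO, Kerberos, NTLMSSP) a GSS-SPNEGO blob offers, the saslBindInProgress continuation a multi-step GSSAPI bind produces, and it maps the Active Directory data 52e hint from the traceback above to its meaning. The sample PDUs are constructed inside the block (the DN and password reuse the lab values from this page; the GSS token bodies are placeholders that only carry mechanism OIDs), and AD_DATA_CODES is the standard set of AD bind-failure hints.

```python
"""Decode LDAP BindRequest/BindResponse PDUs (RFC 4511) from raw bytes, much as Wireshark's
LDAP dissector does: simple vs SASL bind, GSS mechanisms offered, and what an AD failure says."""
import re

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61            # [APPLICATION 0] / [APPLICATION 1]
CTX_SIMPLE, CTX_SASL, CTX_SERVER_SASL = 0x80, 0xA3, 0x87    # simple [0], sasl [3], serverSaslCreds [7]
RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 14: "saslBindInProgress", 49: "invalidCredentials"}
# "data NNN" hints Active Directory appends to diagnosticMessage on invalidCredentials
AD_DATA_CODES = {"525": "user not found", "52e": "bad username or password (ERROR_LOGON_FAILURE)",
                 "530": "logon time restriction", "531": "workstation restriction",
                 "532": "password expired", "533": "account disabled", "701": "account expired",
                 "773": "must change password", "775": "account locked out"}
GSS_MECH_OIDS = {"SPNEGO": bytes.fromhex("06062b0601050502"),          # DER OIDs seen inside GSS tokens
                 "Kerberos V5": bytes.fromhex("06092a864886f712010202"),
                 "MS KRB5": bytes.fromhex("06092a864882f712010202"),
                 "NTLMSSP": bytes.fromhex("060a2b06010401823702020a")}

def ber_read(buf, pos=0):
    """Read one BER TLV at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(val):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(val):
        tag, child, pos = ber_read(val, pos)
        out.append((tag, child))
    return out

def ber_tlv(tag, val):
    """Encode one TLV (only used to construct the sample PDUs below)."""
    if len(val) < 0x80:
        return bytes([tag, len(val)]) + val
    lb = len(val).to_bytes((len(val).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val

def ber_uint(tag, n):  # non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear
    return ber_tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def decode_bind_message(raw):
    """Decode an LDAPMessage carrying a BindRequest or BindResponse into a dict."""
    tag, body, _ = ber_read(raw)
    if tag != SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    (_, msgid), (op_tag, op) = ber_children(body)[:2]          # any trailing controls are ignored
    msg = {"messageID": int.from_bytes(msgid, "big", signed=True)}
    if op_tag == APP_BIND_REQUEST:
        (_, version), (_, name), (auth_tag, auth) = ber_children(op)
        msg.update(op="bindRequest", version=version[0], name=name.decode())
        if auth_tag == CTX_SIMPLE:                               # password is a plain OCTET STRING
            msg.update(auth="simple", password=auth.decode())
        elif auth_tag == CTX_SASL:
            parts = ber_children(auth)
            creds = parts[1][1] if len(parts) > 1 else b""
            msg.update(auth="sasl", mechanism=parts[0][1].decode(), credentials=creds,
                       gss_mechs=[k for k, oid in GSS_MECH_OIDS.items() if oid in creds])
        else:
            msg.update(auth="other", auth_tag=auth_tag)
    elif op_tag == APP_BIND_RESPONSE:
        parts = ber_children(op)
        code, diag = int.from_bytes(parts[0][1], "big", signed=True), parts[2][1].decode()
        msg.update(op="bindResponse", resultCode=code, result=RESULT_CODES.get(code, str(code)),
                   matchedDN=parts[1][1].decode(), diagnosticMessage=diag)
        for t, v in parts[3:]:                                   # referral [3] and/or serverSaslCreds [7]
            if t == CTX_SERVER_SASL:
                msg["serverSaslCreds"] = v
        m = re.search(r"\bdata ([0-9a-f]+)", diag)               # Active Directory status hint
        if m:
            msg.update(ad_data=m.group(1), ad_reason=AD_DATA_CODES.get(m.group(1), "unknown"))
    else:
        raise ValueError("not a bind PDU (protocolOp tag 0x%02x)" % op_tag)
    return msg

def build_bind_request(msgid, name, password=None, sasl=None):  # sasl=(mechanism, credentials)
    auth = (ber_tlv(CTX_SIMPLE, password.encode()) if sasl is None else
            ber_tlv(CTX_SASL, ber_tlv(OCTET_STRING, sasl[0].encode()) + ber_tlv(OCTET_STRING, sasl[1])))
    op = ber_tlv(APP_BIND_REQUEST, ber_uint(INTEGER, 3) + ber_tlv(OCTET_STRING, name.encode()) + auth)
    return ber_tlv(SEQUENCE, ber_uint(INTEGER, msgid) + op)

def build_bind_response(msgid, code, diag="", server_sasl_creds=None):
    body = ber_uint(ENUMERATED, code) + ber_tlv(OCTET_STRING, b"") + ber_tlv(OCTET_STRING, diag.encode())
    if server_sasl_creds is not None:
        body += ber_tlv(CTX_SERVER_SASL, server_sasl_creds)
    return ber_tlv(SEQUENCE, ber_uint(INTEGER, msgid) + ber_tlv(APP_BIND_RESPONSE, body))

# Constructed sample PDUs standing in for bytes lifted from a capture. The GSS token bodies
# are placeholders that only carry the mechanism OIDs a real token would contain.
SIMPLE_BIND = build_bind_request(1, "CN=vasyasecond,CN=Users,DC=other,DC=local", password="iwoob4Tooyie")
SPNEGO_BIND = build_bind_request(2, "", sasl=("GSS-SPNEGO", b"\x60\x1f" + GSS_MECH_OIDS["SPNEGO"]
                                 + b"\xa0" + GSS_MECH_OIDS["MS KRB5"] + GSS_MECH_OIDS["Kerberos V5"]))
AD_FAILURE = build_bind_response(2, 49, "8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4f7c")
SASL_CONTINUE = build_bind_response(3, 14, server_sasl_creds=b"\x60\x0d" + GSS_MECH_OIDS["Kerberos V5"] + b"\x02\x00")
```

To run it against a real capture, select the LDAPMessage in Wireshark's packet details, copy it as a hex stream and pass bytes.fromhex(...) to decode_bind_message; the long-form BER lengths that binds with full-size Kerberos tokens use are handled by ber_read. The gss_mechs list is a substring scan for mechanism OIDs rather than a full SPNEGO parse, which is enough to tell a Kerberos-offering bind from an NTLM fallback.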
