Replies: 1 comment
Hi @D3llon! To my knowledge, the only options you have are anonymous authentication, or SASL (Simple Authentication and Security Layer) with the GSSAPI (Generic Security Services Application Program Interface) mechanism for Kerberos authentication. Anonymous authentication allows you to set your SASL with the GSSAPI mechanism allows you to connect to your LDAP server using a "keytab" file with Kerberos. However, SASL binding to LDAP servers was added in LdapRecord v3, and LdapRecord-Laravel v3 has not been released yet to utilize this new version (it will be released this week). If you'd like to test it now, you can do so by requiring the dev version in composer (
Raw Example:

```php
// Create a new Kerberos context (KRB5CCache comes from the PECL krb5 extension).
$context = new KRB5CCache();
// Principal and keytab file path.
$principal = '[email protected]'; // Replace with your principal.
$keytab_path = '/path/to/keytab'; // Replace with the path to your keytab file.
// Initialize the context with the keytab; this step also obtains the TGT.
if (!$context->initKeytab($principal, $keytab_path)) {
    die('Could not obtain a Kerberos ticket from the keytab.');
}
// Get the name of the credential cache.
$ccache_name = $context->getName();
// Now you can use the credential cache to authenticate to the LDAP server.
// You might need to set the KRB5CCNAME environment variable to the ccache name.
putenv("KRB5CCNAME=$ccache_name");
// Prepare the LDAP connection handle (ldap_connect only validates the URI;
// the network connection is made on bind).
$ldap = ldap_connect('ldap://local.com');
if (!$ldap) {
    die('Invalid LDAP server URI.');
}
// SASL binds require LDAPv3.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// Bind to the LDAP server.
// The bind DN and password are both NULL to use Kerberos authentication.
$result = ldap_sasl_bind($ldap, NULL, NULL, 'GSSAPI');
if (!$result) {
    die('Could not bind to LDAP server: ' . ldap_error($ldap));
}
// Now you're authenticated to the LDAP server and can perform operations on it.
```

Using LdapRecord v3:

```php
use LdapRecord\Connection;

// Create a new Kerberos context.
$context = new KRB5CCache();
// Principal and keytab file path.
$principal = '[email protected]'; // Replace with your principal.
$keytab_path = '/path/to/keytab'; // Replace with the path to your keytab file.
// Initialize the context with the keytab; this step also obtains the TGT.
if (!$context->initKeytab($principal, $keytab_path)) {
    die('Could not obtain a Kerberos ticket from the keytab.');
}
// Get the name of the credential cache.
$ccache_name = $context->getName();
// Now you can use the credential cache to authenticate to the LDAP server.
// You might need to set the KRB5CCNAME environment variable to the ccache name.
putenv("KRB5CCNAME=$ccache_name");

$connection = new Connection([
    'base_dn' => 'dc=local,dc=com',
    'hosts' => ['local.com'],
    'username' => null,
    'password' => null,
    'use_sasl' => true,
]);
// Connect and bind to the LDAP server using Kerberos authentication.
$connection->connect();
// Now you're authenticated to the LDAP server and can perform operations on it.
$results = $connection->query()->where('...')->get();
```

Using LdapRecord-Laravel v3-Dev:

```dotenv
# .env
LDAP_LOGGING=true
LDAP_CONNECTION=default
LDAP_HOST=127.0.0.1
LDAP_USERNAME=
LDAP_PASSWORD=
LDAP_PORT=389
LDAP_BASE_DN="dc=local,dc=com"
LDAP_TIMEOUT=5
LDAP_SSL=false
LDAP_TLS=false
LDAP_SASL=true
```

Then, you may perform LDAP operations using Kerberos authentication:

```php
use LdapRecord\Models\User;

$users = User::get();
```

To reiterate, the above examples are pseudo-code and success may vary, as I don't have much knowledge or experience with SASL and Kerberos. Nevertheless, I hope this helps you!
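An added example (not code from the discussion or from LdapRecord) that carries the raw keytab flow above through with the checks a deployment needs: keytab file permissions, ticket validity before use, LDAPv3, bind error reporting, and a "Who am I?" check on the identity the server actually bound. It assumes the PECL krb5 extension (KRB5CCache) and ext-ldap; the principal, keytab path and LDAP URI are placeholders.

```php
<?php
// Added example (not from the discussion): keytab-based GSSAPI bind with the
// checks a deployment should make. Assumes the PECL krb5 extension (KRB5CCache)
// and ext-ldap; principal, keytab path and LDAP URI below are placeholders.

function gssapiBind(string $principal, string $keytabPath, string $ldapUri): array
{
    // The keytab is a long-lived secret: refuse one that is missing or unreadable.
    if (!is_file($keytabPath) || !is_readable($keytabPath)) {
        throw new RuntimeException("Keytab not readable: $keytabPath");
    }
    // On POSIX, refuse a group/world-accessible keytab (on Windows, protect it with an NTFS ACL instead).
    $mode = fileperms($keytabPath) & 0777;
    if (DIRECTORY_SEPARATOR === '/' && ($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('Keytab %s is group/world-accessible (mode %o)', $keytabPath, $mode));
    }

    // initKeytab obtains the TGT itself and stores it in a fresh credential cache.
    $ccache = new KRB5CCache();
    if (!$ccache->initKeytab($principal, $keytabPath)) {
        throw new RuntimeException("Could not obtain a TGT for $principal from the keytab");
    }
    // Require at least five minutes of remaining lifetime so the bind cannot race expiry.
    if (!$ccache->isValid(300)) {
        throw new RuntimeException('Credential cache is not valid for another 300 seconds');
    }
    // libldap/GSSAPI finds the ticket through KRB5CCNAME (a process-wide setting).
    putenv('KRB5CCNAME=' . $ccache->getName());

    $ldap = ldap_connect($ldapUri); // validates the URI only; no network I/O yet
    if ($ldap === false) {
        throw new RuntimeException("Malformed LDAP URI: $ldapUri");
    }
    // SASL binds require LDAPv3; do not chase referrals with our credentials.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // DN and password are null: the identity comes from the Kerberos ticket.
    if (!ldap_sasl_bind($ldap, null, null, 'GSSAPI')) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($ldap));
    }
    // "Who am I?" reports which directory identity the server mapped the ticket to;
    // log it so an unexpected service account is noticed early.
    $identity = ldap_exop_whoami($ldap);
    return [$ldap, $identity === false ? null : $identity];
}

[$ldap, $identity] = gssapiBind('laravel-app@EXAMPLE.REALM', '/path/to/keytab', 'ldap://ldap.example.internal');
echo 'Bound as: ' . ($identity ?? '(whoami unsupported)') . PHP_EOL;
```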
Hello, as mentioned in the title, I have a Windows Server using IIS to host a Laravel application. I have an Active Directory account set as identity for the Application pool under which the Laravel app is running, and successfully managed to use this AD account to access the database, which is hosted on a different Windows Server on the same domain, using Windows Authentication, which allows me to leave `DB_USERNAME` and `DB_PASSWORD` empty, but also to access the mail service without having `MAIL_USERNAME` and `MAIL_PASSWORD` filled, too. My target is to achieve the LDAP connection in the same fashion too. Does anyone have any idea how to get this done? What should be done on the IIS side and what on the project side?