Comments (23)
Is there already some Rust crate that provides this API?
from tiberius.
There's rust-sasl but I'm unsure how complete it is. Materialize seems to have GSSAPI support via rust-sasl, but it kind of seems like the actual GSSAPI usage is done in C/C++ in librdkafka through rust-rdkafka instead of in pure rust?
from tiberius.
libgssapi looks promising...
from tiberius.
You want to try it out if it works?
from tiberius.
Happy to assist if you need help :)
from tiberius.
I would be really interested in having this working on unix as well. I will have to use odbc because our dba won't allow any other authentication type.
from tiberius.
I tried it out and it DOES work! As it turns out the NTLM-based SSPI mechanism is just a Microsoft implementation of SPNEGO, so I was able to reuse almost all the SSPI stuff. Cleaning up the code for a PR.
from tiberius.
PR: #77
from tiberius.
Is there a way to test this in our CI? I'm still on vacation with no proper computer until 23.8. so I cannot really test or review this properly.
I took a look at the Appveyor docs, and alas I don't see a way to enable Active Directory & Kerberos integration
What kind of setup does one need to try this out?
The simplest setup I know of is to set up an Active Directory domain, add the SQL Server to it, and register a SPN for the server. How do you test the NTLM auth features today? With the exception of the SPN registration, the same setup should work, I'd think.
Unfortunately Kerberos/GSSAPI are old and arcane technologies. There's a reason everyone has moved to OAuth when they can.
As a first step, maybe one of the commenters on this thread can try with my fork and see if it works in their environments, in order to flush out any environment differences? @edmellum ? @tafia ?
from tiberius.
We just test on that Windows computer with the current user. So this crate doesn't work on Windows? We still need separate code for that?
Technically it can work on Windows, but Windows code tends to use the Windows API for this (as you did in the WindowsIntegrated variant), so there might be build annoyances trying to link in the gssapi libraries on Windows, since most systems wouldn't install both.
Another point here is that I created a new enum variant for my implementation, but the process itself is nearly identical to the WindowsIntegrated variant -- we could merge the two and use cfg variants for the two different dependencies, which would avoid needing to use different client code per-platform.
from tiberius.
I'll see what we can do with it when I get back to Berlin. If you want this to be merged earlier,
I am in no rush; I think making sure this works in a few environments is probably worth waiting a bit for, since if there is an issue it might be tricky to troubleshoot. Setting `KRB5_TRACE=/dev/stderr` helps tremendously.
Meantime I'll try to document in the main module and push that up for further review.
from tiberius.
Hi @pimeys I'm happy to do a review, I can take a look through it tomorrow but from a brief look it looks good, thanks @dwink! :)
My only thought here is it might be nice to have this as a cargo feature such that the dependency can be avoided if not needed (I recognize that the Windows integrated auth is currently non-optional on Windows, but potentially it could also be made optional in the future)
In terms of testing one thought I've had is we could potentially use the FreeIPA demo realm but I don't have much experience in that area.
from tiberius.
Yeah, this is really cool if we could make stuff like Kerberos authentication on Rust easy and modernish!
from tiberius.
This is now implemented in 0.4.9.
from tiberius.
Has anyone tested this on MacOS? I'm having some issues when following the docs
from tiberius.
I think we have no macOS devs working on Tiberius... Would be useful to have one to test and fix issues with the OS.
from tiberius.
I can't promise I'll start actively working on Tiberius, but I'm going to try it out a bit on a Mac and write up any issues I find 😄
Are the Tiberius tests running on MacOS? I think Github Actions have free minutes on MacOS, would a pull request setting that up be of interest?
from tiberius.