<div dir="ltr"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Nov 12, 2013 at 8:37 AM, Dan White <span dir="ltr"><<a href="mailto:dwhite@olp.net" target="_blank">dwhite@olp.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">On 11/11/13 16:59 -0800, Henry wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I am trying to write a custom application that uses cyrus-sasl to<br>
authenticate on behalf of its users with Active Directory via the ldapdb<br>
auxprop plugin. I am running into problems with proxy authentication.<br>
<br>
Reading the ldapdb source code, I see the following line in ldapdb_connect:<br>
<br>
cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;<br>
<br>
shortly before ldap_sasl_interactive_bind which fails with error 49<br>
(invalid credentials).<br>
<br>
It seems that Active Directory (up to 2008, at least) doesn't support this<br>
oid. Is it therefore impossible to use the ldapdb auxprop plugin to<br>
authenticate against Active Directory? If so, are there alternative<br>
mechanisms I could use instead?<br>
</blockquote>
<br></div>
Other than proxy authentication, you will also need to retrieve the<br>
cleartext password from AD, which is not possible as far as I know (the<br>
userPassword attribute is not retrievable).<br>
<br>
Other options that come to mind:<br>
<br>
Use saslauthd, with its ldap backend<br>
Use saslauthd, with its pam backend, using an ldap pam module<br>
gienger ldap auxprop plugin (external patch). I'm unsure if this works with<br>
AD.<div class=""><div class="h5"><br></div></div></blockquote><div><br></div><div>Thanks for the quick reply. Unfortunately saslauthd is not practical for our environment, otherwise that's clearly a preferred route. I also can't assume GSSAPI, although I'll be sure to allow that if it's available.</div>
<div><br></div><div>I think I'm going to have to write my own auxprop plugin that does the following (which is hopefully possible in some form):<br></div><div><br></div><div>1. Binds as a standard service user.</div><div>
2. Retrieves the DN for the user to be authenticated.</div><div>3. Binds as that user using the retrieved DN and user-supplied password.</div><div><br></div><div>Thanks for the pointers to the gienger auxprop plugin. At the very least that will work as a starting point for the plugin I may have to write.</div>
<div><br></div><div>Henry</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
My app's sasl conf file follows:<br>
<br>
log_level: 65535<br>
pwcheck_method: auxprop<br>
auxprop_plugin: ldapdb<br>
mech_list: PLAIN<br>
ldapdb_uri: ldap://**********<br>
ldapdb_id: dn:CN=****,CN=users,DC=****-ad,DC=local<br>
ldapdb_pw: ****<br>
ldapdb_mech: DIGEST-MD5<br>
ldapdb_starttls: try<br>
</blockquote>
<br></div></div><span class=""><font color="#888888">
-- <br>
Dan White<br>
</font></span></blockquote></div><br></div></div>
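<div><br></div><div>Added illustration of the three steps Henry lists (bind as a service account, find the user's DN, then bind as that DN with the user-supplied password), written in plain Python rather than as an auxprop plugin, with the two checks a practitioner would add to that flow: escaping the username before it goes into the search filter, and refusing an empty password, which many directories treat as an anonymous bind that succeeds. It is not code from this thread or from cyrus-sasl; the directory client is an injected object, and FakeDirectory, the service DN and the account names are constructed stand-ins so it runs offline.</div>

```python
# Added example (not cyrus-sasl code): the search-then-bind flow from the thread.
# "client" is any object with bind(dn, pw) -> bool and search(base, filt) -> [dn].
def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '*()\\' or ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))     # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return ''.join(out)

def authenticate(client, service_dn, service_pw, base_dn, username, password):
    """Return the user's DN if the password checks out, otherwise None."""
    # A bind with a DN and an empty password is an anonymous bind on many
    # directories and "succeeds"; refuse it before touching the server.
    if not password:
        return None
    # 1. Bind as the standard service account.
    if not client.bind(service_dn, service_pw):
        return None
    # 2. Look up the user's DN; escape the name so it cannot alter the filter.
    filt = '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter_value(username)
    dns = client.search(base_dn, filt)
    if len(dns) != 1:                           # no match, or an ambiguous one
        return None
    # 3. Bind as that DN with the user-supplied password.
    return dns[0] if client.bind(dns[0], password) else None

class FakeDirectory:
    """Constructed stand-in for AD: maps DN -> (sAMAccountName, password)."""
    PREFIX = '(&(objectClass=user)(sAMAccountName='
    def __init__(self, entries):
        self.entries = entries
    def bind(self, dn, password):
        return dn in self.entries and self.entries[dn][1] == password
    def search(self, base_dn, filt):   # understands only the filter shape above
        if not (filt.startswith(self.PREFIX) and filt.endswith('))')):
            return []
        name = filt[len(self.PREFIX):-2]
        return [dn for dn, (sam, _) in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and sam == name]

def demo():
    svc, base = 'CN=svc,CN=users,DC=example,DC=local', 'DC=example,DC=local'
    alice = 'CN=alice,CN=users,DC=example,DC=local'
    ad = FakeDirectory({svc: ('svc', 'svc-secret'), alice: ('alice', 'hunter2')})
    run = lambda user, pw: authenticate(ad, svc, 'svc-secret', base, user, pw)
    return {'good': run('alice', 'hunter2'), 'bad_pw': run('alice', 'wrong'),
            'empty_pw': run('alice', ''), 'injected': run('alice)(cn=*', 'x')}
```

Against a real server the same two functions would call the directory library's bind and search, but the empty-password check and the filter escaping stay in front of them unchanged.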