Cyrus NTLM plugin fails to authenticate in different domain

Dan White dwhite at olp.net
Thu May 22 13:47:23 EDT 2008


Rahman, Tanvir wrote:
> Both NTLM and GSS_SPNEGO libraries do not pass domain name field in NTLM
> Type 1 and 3 messages that client passes to it to be authenticated in a
> different domain. I notice that it is being consciously ignored by
> gssspnego.c and ntlm.c files.
> 
> This causes my ldapsearch to fail when I pass my domain information
> either in realm field or concatenate it with username in username@domain
> format:
> 
> 1.  ldapsearch -h hostname -b basedn -Y GSS-SPNEGO -U
> username@domain-name -w password "(objectClass=*)"
> 
> 2.  ldapsearch -h hostname -b basedn -Y GSS-SPNEGO -R domain-name -U
> username -w password "(objectClass=*)"
> 
> Is there any patch available to provide this support? 
> 
> Is there a different way to authenticate a client that is not in the
> same domain as the domain controller?

Hi Tanvir,

Just out of curiosity, can you provide a link to the source of 
your GSS-SPNEGO SASL mechanism? I don't see it in my copy of the 
2.1.22 source.

Thanks,
- Dan
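
To check whether a client actually places a domain in the NTLM Type 1 and Type 3 messages discussed in this thread, the domain field can be read directly from the raw message bytes taken from a packet capture. The following is an added example, not code from the thread or from Cyrus SASL; it assumes the standard NTLMSSP field layout (domain descriptor at offset 16 in Type 1 and offset 28 in Type 3, Type 3 flags at offset 60), decodes OEM strings as ASCII, and the function names and sample messages are constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
OEM_DOMAIN_SUPPLIED = 0x00001000

def _field(msg, pos):
    # Each string is described by (Len, MaxLen, Offset), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def ntlm_domain(msg):
    """Return (message_type, domain) for a raw NTLM Type 1 or Type 3 message."""
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 1 and len(msg) >= 32:
        (flags,) = struct.unpack_from("<I", msg, 12)
        # Type 1 strings are OEM-encoded; the domain counts only if flagged.
        raw = _field(msg, 16) if flags & OEM_DOMAIN_SUPPLIED else b""
        return 1, raw.decode("ascii", "replace")
    if mtype == 3 and len(msg) >= 64:
        (flags,) = struct.unpack_from("<I", msg, 60)
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return 3, _field(msg, 28).decode(enc, "replace")
    raise ValueError("unsupported or truncated message")

def sample_type1(domain=b""):
    # Constructed sample: OEM | NTLM flags, empty workstation.
    flags = 0x00000202 | (OEM_DOMAIN_SUPPLIED if domain else 0)
    hdr = SIGNATURE + struct.pack("<II", 1, flags)
    hdr += struct.pack("<HHI", len(domain), len(domain), 32)
    hdr += struct.pack("<HHI", 0, 0, 32 + len(domain))
    return hdr + domain

def sample_type3(domain, user):
    # Constructed sample: Unicode strings, empty responses and session key.
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    hdr = SIGNATURE + struct.pack("<I", 3) + empty + empty
    hdr += struct.pack("<HHI", len(d), len(d), 64)
    hdr += struct.pack("<HHI", len(u), len(u), 64 + len(d))
    hdr += empty + empty + struct.pack("<I", 0x00000201)
    return hdr + d + u

if __name__ == "__main__":
    for m in (sample_type1(), sample_type1(b"EXAMPLE"), sample_type3("EXAMPLE", "alice")):
        print(ntlm_domain(m))
```

An empty domain string in the result for a client's Type 1 or Type 3 message means the domain was dropped before the message was built, which is the behaviour reported above.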

