sasl auth against Active Directory

Dan White dwhite at olp.net
Wed Mar 31 11:10:07 EDT 2010


On 31/03/10 11:08 +0200, Geoff wrote:
> On 31/03/2010 10:34, Howard Chu wrote:
>> Geoff wrote:
>>> [...]
>>> I'm wondering if the IT gave me the right access on AD...
>>> The ldap search is not returning any userPassword or unicodePwd field
>>> (AD equivalent of ldap userPassword as I found on the web).
>>>
>>> Should an ldap search return one of these fields if I had sufficient
>>> access?
>>
>> No, ActiveDirectory never returns this information through LDAP.
>
> Thanks for such a rapid answer :)
>
> Then I'll have to find out where is the bug in my conf.

I did a pcap trace of the interaction between saslauthd and Active
Directory.

With the config I previously posted (ldap_auth_method: bind), saslauthd:

* Binds to the LDAP server using a simple bind, with the specified "dn" and
   password
* Searches for the user's entry using the specified base and filter, or the
   equivalent of:

ldapsearch -x -H ldap://192.0.2.1 -D Administrator@example.com -w secret \
    -b OU=Users,OU=BTC,dc=example,dc=com "(sAMAccountName=dan)" dn

dn: CN=Dan White,OU=Screen saver immunity,OU=Users,OU=BTC,DC=example,DC=com

* Performs a 2nd simple bind, using the dn returned from the search, and
   password that was specified by the user, such as:

ldapsearch -x -H ldap://192.0.2.1 \
    -D "CN=Dan White,OU=Screen saver immunity,OU=Users,OU=BTC,DC=example,DC=com" \
    -w usersecret -b OU=Users,OU=BTC,dc=example,dc=com

It doesn't really specify a base, but I specified it for the ldapsearch
command to return results.

So apparently if the second bind succeeds, then saslauthd returns success.

-- 
Dan White
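The three-step flow Dan traced (service bind, search for the user's DN, re-bind as that DN with the user's password), written out as an added example. This is not code from the original post or from saslauthd. Directory access goes through a small in-memory stand-in built here so the flow runs offline; the entries, DNs and passwords in it are constructed, and the service account is bound by DN rather than the `Administrator@example.com` UPN form used in the post. The example also carries two checks a practitioner wants in any bind-then-rebind authenticator and which the post does not discuss: the user-supplied name is RFC 4515-escaped before it goes into the filter, and an empty password is refused up front, because a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that a server may answer with success.

```python
import re

# ---- constructed stand-in for the directory server --------------------------
# Everything in DIRECTORY is made up for this example; only dan's DN and the
# search base follow the post.  "_password" stands in for the server-side
# credential, which (as Howard says) AD never returns over LDAP.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "Administrator", "_password": "secret"},
    "CN=Dan White,OU=Screen saver immunity,OU=Users,OU=BTC,DC=example,DC=com": {
        "sAMAccountName": "dan", "_password": "usersecret"},
    "CN=Ann Other,OU=Users,OU=BTC,DC=example,DC=com": {
        "sAMAccountName": "ann", "_password": "annsecret"},
}

SERVICE_DN = "CN=Administrator,CN=Users,DC=example,DC=com"
BASE = "OU=Users,OU=BTC,DC=example,DC=com"

_FILTER = re.compile(r"^\((\w+)=(.*)\)$")      # only (attr=value) filters


def _unescape(value):
    """Turn RFC 4515 hex escapes (\\2a, \\28, ...) back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


class FakeLdapServer:
    """Tiny model of an AD-style server, enough to run the flow offline.

    Two real behaviours are mimicked: a simple bind with a DN and an empty
    password is an *unauthenticated* bind that succeeds but only as anonymous,
    and a search needs an authenticated bind.
    """

    def __init__(self):
        self.bound_as = None

    def simple_bind(self, dn, password):
        if password == "":
            self.bound_as = None            # "success", but anonymous
            return True
        entry = DIRECTORY.get(dn)
        if entry is None or entry["_password"] != password:
            self.bound_as = None            # invalidCredentials
            return False
        self.bound_as = dn
        return True

    def search(self, base, ldap_filter):
        """Return the DNs under `base` matching an equality or presence filter."""
        if self.bound_as is None:
            raise PermissionError("search refused for anonymous bind")
        m = _FILTER.match(ldap_filter)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, raw = m.groups()
        suffix = "," + base.lower()
        hits = []
        for dn, entry in DIRECTORY.items():
            if not dn.lower().endswith(suffix) or attr not in entry:
                continue
            if raw == "*" or entry[attr] == _unescape(raw):   # presence or exact
                hits.append(dn)
        return hits


# ---- the saslauthd-style "ldap_auth_method: bind" flow ----------------------

def ldap_filter_escape(value):
    """Escape a user-supplied value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def bind_auth(server, service_dn, service_pw, base, username, password):
    """Bind as the service account, look up the user's DN, re-bind as that DN.

    Returns True only if every step succeeds and exactly one entry matched.
    """
    if password == "":
        return False                        # would be an unauthenticated bind
    if not server.simple_bind(service_dn, service_pw):
        return False
    flt = "(sAMAccountName=%s)" % ldap_filter_escape(username)
    hits = server.search(base, flt)
    if len(hits) != 1:
        return False                        # unknown user, or ambiguous match
    return server.simple_bind(hits[0], password)


if __name__ == "__main__":
    for user, pw in [("dan", "usersecret"), ("dan", "wrong"), ("dan", ""), ("*", "x")]:
        print(user, repr(pw), bind_auth(FakeLdapServer(), SERVICE_DN, "secret",
                                        BASE, user, pw))
```

Against a real server the same three calls map onto an LDAP client library's bind and search; the escaping and the empty-password and single-result checks stay exactly as they are, since they are what keeps a wildcard username from matching every entry under the base and an empty password from turning the second bind into an anonymous one.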


More information about the Cyrus-sasl mailing list