sasl auth against Active Directory
Dan White
dwhite at olp.net
Wed Mar 31 11:10:07 EDT 2010
On 31/03/10 11:08 +0200, Geoff wrote:
> On 31/03/2010 10:34, Howard Chu wrote:
>> Geoff wrote:
>>> [...]
>>> I'm wondering if the IT gave me the right access on AD...
>>> The ldap search is not returning any userPassword or unicodePwd field
>>> (AD equivalent of ldap userPassword as I found on the web).
>>>
>>> Should an ldap search return one of these fields if I had sufficient
>>> access?
>>
>> No, ActiveDirectory never returns this information through LDAP.
>
> Thanks for such a rapid answer :)
>
> Then I'll have to find out where the bug is in my conf.
I did a pcap trace of the interaction between saslauthd and Active
Directory.
With the config I previously posted (ldap_auth_method: bind), saslauthd:
* Binds to the LDAP server using a simple bind, with the specified "dn" and
password
* Searches for the user's entry using the specified base and filter, or the
equivalent of:
ldapsearch -x -H ldap://192.0.2.1 -D Administrator@example.com -w \
secret -b OU=Users,OU=BTC,dc=example,dc=com "(sAMAccountName=dan)" dn
dn: CN=Dan White,OU=Screen saver immunity,OU=Users,OU=BTC,DC=example,DC=com
* Performs a 2nd simple bind, using the dn returned from the search, and
password that was specified by the user, such as:
ldapsearch -x -H ldap://192.0.2.1 -D "CN=Dan White,OU=Screen saver \
immunity,OU=Users,OU=BTC,DC=example,DC=com" -w usersecret -b \
OU=Users,OU=BTC,dc=example,dc=com
It doesn't really specify a base, but I specified it for the ldapsearch
command to return results.
So apparently if the second bind succeeds, then saslauthd returns success.
--
Dan White
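The three-step flow described above (service bind, search for the user's DN, bind as the user), as an added example that is not from the thread or from saslauthd's own code: a Python reconstruction run against a constructed in-memory stand-in for Active Directory, with the two checks an implementer of this flow wants, RFC 4515 escaping of the user name before it goes into the filter, and rejecting empty passwords, because RFC 4513 makes a simple bind with a name and an empty password an anonymous bind that AD accepts. FakeAD, saslauthd_bind_auth and SAMPLE_ACCOUNTS are assumed names; the service credentials, search base, filter and DN are the ones quoted in the thread.

```python
import re

# Values from the thread; the directory below is a constructed stand-in for AD.
SERVICE_BIND, SERVICE_PW = "Administrator@example.com", "secret"
SEARCH_BASE = "OU=Users,OU=BTC,dc=example,dc=com"


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied name cannot alter the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


class FakeAD:
    """Offline AD look-alike: like AD it never returns a password attribute over LDAP."""
    def __init__(self, accounts):
        self.accounts, self.bound_as = accounts, None   # sample passwords kept in clear

    def simple_bind(self, name, password):
        # RFC 4513 5.1.2: a name plus an empty password is an anonymous bind, which AD accepts
        self.bound_as = None
        if password == "":
            return True
        for a in self.accounts:
            if name in (a["dn"], a["upn"]) and a["pw"] == password:
                self.bound_as = a["dn"]
        return self.bound_as is not None

    def search(self, base, filt):
        """Returns only matching DNs; unicodePwd/userPassword are never disclosed."""
        m = re.fullmatch(r"\(sAMAccountName=(.*)\)", filt)
        if self.bound_as is None or not m:
            return []
        return [a["dn"] for a in self.accounts if a["dn"].lower().endswith(base.lower())
                and escape_filter_value(a["sam"]) == m.group(1)]


def saslauthd_bind_auth(conn, username, password):
    """The three steps seen in the pcap: service bind, DN search, bind as the user."""
    if not password:            # refuse the unauthenticated-bind shortcut outright
        return False
    if not conn.simple_bind(SERVICE_BIND, SERVICE_PW):
        return False
    dns = conn.search(SEARCH_BASE, "(sAMAccountName=%s)" % escape_filter_value(username))
    if len(dns) != 1:           # none or ambiguous: fail closed
        return False
    return conn.simple_bind(dns[0], password)


SAMPLE_ACCOUNTS = [  # constructed sample data mirroring the DN quoted in the thread
    {"dn": "CN=Administrator,OU=Users,OU=BTC,DC=example,DC=com",
     "upn": SERVICE_BIND, "sam": "Administrator", "pw": SERVICE_PW},
    {"dn": "CN=Dan White,OU=Screen saver immunity,OU=Users,OU=BTC,DC=example,DC=com",
     "upn": "dan@example.com", "sam": "dan", "pw": "usersecret"},
]
```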