Ldapdb auxprop plugin, proxy authentication and Active Directory

Henry henry.robinson at gmail.com
Mon Nov 11 19:59:50 EST 2013


Hi -

I am trying to write a custom application that uses cyrus-sasl to
authenticate on behalf of its users with Active Directory via the ldapdb
auxprop plugin. I am running into problems with proxy authentication.

Reading the ldapdb source code, I see the following line in ldapdb_connect:

cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;

shortly before ldap_sasl_interactive_bind which fails with error 49
(invalid credentials).

It seems that Active Directory (up to 2008, at least) doesn't support this
OID. Is it therefore impossible to use the ldapdb auxprop plugin to
authenticate against Active Directory? If so, are there alternative
mechanisms I could use instead?

My app's sasl conf file follows:

log_level: 65535
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN
ldapdb_uri: ldap://**********
ldapdb_id: dn:CN=****,CN=users,DC=****-ad,DC=local
ldapdb_pw: ****
ldapdb_mech: DIGEST-MD5
ldapdb_starttls: try

Many thanks in advance,

Henry
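
A way to check whether a directory server advertises the control that ldapdb attaches to its bind, added here as an example that is not part of the original message or of cyrus-sasl. It assumes the root DSE has been dumped as LDIF (for instance with `ldapsearch -x -H ldap://<host> -s base -b "" supportedControl`); the function names and both sample dumps are constructed for illustration.

```python
import base64

# OID of the Proxied Authorization control (RFC 4370); this is the value
# behind LDAP_CONTROL_PROXY_AUTHZ in OpenLDAP's ldap.h.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"


def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def supported_controls(ldif_text):
    """Return the set of supportedControl OIDs found in a root DSE dump."""
    oids = set()
    for line in unfold(ldif_text):
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if attr.strip().lower() != "supportedcontrol":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("ascii")
        oids.add(value.strip())
    return oids


def advertises_proxy_authz(ldif_text):
    """True if the server lists the proxy authorization control."""
    return PROXY_AUTHZ_OID in supported_controls(ldif_text)


# Constructed sample dumps (not captured from any real server).
WITHOUT_PROXY_AUTHZ = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedSASLMechanisms: DIGEST-MD5
"""
WITH_PROXY_AUTHZ = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.
 3.4.18
supportedControl:: MS4zLjYuMS4xLjEy
"""
```

A server whose root DSE does not list the OID gives no indication that it will honour a bind carrying that control, which is the situation the question above describes.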