Ldapdb auxprop plugin, proxy authentication and Active Directory

Dan White dwhite at olp.net
Tue Nov 12 11:37:04 EST 2013


On 11/11/13 16:59 -0800, Henry wrote:
>I am trying to write a custom application that uses cyrus-sasl to
>authenticate on behalf of its users with Active Directory via the ldapdb
>auxprop plugin. I am running in to problems with proxy authentication.
>
>Reading the ldapdb source code, I see the following line in ldapdb_connect:
>
>cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
>
>shortly before ldap_sasl_interactive_bind which fails with error 49
>(invalid credentials).
>
>It seems that Active Directory (up to 2008, at least) doesn't support this
>oid. Is it therefore impossible to use the ldapdb auxprop plugin to
>authenticate against Active Directory? If so, are there alternative
>mechanisms I could use instead?

Other than proxy authentication, you will also need to retrieve the
cleartext password from AD, which is not possible as far as I know (the
userPassword attribute is not retrievable).

Other options that come to mind:

Use saslauthd, with its ldap backend
Use saslauthd, with its pam backend, using an ldap pam module
gienger ldap auxprop plugin (external patch). I'm unsure if this works with
AD.

>My app's sasl conf file follows:
>
>log_level: 65535
>pwcheck_method: auxprop
>auxprop_plugin: ldapdb
>mech_list: PLAIN
>ldapdb_uri: ldap://**********
>ldapdb_id: dn:CN=****,CN=users,DC=****-ad,DC=local
>ldapdb_pw: ****
>ldapdb_mech: DIGEST-MD5
>ldapdb_starttls: try

-- 
Dan White
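As an added illustration of the first alternative Dan lists (not code from the thread or from the cyrus-sasl project): saslauthd with its ldap backend, binding to AD as the user, plus the application's sasl config pointed at saslauthd instead of the ldapdb auxprop plugin. Because saslauthd performs a simple bind with the credentials the client supplied, it needs neither the proxy-authorization control nor a readable password attribute, which sidesteps both problems raised above. The host name, DNs, bind password and file paths are placeholders.

```conf
# /etc/saslauthd.conf (saslauthd ldap backend; every value below is a placeholder)
# Use ldaps:// or ldap_start_tls so the user's cleartext password never crosses the wire unprotected.
ldap_servers: ldaps://dc1.example-ad.local
ldap_start_tls: no
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-ad-ca.pem
ldap_version: 3
# "bind": search for the user with the service account, then bind as the user with the supplied password.
ldap_auth_method: bind
# Low-privilege, read-only service account used only for the initial search.
ldap_bind_dn: CN=saslauthd,CN=Users,DC=example-ad,DC=local
ldap_bind_pw: placeholder-bind-password
ldap_search_base: DC=example-ad,DC=local
ldap_scope: sub
# %u is the login name presented by the client; use (userPrincipalName=%u@%r) if clients send user@realm.
ldap_filter: (sAMAccountName=%u)
ldap_timeout: 5

# /etc/sasl2/myapp.conf (the application's SASL config, replacing the ldapdb settings quoted above)
pwcheck_method: saslauthd
# saslauthd only sees the cleartext password, so only plaintext mechanisms can be offered;
# DIGEST-MD5 cannot work here, for the same reason the ldapdb plugin cannot against AD.
mech_list: PLAIN LOGIN
log_level: 3
```

Start the daemon with `saslauthd -a ldap -O /etc/saslauthd.conf` and verify a login end to end with `testsaslauthd -u someuser -p somepassword` before wiring up the application; since the mechanism is PLAIN, the application itself should accept it only over TLS.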

