Ldapdb auxprop plugin, proxy authentication and Active Directory

Henry henry.robinson at gmail.com
Tue Nov 12 12:35:51 EST 2013


On Tue, Nov 12, 2013 at 8:37 AM, Dan White <dwhite at olp.net> wrote:

> On 11/11/13 16:59 -0800, Henry wrote:
>
>> I am trying to write a custom application that uses cyrus-sasl to
>> authenticate on behalf of its users with Active Directory via the ldapdb
>> auxprop plugin. I am running into problems with proxy authentication.
>>
>> Reading the ldapdb source code, I see the following line in
>> ldapdb_connect:
>>
>> cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
>>
>> shortly before ldap_sasl_interactive_bind which fails with error 49
>> (invalid credentials).
>>
>> It seems that Active Directory (up to 2008, at least) doesn't support this
>> oid. Is it therefore impossible to use the ldapdb auxprop plugin to
>> authenticate against Active Directory? If so, are there alternative
>> mechanisms I could use instead?
>>
>
> Other than proxy authentication, you will also need to retrieve the
> cleartext password from AD, which is not possible as far as I know (the
> userPassword attribute is not retrievable).
>
> Other options that come to mind:
>
> Use saslauthd, with its ldap backend
> Use saslauthd, with its pam backend, using an ldap pam module
> gienger ldap auxprop plugin (external patch). I'm unsure if this works with
> AD.
>
>
Thanks for the quick reply. Unfortunately saslauthd is not practical for
our environment, otherwise that's clearly a preferred route. I also can't
assume GSSAPI, although I'll be sure to allow that if it's available.

I think I'm going to have to write my own auxprop plugin that does the
following (which is hopefully possible in some form):

1. Binds as a standard service user.
2. Retrieves the DN for the user to be authenticated.
3. Binds as that user using the retrieved DN and user-supplied password.

Thanks for the pointers to the gienger auxprop plugin. At the very least
that will work as a starting point for the plugin I may have to write.

Henry


>
>> My app's sasl conf file follows:
>>
>> log_level: 65535
>> pwcheck_method: auxprop
>> auxprop_plugin: ldapdb
>> mech_list: PLAIN
>> ldapdb_uri: ldap://**********
>> ldapdb_id: dn:CN=****,CN=users,DC=****-ad,DC=local
>> ldapdb_pw: ****
>> ldapdb_mech: DIGEST-MD5
>> ldapdb_starttls: try
>>
>
> --
> Dan White
>
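The three-step bind-search-bind flow Henry sketches above (service bind, look up the user's DN, bind again with the user's own password), as an added example; this is not code from cyrus-sasl, ldapdb, the gienger plugin, or anyone in the thread. The directory, its entries, the service account name and the passwords are all constructed so the block runs offline; a small in-memory fake stands in for Active Directory and implements only simple bind and the one search the plugin needs. Two details a real plugin gets wrong easily are built in: the login name is escaped before it goes into the search filter (RFC 4515), and an empty password is refused before step 3, because a simple bind with a DN and no password is an unauthenticated bind that AD and most other servers accept as anonymous.

```python
"""Search-then-bind authentication against an LDAP directory.

Added example, not code from cyrus-sasl or ldapdb. A constructed in-memory
directory stands in for Active Directory; against a real server,
python-ldap's simple_bind_s()/search_s() or libldap's ldap_sasl_bind_s()/
ldap_search_ext_s() would play the same two roles as simple_bind()/search().
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 4515 escaping for values placed inside a search filter. Without it a
# username such as "*" or "x)(objectClass=*" rewrites the filter itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def authenticate(connect, username: str, password: str, *,
                 base_dn: str, service_dn: str, service_pw: str) -> bool:
    """Steps 1-3 from the message: service bind, DN lookup, user bind."""
    # RFC 4513 s.5.1.2: a DN with an empty password is an *unauthenticated*
    # bind, which servers (AD included) accept as anonymous. Refuse it here,
    # or step 3 returns success for any known username.
    if password == "":
        return False
    # 1. Bind as the service account.
    svc = connect()
    if not svc.simple_bind(service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    # 2. Resolve the login name to exactly one DN. The filter value is
    #    escaped, so the user cannot turn the lookup into a wildcard search.
    filt = f"(&(objectClass=user)(sAMAccountName={escape_filter(username)}))"
    matches = svc.search(base_dn, filt)
    if len(matches) != 1:
        return False
    # 3. Bind as the user on a fresh connection, so the service account's
    #    connection keeps its identity for the next lookup.
    return connect().simple_bind(matches[0], password)


# ---- constructed stand-in for the directory server (not real AD) ----------

_FILTER_PREFIX = "(&(objectClass=user)(sAMAccountName="
_FILTER_SUFFIX = "))"


def _value_to_regex(value: str) -> str:
    """RFC 4515 semantics: bare '*' is a wildcard, backslash-hex is a literal."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(value[i]))
            i += 1
    return "".join(out)


@dataclass
class FakeDirectory:
    """DN -> (sAMAccountName, password). Constructed test data."""
    entries: dict


@dataclass
class FakeConnection:
    directory: FakeDirectory

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":  # unauthenticated bind: "succeeds" as anonymous
            return True
        entry = self.directory.entries.get(dn)
        return entry is not None and entry[1] == password

    def search(self, base_dn: str, filt: str) -> list[str]:
        # Understands only the filter shape authenticate() builds.
        if not (filt.startswith(_FILTER_PREFIX) and filt.endswith(_FILTER_SUFFIX)):
            raise ValueError("fake directory: unsupported filter")
        value = filt[len(_FILTER_PREFIX):-len(_FILTER_SUFFIX)]
        pat = re.compile(_value_to_regex(value), re.IGNORECASE)  # AD compares case-insensitively
        return [dn for dn, (sam, _pw) in self.directory.entries.items()
                if dn.lower().endswith(base_dn.lower()) and pat.fullmatch(sam)]


DEMO_BASE_DN = "DC=example,DC=local"
DEMO_DIRECTORY = FakeDirectory({
    "CN=svc-sasl,CN=Users,DC=example,DC=local": ("svc-sasl", "service-secret"),
    "CN=Henry,CN=Users,DC=example,DC=local": ("henry", "hunter2"),
    "CN=Dan,CN=Users,DC=example,DC=local": ("dan", "correct-horse"),
})


def connect_demo() -> FakeConnection:
    return FakeConnection(DEMO_DIRECTORY)


def demo_authenticate(username: str, password: str) -> bool:
    return authenticate(connect_demo, username, password, base_dn=DEMO_BASE_DN,
                        service_dn="CN=svc-sasl,CN=Users,DC=example,DC=local",
                        service_pw="service-secret")


if __name__ == "__main__":
    for user, pw in [("henry", "hunter2"), ("henry", ""), ("*", "hunter2")]:
        print(user, repr(pw), demo_authenticate(user, pw))
```

Two practical notes for the real thing. Simple binds send the password in the clear, so the connection has to be LDAPS or StartTLS (the ldapdb_starttls: try in the config above would silently fall back to plaintext if the server refused TLS; "demand" is the safer setting). And AD specifically accepts a simple bind with a userPrincipalName (user@domain) or DOMAIN\user in place of a DN, so against AD step 2 can be skipped if you only need the bind to succeed; the search is still worth keeping when the plugin has to return attributes or confirm the account is the one you expect.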