On Tue, Nov 12, 2013 at 8:37 AM, Dan White <dwh...@olp.net> wrote:

> On 11/11/13 16:59 -0800, Henry wrote:
>
>> I am trying to write a custom application that uses cyrus-sasl to
>> authenticate on behalf of its users with Active Directory via the ldapdb
>> auxprop plugin. I am running into problems with proxy authentication.
>>
>> Reading the ldapdb source code, I see the following line in
>> ldapdb_connect:
>>
>> cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
>>
>> shortly before ldap_sasl_interactive_bind which fails with error 49
>> (invalid credentials).
>>
>> It seems that Active Directory (up to 2008, at least) doesn't support this
>> OID. Is it therefore impossible to use the ldapdb auxprop plugin to
>> authenticate against Active Directory? If so, are there alternative
>> mechanisms I could use instead?
>
> Other than proxy authentication, you will also need to retrieve the
> cleartext password from AD, which is not possible as far as I know (the
> userPassword attribute is not retrievable).
>
> Other options that come to mind:
>
> Use saslauthd, with its ldap backend
> Use saslauthd, with its pam backend, using an ldap pam module
> gienger ldap auxprop plugin (external patch). I'm unsure if this works with
> AD.

Thanks for the quick reply. Unfortunately saslauthd is not practical for our environment, otherwise that's clearly a preferred route. I also can't assume GSSAPI, although I'll be sure to allow that if it's available.

I think I'm going to have to write my own auxprop plugin that does the following (which is hopefully possible in some form):

1. Binds as a standard service user.
2. Retrieves the DN for the user to be authenticated.
3. Binds as that user using the retrieved DN and user-supplied password.

Thanks for the pointers to the gienger auxprop plugin. At the very least that will work as a starting point for the plugin I may have to write.

Henry

>> My app's sasl conf file follows:
>>
>> log_level: 65535
>> pwcheck_method: auxprop
>> auxprop_plugin: ldapdb
>> mech_list: PLAIN
>> ldapdb_uri: ldap://**********
>> ldapdb_id: dn:CN=****,CN=users,DC=****-ad,DC=local
>> ldapdb_pw: ****
>> ldapdb_mech: DIGEST-MD5
>> ldapdb_starttls: try
>
> --
> Dan White
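The three-step search-then-bind flow Henry outlines, as an added example that is not from the thread, from cyrus-sasl or from the gienger plugin. It runs against a constructed in-memory stand-in for the directory (FakeDirectory, sAMAccountName as the lookup attribute and the DNs are all assumptions) so it can be exercised offline, and it adds the two checks a plugin doing this needs: the username is escaped before it goes into the search filter, and an empty password is refused up front, because a simple bind with an empty password is an unauthenticated (anonymous) bind that AD accepts.

```python
import re


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class FakeDirectory:
    """Constructed stand-in for an AD/LDAP server: {dn: {attr: value, "password": pw}}."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        # RFC 4513: a bind with an empty password is an *unauthenticated* bind, which
        # AD and many other servers accept as anonymous, so it must never count as a login.
        if dn not in self.entries or password == "":
            return False
        return self.entries[dn]["password"] == password

    def search(self, filt):
        """Support only '(attr=value)' filters: '*' is a wildcard, '\\xx' a literal byte."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("unsupported filter: %r" % filt)
        attr, pattern = m.groups()
        rx = ""
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", pattern):
            if tok == "*":
                rx += ".*"
            elif tok.startswith("\\"):
                rx += re.escape(chr(int(tok[1:], 16)))
            else:
                rx += re.escape(tok)
        return [dn for dn, e in self.entries.items() if re.fullmatch(rx, e.get(attr, ""))]


def authenticate(directory, service_dn, service_pw, username, password):
    """1) bind as the service user, 2) look up the user's DN, 3) bind as that DN."""
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError("service bind failed")
    if password == "":
        return False  # refuse here so an empty password never reaches step 3 as an anonymous bind
    filt = "(sAMAccountName=%s)" % escape_filter_value(username)
    hits = directory.search(filt)
    if len(hits) != 1:
        return False  # no such user, or an ambiguous match
    return directory.bind(hits[0], password)
```

With a real client the same two calls (search as the service account, then bind as the returned DN) replace FakeDirectory; the escaping and the empty-password check stay as they are.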