On 31/03/10 11:08 +0200, Geoff wrote:
> On 31/03/2010 10:34, Howard Chu wrote:
>> Geoff wrote:
>>> [...]
>>> I'm wondering if the IT gave me the right access on AD...
>>> The ldap search is not returning any userPassword or unicodePwd field
>>> (AD equivalent of ldap userPassword as I found on the web).
>>> Should an ldap search return one of these fields if I had sufficient
>>> access?
>> No, ActiveDirectory never returns this information through LDAP.
> Thanks for such a rapid answer :)
> Then I'll have to find out where the bug is in my conf.
I did a pcap trace of the interaction between saslauthd and Active
Directory.
With the config I previously posted (ldap_auth_method: bind), saslauthd:
* Binds to the LDAP server using a simple bind, with the specified "dn" and
password
* Searches for the user's entry using the specified base and filter, or the
equivalent of:
ldapsearch -x -H ldap://192.0.2.1 -D Administrator@xxxxxxxxxxx -w \
secret -b OU=Users,OU=BTC,dc=example,dc=com "(sAMAccountName=dan)" dn
dn: CN=Dan White,OU=Screen saver immunity,OU=Users,OU=BTC,DC=example,DC=com
* Performs a 2nd simple bind, using the dn returned from the search, and
password that was specified by the user, such as:
ldapsearch -x -H ldap://192.0.2.1 -D "CN=Dan White,OU=Screen saver \
immunity,OU=Users,OU=BTC,DC=example,DC=com" -w usersecret -b \
OU=Users,OU=BTC,dc=example,dc=com
It doesn't really specify a base, but I specified it for the ldapsearch
command to return results.
So apparently if the second bind succeeds, then saslauthd returns success.
--
Dan White
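The three steps Dan describes, as an added example that is not part of the thread and not saslauthd's or OpenLDAP's code: a bind-search-bind authenticator in Python run against a constructed in-memory stand-in for Active Directory (no network, no LDAP library). The directory contents, the Administrator DN and the `%u` filter placeholder are assumptions; the search base, Dan White's DN and the passwords `secret` / `usersecret` are taken from the thread. Around the flow it adds two checks a practitioner would want: the username is escaped per RFC 4515 before it is substituted into the filter, and an empty user password is refused before the second bind, because RFC 4513 treats a DN with an empty password as an unauthenticated bind, which Active Directory accepts by default.

```python
"""Bind-search-bind authentication, as saslauthd's ldap_auth_method: bind
does it, run against a constructed in-memory stand-in for Active Directory.
Added example; not saslauthd's or OpenLDAP's code, and no network is used."""

import re
from typing import List, Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_SIMPLE_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string before substituting it into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape_filter_value(value: str) -> str:
    """Undo RFC 4515 backslash-hex escapes (used only by the fake server)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


class FakeDirectory:
    """Tiny stand-in for an AD DSA: simple bind plus one-attribute subtree search.

    simple_bind models RFC 4513 section 5.1.2: a DN with an empty password is
    an *unauthenticated* bind, which Active Directory accepts by default.
    """

    def __init__(self, entries, passwords):
        self.entries = entries        # dn -> attributes (constructed)
        self.passwords = passwords    # dn -> password   (constructed)

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            return True  # unauthenticated bind "succeeds" for any DN
        return self.passwords.get(dn) == password

    def search(self, base: str, filter_str: str) -> List[str]:
        """Return the DNs under `base` matching a filter of the form (attr=value)."""
        m = _SIMPLE_FILTER.match(filter_str)
        if not m:
            raise ValueError("unsupported filter: " + filter_str)
        attr, value = m.group(1).lower(), _unescape_filter_value(m.group(2))
        suffix = "," + base.lower()
        return [
            dn for dn, attrs in self.entries.items()
            if dn.lower().endswith(suffix)
            and {k.lower(): v for k, v in attrs.items()}.get(attr) == value
        ]


def authenticate(directory: FakeDirectory, bind_dn: str, bind_pw: str,
                 base: str, filter_template: str,
                 username: str, password: str) -> Optional[str]:
    """Return the user's DN if all three steps succeed, else None."""
    if password == "":
        return None  # never forward an empty password: it would bind unauthenticated
    # Step 1: bind as the service account (ldap_bind_dn / ldap_password).
    if not directory.simple_bind(bind_dn, bind_pw):
        return None
    # Step 2: locate the user's entry; %u is the username, escaped per RFC 4515.
    flt = filter_template.replace("%u", escape_filter_value(username))
    matches = directory.search(base, flt)
    if len(matches) != 1:
        return None  # unknown user, or an ambiguous filter: both are failures
    # Step 3: bind again as the user with the password the user supplied.
    user_dn = matches[0]
    return user_dn if directory.simple_bind(user_dn, password) else None


# Constructed directory mirroring the names used in the thread.
BASE = "OU=Users,OU=BTC,DC=example,DC=com"
ADMIN_DN = "CN=Administrator,CN=Users,DC=example,DC=com"  # assumed service account DN
DAN_DN = "CN=Dan White,OU=Screen saver immunity,OU=Users,OU=BTC,DC=example,DC=com"
DIRECTORY = FakeDirectory(
    entries={
        DAN_DN: {"sAMAccountName": "dan"},
        "CN=svc one,OU=Users,OU=BTC,DC=example,DC=com": {"sAMAccountName": "svc"},
        "CN=svc two,OU=Users,OU=BTC,DC=example,DC=com": {"sAMAccountName": "svc"},
    },
    passwords={ADMIN_DN: "secret", DAN_DN: "usersecret"},
)


def check(username: str, password: str) -> Optional[str]:
    """Run the saslauthd-style flow with the thread's base and filter."""
    return authenticate(DIRECTORY, ADMIN_DN, "secret", BASE,
                        "(sAMAccountName=%u)", username, password)


if __name__ == "__main__":
    for user, pw in [("dan", "usersecret"), ("dan", "wrong"), ("dan", ""), ("svc", "x")]:
        print(f"{user!r}/{pw!r} -> {check(user, pw)}")
```

The `len(matches) != 1` test is deliberate: with ldap_auth_method: bind the only thing that proves the password is the second bind, so the search must yield exactly one DN to bind against, and a filter that matches two entries (the two constructed `svc` accounts) is treated as a failure rather than binding as whichever entry came first.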