On 11/11/13 16:59 -0800, Henry wrote:
I am trying to write a custom application that uses cyrus-sasl to authenticate on behalf of its users with Active Directory via the ldapdb auxprop plugin. I am running in to problems with proxy authentication. Reading the ldapdb source code, I see the following line in ldapdb_connect: cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; shortly before ldap_sasl_interactive_bind which fails with error 49 (invalid credentials). It seems that Active Directory (up to 2008, at least) doesn't support this oid. Is it therefore impossible to use the ldapdb auxprop plugin to authenticate against Active Directory? If so, are there alternative mechanisms I could use instead?
Other than proxy authentication, you will also need to retrieve the cleartext password from AD, which is not possible as far as I know (the userPassword attribute is not retrievable). Other options that come to mind: Use saslauthd, with its ldap backend Use saslauthd, with it's pam backend, using an ldap pam module gienger ldap auxprop plugin (external patch). I'm unsure if this works with AD.
My app's sasl conf file follows: log_level: 65535 pwcheck_method: auxprop auxprop_plugin: ldapdb mech_list: PLAIN ldapdb_uri: ldap://********** ldapdb_id: dn:CN=****,CN=users,DC=****-ad,DC=local ldapdb_pw: **** ldapdb_mech: DIGEST-MD5 ldapdb_starttls: try
-- Dan White
