Re: Ldapdb auxprop plugin, proxy authentication and Active Directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 11/11/13 16:59 -0800, Henry wrote:
I am trying to write a custom application that uses cyrus-sasl to
authenticate on behalf of its users with Active Directory via the ldapdb
auxprop plugin. I am running in to problems with proxy authentication.

Reading the ldapdb source code, I see the following line in ldapdb_connect:

cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;

shortly before ldap_sasl_interactive_bind which fails with error 49
(invalid credentials).

It seems that Active Directory (up to 2008, at least) doesn't support this
oid. Is it therefore impossible to use the ldapdb auxprop plugin to
authenticate against Active Directory? If so, are there alternative
mechanisms I could use instead?

Other than proxy authentication, you will also need to retrieve the
cleartext password from AD, which is not possible as far as I know (the
userPassword attribute is not retrievable).

Other options that come to mind:

Use saslauthd, with its ldap backend
Use saslauthd, with it's pam backend, using an ldap pam module
gienger ldap auxprop plugin (external patch). I'm unsure if this works with

My app's sasl conf file follows:

log_level: 65535
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN
ldapdb_uri: ldap://**********
ldapdb_id: dn:CN=****,CN=users,DC=****-ad,DC=local
ldapdb_pw: ****
ldapdb_mech: DIGEST-MD5
ldapdb_starttls: try

Dan White

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux