From: Jeremy Rumpf (jrumpf at heavyload dot net)
Date: Tue Mar 23 2004 - 14:39:43 EST
On Tuesday 23 March 2004 12:18 pm, Andreas wrote:
> On Tue, Mar 23, 2004 at 09:02:19AM -0500, Etienne Goyer wrote:
> > On Tue, Mar 23, 2004 at 09:21:04AM +0100, Morten Olsen wrote:
> > > AD does not allow simple binds. You need to use Kerberos/GSSAPI (on the
> > > server
> >
> > Not true. I am not an AD person either, but I do simple bind to an AD
>
> Correct. AD just doesn't like anonymous binds, and just won't allow clear
> text connections for operations like password changing if I'm not mistaken.
I'm not an AD person either, but this has been my experience as well. AD does
not allow anonymous binds, but will allow simple binds for searches. For
advanced stuff, like changing passwords, you have to go beyond simple binds
and use KRB/GSSAPI auth.
The key is to add a normal user to the system, then strip down its security
privs (no console logons, etc). Then in the AD admin tool, right click on the
folder that corresponds to the base_dn you'll be querying. There's an option
called something like "delegation" IIRC. Add the designated user you've
created and delegate it "read" privs on that section of the AD tree.
You should now be able to do a simple bind using the DN of the read only user.
This will allow saslauthd to work using the "bind" ldap_auth_method.
"fastbind" method may be possible to get working, but I've never done it
personally.
Cheers,
Jeremy
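As an added illustration (not part of the original message or of the Cyrus SASL project's own documentation), this is what a saslauthd.conf for the "bind" ldap_auth_method described above looks like. saslauthd first binds with the read-only delegated account to locate the user's entry under the search base, then re-binds as that entry with the password being checked. The server name, base DN, account name, password and CA file are placeholder values to be replaced with your own.

```conf
# saslauthd.conf -- LDAP backend against Active Directory (example, not from the list post)
# Start saslauthd with "-a ldap" so this file is used.

# Placeholder: your domain controller(s), space separated.
ldap_servers: ldap://dc1.example.internal/

# Protect the delegated account's password and the user's password in transit.
# STARTTLS upgrades the connection; AD will refuse a simple bind in the clear
# for some operations anyway, as discussed in the thread.
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-internal-ca.pem   # placeholder path

# The read-only account created and delegated "read" rights on this subtree.
# Give it no interactive logon rights; it only needs to search.
ldap_bind_dn: CN=saslauthd-ro,OU=Service Accounts,DC=example,DC=internal   # placeholder DN
ldap_bind_pw: CHANGEME-placeholder-password

# Subtree the account was delegated rights over.
ldap_search_base: OU=People,DC=example,DC=internal   # placeholder base DN
ldap_scope: sub

# Search for the user's entry; %u is the login name saslauthd received.
ldap_filter: (sAMAccountName=%u)

# "bind": search as the read-only account, then bind as the found DN with the
# user's own password. This is the method the message above gets working.
ldap_auth_method: bind
```

Keep the file readable only by root (saslauthd reads it before dropping privileges), since it carries the service account's password. With "fastbind" saslauthd skips the search and binds directly as a DN built from the filter, so it needs no delegated account but does require that the user's DN can be constructed from the login name alone; that is the step the thread leaves as untested.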