Re: Cyrus-SASL using LDAP

From: Jeremy Rumpf (jrumpf at heavyload dot net)
Date: Tue Mar 23 2004 - 14:39:43 EST

  • Next message: Jeremy Rumpf: "Re: Problem Creating sasldb2"

On Tuesday 23 March 2004 12:18 pm, Andreas wrote:
> On Tue, Mar 23, 2004 at 09:02:19AM -0500, Etienne Goyer wrote:
> > On Tue, Mar 23, 2004 at 09:21:04AM +0100, Morten Olsen wrote:
> > > AD does not allow simple binds. You need to use Kerberos/GSSAPI (on the
> > > server
> >
> > Not true. I am not an AD person either, but I do simple bind to an AD
>
> Correct. AD just doesn't like anonymous binds, and just won't allow clear
> text connections for operations like password changing if I'm not mistaken.

I'm not an AD person either, but this has been my experience as well. AD does
not allow anonymous binds, but will allow simple binds for searches. For
advanced stuff, like changing passwords, you have to go beyond simple binds
and use KRB/GSSAPI auth.

The key is to add a normal user to the system, then strip down its security
privs (no console logons, etc). Then in the AD admin tool, right click on the
folder that corresponds to the base_dn you'll be querying. There's an option
called something like "delegation" IIRC. Add the designated user you've
created and delegate it "read" privs on that section of the AD tree.

You should now be able to do a simple bind using the DN of the read-only user.
This will allow saslauthd to work using the "bind" ldap_auth_method.
"fastbind" method may be possible to get working, but I've never done it
personally.

Cheers,
Jeremy
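The read-only bind account Jeremy describes only stays read-only if its password is not exposed on the wire and saslauthd actually uses the "bind" method with a named DN. Below is an added example (not from the thread or the Cyrus SASL project) that parses a constructed saslauthd.conf and flags the settings that undermine that setup; the option names are assumed to follow the LDAP_SASLAUTHD documentation and should be checked against your saslauthd version.

```python
"""Sanity-check a saslauthd LDAP config for the AD "bind" setup above.

Reports: a non-"bind" ldap_auth_method, an empty bind DN (anonymous bind,
which AD rejects), a simple bind over ldap:// without STARTTLS (the
read-only user's password would cross the wire in clear text), and a
missing peer certificate check.
"""
from typing import Dict, List

# Constructed sample config, not a real deployment. Key names are assumed to
# match the LDAP_SASLAUTHD documentation for this saslauthd version.
SAMPLE_CONF = """\
ldap_servers: ldap://dc1.example.test
ldap_auth_method: bind
ldap_bind_dn: CN=saslro,OU=Service Accounts,DC=example,DC=test
ldap_bind_pw: REPLACE_ME
ldap_search_base: OU=People,DC=example,DC=test
ldap_filter: (sAMAccountName=%u)
ldap_start_tls: no
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Parse saslauthd.conf lines of the form `key: value`; skip blanks and comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf

def check_conf(conf: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the bind setup looks sound."""
    findings: List[str] = []
    method = conf.get("ldap_auth_method", "bind").lower()  # saslauthd defaults to bind
    if method != "bind":
        findings.append(f"ldap_auth_method={method}: use 'bind' with a delegated read-only DN")
    if not conf.get("ldap_bind_dn"):
        findings.append("ldap_bind_dn missing: anonymous bind, which AD rejects")
    servers = conf.get("ldap_servers", "").split()
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    if any(s.startswith("ldap://") for s in servers) and not start_tls:
        findings.append("simple bind over ldap:// without ldap_start_tls: password sent in clear text")
    if conf.get("ldap_tls_check_peer", "no").lower() != "yes":
        findings.append("ldap_tls_check_peer not 'yes': server certificate is not verified")
    return findings

if __name__ == "__main__":
    for finding in check_conf(parse_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```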

