[Freeipa-users] NTLM SASL?

Brian Candler b.candler at pobox.com
Thu Dec 22 11:42:01 UTC 2016


Question: does FreeIPA (or specifically the 389 directory server) 
implement the NTLM SASL mechanism?

It appears not at first attempt:

# yum install cyrus-sasl-ntlm
# ldapsearch -Y NTLM
SASL/NTLM authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
     additional info: sasl mechanism not supported

Now, under cn=config, I see:

     nsslapd-allowed-sasl-mechanisms:

(i.e. empty).

I tried changing this to "NTLM" and it accepted the change. If I try 
changing it to "ntlm" I get "Server is unwilling to perform" - which is 
a good sign, since clearly "NTLM" is valid.

However even after restarting the server, I still get "sasl mechanism 
not supported" when I try the bind.

-=-=-=-

The reason I'm asking: I'm using FreeRADIUS for MSCHAP authentication, 
and one of the things MSCHAP supports is a password change feature for 
expired passwords. FreeRADIUS lets me shell out to an external process 
to perform the password change:

                 local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd '%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' '%{control:NT-Password}'"

Now, the last argument is the user's *old* NTLM password hash. So 
ideally I would use this to authenticate to the FreeIPA server to 
perform the password change - this would avoid the freeipa-passwd script 
having to have any privileged credentials of its own.

But the only way I can think of doing that would be via a SASL NTLM bind.

Regards,

Brian.
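The "sasl mechanism not supported" error in the post means the server did not offer NTLM in the mechanism list it advertises; nsslapd-allowed-sasl-mechanisms can only narrow the set of mechanisms the Cyrus SASL library on the server side already provides, it cannot add one. The standard way to see what a 389-ds server actually offers is to read supportedSASLMechanisms from its rootDSE. The script below is an added example, not code from the original post or from FreeIPA: it parses that rootDSE output and reports whether a given mechanism is advertised. The live query function assumes ldapsearch from openldap-clients and a hypothetical server URI passed in LDAP_URI; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check which SASL mechanisms an
# LDAP server actually advertises in its rootDSE, and whether a given one
# (e.g. NTLM) is among them. Needs ldapsearch from openldap-clients for the
# live query; the parsing/check functions run offline on LDIF text.

# Query the rootDSE anonymously for supportedSASLMechanisms.
# $1 = LDAP URI, e.g. ldap://ipa.example.test (hypothetical host name).
fetch_sasl_mechs() {
    ldapsearch -x -LLL -H "$1" -s base -b "" supportedSASLMechanisms
}

# Read LDIF on stdin and print the advertised mechanisms, one per line.
parse_sasl_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Succeed (exit 0) if mechanism $2 appears in the LDIF text $1, else fail.
mech_advertised() {
    printf '%s\n' "$1" | parse_sasl_mechs | grep -qx "$2"
}

# Constructed sample rootDSE output, shaped like a default FreeIPA 389-ds
# reply; NTLM is deliberately absent, which is what the post's bind error means.
SAMPLE_LDIF='dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN'

# Report on the sample; if LDAP_URI is set, also check the live server.
for mech in GSSAPI NTLM; do
    if mech_advertised "$SAMPLE_LDIF" "$mech"; then
        echo "sample: $mech advertised"
    else
        echo "sample: $mech NOT advertised (a bind with -Y $mech will fail)"
    fi
done
if [ -n "${LDAP_URI:-}" ]; then
    if mech_advertised "$(fetch_sasl_mechs "$LDAP_URI")" NTLM; then
        echo "$LDAP_URI: NTLM advertised"
    else
        echo "$LDAP_URI: NTLM NOT advertised"
    fi
fi
```

Run it as `LDAP_URI=ldap://your-ipa-server sh check-sasl.sh` against a real server; if NTLM is not in the printed list, editing nsslapd-allowed-sasl-mechanisms will not make the -Y NTLM bind succeed, and the server-side SASL plugin set is what needs attention.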