[Freeipa-users] NTLM SASL?

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 22 12:36:47 UTC 2016

On Thu, 22 Dec 2016, Brian Candler wrote:
>Question: does FreeIPA (or specifically the 389 directory server) 
>implement the NTLM SASL mechanism?
No, it doesn't. Even if you install the cyrus-sasl-ntlm module, 389-ds will
not be able to authenticate:
[22/Dec/2016:14:16:08.920773153 +0200] conn=20 fd=109 slot=109 SSL connection from to
[22/Dec/2016:14:16:08.926439405 +0200] conn=20 TLS1.2 128-bit AES
[22/Dec/2016:14:16:08.929793115 +0200] conn=20 op=0 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:08.930458789 +0200] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Dec/2016:14:16:11.841985315 +0200] conn=20 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:11.843719821 +0200] conn=20 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure: 
[22/Dec/2016:14:16:11.843761905 +0200] conn=20 op=2 UNBIND
[22/Dec/2016:14:16:11.843771888 +0200] conn=20 op=2 fd=109 closed - U1

The reason for that is due to how SASL support is implemented in 389-ds:
it only supports those SASL mechanisms which don't require direct
access to the userPassword attribute (GSSAPI). Alternatively, if
userPassword contains a clear-text password, those SASL mechanisms that
require access to the clear text password will also work.

FreeIPA does not store clear text password, so no chance for SASL

>The reason I'm asking: I'm using FreeRADIUS for MSCHAP authentication, 
>and one of the things MSCHAP supports is a password change feature for 
>expired passwords. FreeRADIUS lets me shell out to an external process 
>to perform the password change:
>                local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd 
>'%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' 
>Now, the last argument is the user's *old* NTLM password hash. So 
>ideally I would use this to authenticate to the FreeIPA server to 
>perform the password change - this would avoid the freeipa-passwd 
>script having to have any privileged credentials of its own.
>But the only way I can think of doing that would be via a SASL NTLM bind.
Sorry, this is not going to work.

/ Alexander Bokovoy
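
The access-log excerpt in the message above shows the pattern to look for when a client attempts an unsupported SASL mechanism: an intermediate `err=14` step followed by a final `err=49`. The following is an added example, not part of the original message or of the 389-ds or FreeIPA code; it pairs each SASL BIND with its final RESULT by `conn`/`op` and counts failures per mechanism. The function names are hypothetical, and the `conn=21` lines are constructed for contrast.

```python
import re
from collections import Counter

# conn=20 lines are the access-log lines quoted in the message above;
# conn=21 is a constructed GSSAPI bind added for contrast.
SAMPLE_LOG = '''\
[22/Dec/2016:14:16:08.929793115 +0200] conn=20 op=0 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:08.930458789 +0200] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Dec/2016:14:16:11.841985315 +0200] conn=20 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:11.843719821 +0200] conn=20 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[22/Dec/2016:14:16:20.000000000 +0200] conn=21 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Dec/2016:14:16:20.100000000 +0200] conn=21 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test"
'''

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=sasl .*?mech=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
SASL_IN_PROGRESS = 14  # LDAP saslBindInProgress: an intermediate step, not an outcome


def sasl_bind_outcomes(log_text):
    """Pair each SASL BIND with its RESULT via (conn, op); skip err=14 steps."""
    pending, outcomes = {}, []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[(m[1], m[2])] = (m[3], m[4])
        elif m := RESULT_RE.search(line):
            bind = pending.pop((m[1], m[2]), None)
            err = int(m[3])
            if bind and err != SASL_IN_PROGRESS:
                outcomes.append({"conn": int(m[1]), "dn": bind[0],
                                 "mech": bind[1], "err": err})
    return outcomes


def failed_mechs(outcomes):
    """Count failed SASL binds per mechanism (err=49 is invalidCredentials)."""
    return Counter(o["mech"] for o in outcomes if o["err"] != 0)


if __name__ == "__main__":
    results = sasl_bind_outcomes(SAMPLE_LOG)
    for r in results:
        print(r)
    print(failed_mechs(results))
```
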
