Question: does FreeIPA (or specifically the 389 directory server) implement the NTLM SASL mechanism?

It appears not at first attempt:

# yum install cyrus-sasl-ntlm
# ldapsearch -Y NTLM
SASL/NTLM authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
    additional info: sasl mechanism not supported

Now, under cn=config, I see:


(i.e. empty).

I tried changing this to "NTLM" and it accepted the change. If I try changing it to "ntlm" I get "Server is unwilling to perform" - which is a good sign, since clearly "NTLM" is valid.

However even after restarting the server, I still get "sasl mechanism not supported" when I try the bind.


The reason I'm asking: I'm using FreeRADIUS for MSCHAP authentication, and one of the things MSCHAP supports is a password change feature for expired passwords. FreeRADIUS lets me shell out to an external process to perform the password change:

local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd '%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' '%{control:NT-Password}'}"

Now, the last argument is the user's *old* NTLM password hash. So ideally I would use this to authenticate to the FreeIPA server to perform the password change - this would avoid the freeipa-passwd script having to have any privileged credentials of its own.

But the only way I can think of doing that would be via a SASL NTLM bind.


