On Thu, 22 Dec 2016, Brian Candler wrote:
> Question: does FreeIPA (or specifically the 389 directory server) implement the NTLM SASL mechanism?
No, it doesn't. Even if you install cyrus-sasl-ntlm module, 389-ds will
not be able to authenticate:
[22/Dec/2016:14:16:08.920773153 +0200] conn=20 fd=109 slot=109 SSL connection from to
[22/Dec/2016:14:16:08.926439405 +0200] conn=20 TLS1.2 128-bit AES
[22/Dec/2016:14:16:08.929793115 +0200] conn=20 op=0 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3
[22/Dec/2016:14:16:08.930458789 +0200] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Dec/2016:14:16:11.841985315 +0200] conn=20 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3
[22/Dec/2016:14:16:11.843719821 +0200] conn=20 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[22/Dec/2016:14:16:11.843761905 +0200] conn=20 op=2 UNBIND
[22/Dec/2016:14:16:11.843771888 +0200] conn=20 op=2 fd=109 closed - U1

The reason for that is due to how SASL support is implemented in 389-ds:
it only supports those SASL mechanisms which don't require direct
access to the userPassword attribute (GSSAPI). Alternatively, if
userPassword contains a clear-text password, those SASL mechanisms that
require access to the clear text password will also work.

FreeIPA does not store clear-text passwords, so no chance for SASL


> The reason I'm asking: I'm using FreeRADIUS for MSCHAP authentication, and one of the things MSCHAP supports is a password change feature for expired passwords. FreeRADIUS lets me shell out to an external process to perform the password change:
>
> local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd '%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' '%{control:NT-Password}'"
>
> Now, the last argument is the user's *old* NTLM password hash. So ideally I would use this to authenticate to the FreeIPA server to perform the password change - this would avoid the freeipa-passwd script having to have any privileged credentials of its own.
>
> But the only way I can think of doing that would be via a SASL NTLM bind.
Sorry, this is not going to work.

/ Alexander Bokovoy
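As an added example (not from this thread, and not FreeIPA or 389-ds code), the Python script below walks a 389-ds access log and reports SASL binds that ended in failure. It ties the multi-op exchange in the log above back together: op=0 ends in err=14 (saslBindInProgress, the server wants another round trip), op=1 ends in err=49 with the SASL(-14) authorization failure, and only the final RESULT decides the outcome. The sample log is constructed from the excerpt in the thread; the mech= field on the BIND lines, the placeholder IP addresses and the second, successful GSSAPI connection are assumptions added for illustration, and the parser tolerates BIND lines that carry no mech= at all.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log, patterned on the 389-ds access log excerpt in the thread.
# Assumptions: mech= on BIND lines, placeholder IPs, and a second conn=21 that
# completes a GSSAPI bind successfully so the audit has a non-failure to compare.
SAMPLE_LOG = """\
[22/Dec/2016:14:16:08.920773153 +0200] conn=20 fd=109 slot=109 SSL connection from 192.0.2.10 to 192.0.2.1
[22/Dec/2016:14:16:08.926439405 +0200] conn=20 TLS1.2 128-bit AES
[22/Dec/2016:14:16:08.929793115 +0200] conn=20 op=0 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:08.930458789 +0200] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Dec/2016:14:16:11.841985315 +0200] conn=20 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:11.843719821 +0200] conn=20 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[22/Dec/2016:14:16:11.843761905 +0200] conn=20 op=2 UNBIND
[22/Dec/2016:14:16:11.843771888 +0200] conn=20 op=2 fd=109 closed - U1
[22/Dec/2016:14:17:01.000000000 +0200] conn=21 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Dec/2016:14:17:01.001000000 +0200] conn=21 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Dec/2016:14:17:01.002000000 +0200] conn=21 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Dec/2016:14:17:01.003000000 +0200] conn=21 op=1 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))?\s*(?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)(?P<tail>.*)$')
SASL_MSG_RE = re.compile(r'SASL\((?P<code>-?\d+)\):\s*(?P<msg>.*?):?\s*$')

SASL_IN_PROGRESS = 14   # LDAP saslBindInProgress: mechanism needs another round trip
INVALID_CREDENTIALS = 49


@dataclass
class SaslBind:
    conn: int
    dn: str
    mech: Optional[str]
    ops: List[int] = field(default_factory=list)   # every op that belonged to this exchange
    err: Optional[int] = None                      # final LDAP result code, None if never finished
    detail: str = ""                               # SASL message from the final RESULT, if any

    @property
    def failed(self) -> bool:
        # A bind that never reached a final RESULT (client hung up) counts as failed too.
        return self.err != 0


def audit_sasl_binds(log_text: str) -> List[SaslBind]:
    """Group multi-op SASL bind exchanges per connection and record how each ended."""
    finished: List[SaslBind] = []
    open_binds = {}  # conn -> SaslBind whose final RESULT has not been seen yet
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn = int(m['conn'])
        op = int(m['op']) if m['op'] is not None else None
        rest = m['rest']

        b = BIND_RE.match(rest)
        if b:
            if b['method'] != 'sasl':
                continue  # simple binds are outside this audit
            cur = open_binds.get(conn)
            if cur is None:
                cur = SaslBind(conn=conn, dn=b['dn'], mech=b['mech'])
                open_binds[conn] = cur
            elif b['mech'] and not cur.mech:
                cur.mech = b['mech']  # mech= may only appear on a later step
            cur.ops.append(op)
            continue

        r = RESULT_RE.match(rest)
        if r and conn in open_binds and op in open_binds[conn].ops:
            err = int(r['err'])
            if err == SASL_IN_PROGRESS:
                continue  # intermediate step; the next BIND op on this conn continues it
            cur = open_binds.pop(conn)
            cur.err = err
            s = SASL_MSG_RE.search(r['tail'])
            cur.detail = f"SASL({s['code']}): {s['msg']}" if s else r['tail'].strip(' ,-')
            finished.append(cur)

    finished.extend(open_binds.values())  # exchanges that never got a final RESULT
    return finished


def failed_sasl_binds(log_text: str) -> List[SaslBind]:
    return [b for b in audit_sasl_binds(log_text) if b.failed]


if __name__ == "__main__":
    for b in failed_sasl_binds(SAMPLE_LOG):
        print(f"conn={b.conn} mech={b.mech} dn={b.dn!r} ops={b.ops} err={b.err} {b.detail}")
```

Run on the sample, the script reports conn=20 (mech=NTLM, err=49, SASL(-14): authorization failure) and stays silent about conn=21. The point of grouping by connection rather than by op is that a single-op view would mark every first step of a GSSAPI or other multi-step bind as an error because of its err=14 RESULT.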

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
