On Thu, 22 Dec 2016, Brian Candler wrote:
> Question: does FreeIPA (or specifically the 389 directory server) implement the NTLM SASL mechanism?
No, it doesn't. Even if you install cyrus-sasl-ntlm module, 389-ds will
not be able to authenticate:
[22/Dec/2016:14:16:08.920773153 +0200] conn=20 fd=109 slot=109 SSL connection from 192.168.5.196 to 192.168.5.196
[22/Dec/2016:14:16:08.926439405 +0200] conn=20 TLS1.2 128-bit AES
[22/Dec/2016:14:16:08.929793115 +0200] conn=20 op=0 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:08.930458789 +0200] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Dec/2016:14:16:11.841985315 +0200] conn=20 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:11.843719821 +0200] conn=20 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[22/Dec/2016:14:16:11.843761905 +0200] conn=20 op=2 UNBIND
[22/Dec/2016:14:16:11.843771888 +0200] conn=20 op=2 fd=109 closed - U1

The reason for that is how SASL support is implemented in 389-ds:
it only supports those SASL mechanisms which don't require direct
access to the userPassword attribute (GSSAPI). Alternatively, if
userPassword contains a clear-text password, those SASL mechanisms that
require access to the clear-text password will also work.

FreeIPA does not store clear-text passwords, so there is no chance for SASL
DIGEST-MD5 or SASL NTLM.

-=-=-=-

> The reason I'm asking: I'm using FreeRADIUS for MSCHAP authentication, and one of the things MSCHAP supports is a password change feature for expired passwords. FreeRADIUS lets me shell out to an external process to perform the password change:
>
> local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd '%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' '%{control:NT-Password}'}"
>
> Now, the last argument is the user's *old* NTLM password hash. So ideally I would use this to authenticate to the FreeIPA server to perform the password change - this would avoid the freeipa-passwd script having to have any privileged credentials of its own.
>
> But the only way I can think of doing that would be via a SASL NTLM bind.
Sorry, this is not going to work.

--
/ Alexander Bokovoy
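An added example, not from this thread or from the 389-ds project: a small Python parser over 389-ds access log lines (the sample is constructed, modelled on the log quoted above) that pairs each SASL BIND with its final RESULT, skips the err=14 "SASL bind in progress" step, and reports failed binds per mechanism, so an administrator can spot clients trying mechanisms the server cannot serve (such as NTLM against FreeIPA).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 389-ds access log in the thread above.
SAMPLE_LOG = """\
[22/Dec/2016:14:16:08.929793115 +0200] conn=20 op=0 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:08.930458789 +0200] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Dec/2016:14:16:11.841985315 +0200] conn=20 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=split,dc=test" method=sasl version=3 mech=NTLM
[22/Dec/2016:14:16:11.843719821 +0200] conn=20 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[22/Dec/2016:14:16:11.843761905 +0200] conn=20 op=2 UNBIND
[22/Dec/2016:14:16:12.000000000 +0200] conn=21 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Dec/2016:14:16:12.100000000 +0200] conn=21 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

def sasl_bind_failures(log_text):
    """Pair each SASL BIND with its RESULT (keyed on conn/op) and return
    the ones that ended in a non-zero error. err=14 is the intermediate
    'SASL bind in progress' step of a multi-round mechanism, not a failure."""
    pending = {}
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m['conn'], m['op'])] = {
                'dn': m['dn'], 'method': m['method'], 'mech': m['mech']}
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        err = int(m['err'])
        if err == 14:
            continue  # still negotiating; final RESULT comes on a later op
        bind = pending.pop((m['conn'], m['op']), None)
        if bind is None or bind['method'] != 'sasl' or err == 0:
            continue
        failures.append({'conn': m['conn'], 'dn': bind['dn'],
                         'mech': bind['mech'], 'err': err})
    return failures

def failures_by_mech(log_text):
    """Count failed SASL binds per mechanism, e.g. {'NTLM': 1}."""
    counts = defaultdict(int)
    for f in sasl_bind_failures(log_text):
        counts[f['mech']] += 1
    return dict(counts)
```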

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project