Steve Clark wrote:
Hi Peter,

"Peter Marschall" <[EMAIL PROTECTED]> wrote in message
news:<[EMAIL PROTECTED]>...

Hi Steve,

On Thursday 04 August 2005 11:52, SteveC wrote:

I have been trying to authenticate to an Active Directory LDAP server using
Authen::SASL::Perl::DIGEST_MD5 and am failing. Using OpenLDAP's ldapsearch
and the -Y DIGEST-MD5 command line option, I can authenticate with no
problem -- so the credentials I am using are certainly correct. However,
with the script below I get an error code 49 -- invalid credentials.

...

The only thing of note in the AD environment is that we have multiple
domain controllers. This led me to look at the 'serv' callback parameter,
as that appears to be used when there is a replicated service. One thing I
have noticed while investigating this is that there appears to be a bug in
the 'serv' parameter handling of the DIGEST_MD5 module. When this
parameter is present, the module appends the value to digest_uri (note the
underscore); it should do so to digest-uri. However, even when I change
the module and try to use this parameter I still get the same
authentication problem. [In my testing with the 'serv' parameter, the
$host is the fqdn of a domain controller, and the serv value was the name
of the domain I am trying to authenticate to.]

I guess you are right with digest-uri vs. digest_uri

A few questions / requests:
- Did you replace both occurrences of 'digest_uri' with 'digest-uri'?
- Did you try the script with Authen::SASL::Cyrus as backend?
- Did you check the communication for the different implementations
  on the wire?

If not, would you mind doing so?

Thank you for your help
Peter


--
Peter Marschall
eMail: [EMAIL PROTECTED]


Wrt your points above:

- I only saw one instance of 'digest_uri' -- I have checked on the CPAN
site (in source DIGEST_MD5) and that is all that I can spot there as well.
All the other occurrences are the correct 'digest-uri'.

- The reason I was trying the Perl version of the DIGEST-MD5 SASL
authentication was that I am having even more problems with the Cyrus
version! I have downloaded and installed the most recent version (the
0.13-server version) -- built against Cyrus SASL2. But when I try to use it
(the same test script as my original post except removing the qw/Perl/) I
get a 'Local error' message -- there is no network activity -- hence my
'even more problems' comment!

- I don't have access to the test environment at the moment, but from what I
remember, when using ldapsearch the DIGEST authentication actually selects
'auth-conf', whereas the perl module selects 'auth'.

Steve


It looks like I have got into the habit of replying to myself -- sorry for the noise I am generating.

I have looked into the third of the above bullets and I think that I have found out what is going on. In summary:

- When using ldapsearch, although I thought that I was binding to AD with my UPN ([EMAIL PROTECTED]), ldapsearch was actually using my UNIX account name, userid_2 (which is unfortunately different from the prefix of my UPN, but is the same as the AD attribute sAMAccountName). It was using this to authenticate to AD with the DIGEST-MD5 SASL method -- selecting auth-conf as I noted above.

- In my perl script, when I now use the sAMAccountName value (my UNIX id) I can successfully authenticate. AD then complains that I am only using auth -- the domain security policy requires auth-int or better (or to run under SSL/TLS).

This now leaves me with a puzzle:
- Why is AD refusing to authenticate me using my UPN? According to the AD documentation (for W2k3) digest hashes are calculated for a number of variants of alternate names (UPN and derivations of sAMAccountName) -- so why does it fail to allow me to log on -- even though it has obviously 'matched' my account, as after several attempts my account is locked out.
- Presumably I am now going to need to get Authen::SASL::Cyrus working so that I can use auth-int or auth-conf and so conform to our domain security policy (I could also use SSL/TLS but at present we don't have that configured on our domain controllers). Any ideas on why the Cyrus SASL gives 'Local error' even before generating any network traffic? I certainly have digestmd5 enabled, and SASL2.


Steve
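The thread turns on three details of the DIGEST-MD5 mechanism (RFC 2831): the 'serv' value belongs in the digest-uri directive as a trailing "/serv-name" component, the chosen qop is hashed into the response (so a client answering qop=auth cannot satisfy a server that needs auth-int or auth-conf), and the server's rspauth is derived from the same material. The following is an added example, not code from the thread or from Authen::SASL; it is written in Python rather than Perl so that it runs stand-alone, and it implements the RFC 2831 client computation directly. The challenge, username "chris", password "secret", cnonce and expected response are the worked example from RFC 2831 section 4; the AD-style "ldap/dc1.example.com/example.com" digest-uri is a constructed illustration of the serv-name form described in the thread.

```python
"""RFC 2831 DIGEST-MD5 client computation (added example, not from the thread).

Demonstrates:
  * digest-uri = serv-type "/" host [ "/" serv-name ]  (the 'serv' value
    is appended to the *digest-uri* directive, not a 'digest_uri' one);
  * the qop value and the auth-int/auth-conf A2 suffix are hashed into
    the response, so a client that picks qop=auth when the server needs
    auth-int or better produces a different, rejected response;
  * the server's rspauth is computed from the same material.
"""
import hashlib
import re

# Client preference, strongest first; pick the strongest the server offers.
QOP_PREFERENCE = ("auth-conf", "auth-int", "auth")
NC_FIRST = "00000001"


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_directives(text: str) -> dict:
    """Parse comma-separated key=value directives; values may be quoted."""
    out = {}
    for key, quoted, bare in re.findall(r'([\w-]+)=(?:"([^"]*)"|([^,]*))', text):
        out[key] = quoted if quoted else bare
    return out


def choose_qop(offered: str, preference=QOP_PREFERENCE) -> str:
    offered_set = {q.strip() for q in offered.split(",")}
    for q in preference:
        if q in offered_set:
            return q
    raise ValueError("no acceptable qop in %r" % offered)


def digest_uri(serv_type: str, host: str, serv_name=None) -> str:
    """RFC 2831 2.1.2.1: serv-type "/" host [ "/" serv-name ]."""
    uri = "%s/%s" % (serv_type, host)
    if serv_name:
        uri += "/" + serv_name  # this is where a 'serv' value goes
    return uri


def _ha1(username, realm, password, nonce, cnonce, authzid=None) -> str:
    # A1 = H(username:realm:passwd) : nonce : cnonce [ : authzid ]  (raw MD5 bytes)
    a1 = _h(("%s:%s:%s" % (username, realm, password)).encode("utf-8"))
    a1 += (":%s:%s" % (nonce, cnonce)).encode("utf-8")
    if authzid:
        a1 += (":" + authzid).encode("utf-8")
    return _hexh(a1)


def _ha2(method: str, uri: str, qop: str) -> str:
    # A2 = "AUTHENTICATE:" uri (client) or ":" uri (rspauth),
    # plus 32 zeros when integrity/confidentiality is negotiated.
    a2 = "%s:%s" % (method, uri)
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return _hexh(a2.encode("utf-8"))


def compute_response(username, realm, password, nonce, cnonce, nc, qop, uri, authzid=None) -> str:
    ha1 = _ha1(username, realm, password, nonce, cnonce, authzid)
    ha2 = _ha2("AUTHENTICATE", uri, qop)
    return _hexh(("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2)).encode("utf-8"))


def compute_rspauth(username, realm, password, nonce, cnonce, nc, qop, uri, authzid=None) -> str:
    ha1 = _ha1(username, realm, password, nonce, cnonce, authzid)
    ha2 = _ha2("", uri, qop)
    return _hexh(("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2)).encode("utf-8"))


def client_response(challenge, username, password, cnonce, serv_type, host, serv_name=None):
    """Build the client's response directives for a server challenge."""
    ch = parse_directives(challenge)
    qop = choose_qop(ch["qop"])
    uri = digest_uri(serv_type, host, serv_name)
    resp = compute_response(username, ch["realm"], password, ch["nonce"], cnonce, NC_FIRST, qop, uri)
    return {"username": username, "realm": ch["realm"], "nonce": ch["nonce"],
            "cnonce": cnonce, "nc": NC_FIRST, "qop": qop, "digest-uri": uri,
            "response": resp, "charset": "utf-8"}


if __name__ == "__main__":
    # Worked example from RFC 2831 section 4.
    ch = 'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8'
    r = client_response(ch, "chris", "secret", "OA6MHXh6VqTrRk", "imap", "elwood.innosoft.com")
    print(r["digest-uri"], r["qop"], r["response"])
    # Constructed AD-style case: a DC host plus the domain as serv-name.
    print(digest_uri("ldap", "dc1.example.com", "example.com"))
```

Because qop and the auth-int/auth-conf suffix go into A2, a client that hard-codes qop=auth against a server offering "auth,auth-int,auth-conf" will pass the hash check only if the server's policy still accepts auth; if policy demands integrity or better, the bind is refused after a successful credential match, which is consistent with the lockout-after-retries behaviour described above.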
