
RE: rewrite a login into a dn in simple bind



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Francois Beretti

> Hi Howard,

> sorry for talking about configuration problems, it is mainly
> a security problem

Yes, understood.

> >> Yes, I thought of it about a second after my boss asked it to me, but...
> >> it's hard to say... I _must_ use Microsoft's ADSI API to talk with the
> >> server, and this poor thing can't use SASL (AFAIK) :(
>
> > You need to learn more about ADSI and how Microsoft
> > implemented their LDAP client.
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/adsopenobject.asp
>
> in this page I don't see any ability to use SASL mechanism

It is not spelled out explicitly, but here are the facts:

>>>With the LDAP provider for Active Directory, you may pass in lpszUsername
as one of the following strings:

The name of a user account, such as jeffsmith. To use a user name by itself,
you must set only the ADS_SECURE_AUTHENTICATION flag in the lnReserved
parameter.
<<<
The ADSI is taking a username and securely binding to an LDAP directory - not
just to Active Directory, but to *any* LDAP directory. The only way that the
LDAP protocol allows this is through the use of SASL. No other possibility
exists in the LDAP specification. Also note that using an account name is
only allowed in ADSI when you request Secure Authentication. Again - binding
with a user account name is not possible using LDAP Simple Bind. Until you
understand that these facts are true you will not make any progress on your
project.

> For GSSAPI I need a kerberos architecture, and the customer
> may not want to use Microsoft's to store its security data

But if they already have Kerberos installed, your tool should allow it to be
used.

> (Do I need to say that some people don't like MS very much? :) )

Then perhaps they should throw away their Windows clients as well, thus
neatly solving this problem from the start.

> As you said, DIGEST-MD5 is only supported by windows XP, so I
> can't use it, as many companies use W2k.

Perhaps you should look for a DIGEST-MD5 module for W2k...

> And as I said, DIGEST-MD5 doesn't seem to be supported by ADSI api

Just because ADSI doesn't let you request it directly doesn't mean it won't
let you use it. A SASL client uses the best mechanism that is in common
between itself and the server. If DIGEST-MD5 is the only mechanism in common,
it will be used.

> yes, for me SASL is the perfect method, but I seem not to be
> able to use it, since I must (for the moment) use ADSI api.

Then you must spend some more time to learn how the ADSI api really works.

> My last hope is a module of openldap that could let me modify the dn
> used in the bind, to translate a login name into a well formed dn

Let us assume that you use OpenLDAP back-ldap or back-meta to assist with
this problem. The only way to map from a username to a DN is to either
perform a SASL bind with that username, or to search for the entry that owns
that username. So again this means that
  (a) the remote server must support SASL
or
  (b) the remote server must allow an arbitrary client to bind and search its
contents

Also case (a) is only useful if the remote server supports the WhoAmI
extended operation. Otherwise you must do (b). If the remote server does not
allow anonymous binds and searches of the necessary attributes, then you must
provide the OpenLDAP module with an application ID and credential for binding
to the remote server. But you have already said that using an application
account is not allowed.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
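Option (b) from Howard's reply, resolving a login name to a DN by searching for the entry that owns it and only then binding with that DN, sketched as an added example; it is not part of this thread and not OpenLDAP code. The directory contents are a constructed in-memory stand-in with invented entries, and `fake_search` is a toy equality/wildcard matcher standing in for the real LDAP search (which would run under the application credential or anonymously, as the reply notes), so the whole thing runs offline. The points it shows are the two checks a practitioner needs in this flow: the login must be escaped per RFC 4515 before it is placed in a filter, and a search that returns zero or more than one entry must be refused rather than guessed at.

```python
import re

# RFC 4515 escaping for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login: str, attr: str = "uid") -> str:
    """Filter for the entry that owns this login, e.g. '(uid=jeffsmith)'."""
    return f"({attr}={escape_filter_value(login)})"


# Constructed stand-in for the remote directory (invented entries, not real data).
# In the real flow these are what the search, performed with the application
# credential or anonymously, would return.
FAKE_DIRECTORY = {
    "uid=jeffsmith,ou=people,dc=example,dc=com": {"uid": ["jeffsmith"]},
    "uid=amy,ou=people,dc=example,dc=com": {"uid": ["amy"]},
    "uid=amy,ou=contractors,dc=example,dc=com": {"uid": ["amy"]},
}

# Toy filter grammar: a single '(attr=value)' assertion.
_EQUALITY_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.*)\)$")


def _assertion_to_regex(value: str) -> "re.Pattern[str]":
    """Toy matcher: an unescaped '*' is a wildcard, '\\xx' is a literal character."""
    parts = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def fake_search(directory: dict, filter_str: str) -> list:
    """Return the DNs whose entry matches one equality/substring filter (stand-in for LDAP search)."""
    m = _EQUALITY_FILTER.match(filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, pattern = m["attr"].lower(), _assertion_to_regex(m["value"])
    return [dn for dn, entry in directory.items()
            if any(pattern.match(v) for v in entry.get(attr, []))]


class UnknownLogin(Exception):
    """No entry owns this login name."""


class AmbiguousLogin(Exception):
    """More than one entry owns this login name; refuse rather than guess."""


def resolve_dn(login: str, directory: dict = FAKE_DIRECTORY) -> str:
    """Map a login name to exactly one DN; the caller then does a simple bind with it."""
    matches = fake_search(directory, build_login_filter(login))
    if not matches:
        raise UnknownLogin(login)
    if len(matches) > 1:
        raise AmbiguousLogin(login)
    return matches[0]


if __name__ == "__main__":
    # A login of '*' is escaped to '\2a' and matched literally, so it resolves to nothing
    # instead of matching every entry.
    print(build_login_filter("*"))
    print(resolve_dn("jeffsmith"))
```

The DN returned by `resolve_dn` is what goes into the user's simple bind; the search that produced it is the part that needs either anonymous search rights on the login attribute or the application account the reply describes, which is exactly the constraint Howard is pointing at.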