Mailing List CGatePro@mail.stalker.com Message #92413
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: authLDAPNew2.pl with AD
Date: Fri, 31 Aug 2007 13:44:29 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
> I'm trying to get things figured out with authenticating against my AD
> server (Windows 2003 SP2) for users who are out of my office. As it stands
> now I'm able to authenticate locally and over the VPNs using Kerberos. This
> is not the case for web-users, and obviously, Pronto! My main concern is
> that the password be encrypted and secure.
>
> I downloaded the new authLDAPNew2.pl script and added it as an external
> authenticator. I disabled the internal CGP password for the user and then
> try to log in.

AFAIK, authLDAPNew2.pl addresses SASL login with directories that can provide the plain text password to CGPro. The problem is that Microsoft Active Directory will not provide that information, so challenge-response type login is not possible.

And at this point, the only possibility for using a secure password with CGPro in an AD environment is to use CGPro's own password. It's a pain, I know. So, what possible solutions do you have?

Well, we use plain text auth with external auth that copies to the cgpro password. BUT, that's not really secure unless the password is passed over SSL.

You could create a "synchronize password" page that would be SSL-protected where a user would enter his email and password, you'd validate the password against AD and then set the CGPro password to match. It's a crude workaround, but there's not much else you can do if you want both secure authentication AND integration with AD.

>
> Here's the error I'm getting in the logs:
>
> 14:22:29.722 5 XIMSS new VStream created, n=1
> 14:22:29.722 5 XIMSS stream thread started
> 14:22:29.722 4 XIMSSI-000004([192.168.0.132]) got connection on [192.168.0.30]:8100(mail.aimengr.com) from [192.168.0.132]:2942
> 14:22:29.722 5 XIMSSI-000004([192.168.0.132]) inp(9): <XIMSS/>\000
> 14:22:29.722 5 XIMSSI-000004([192.168.0.132]) out: <XIMSS domain="mail.aimengr.com" server="CommuniGate Pro" version="5.1.12"/>\000
> 14:22:29.723 5 XIMSSI-000004([192.168.0.132]) inp(35): <login id="L1" method="CRAM-MD5"/>\000
> 14:22:29.723 5 XIMSSI-000004([192.168.0.132]) SASL-0(CRAM-MD5) out: <4.1188498149@mail.aimengr.com>
> 14:22:29.723 5 XIMSSI-000004([192.168.0.132]) out: <challenge value="PDQuMTE4ODQ5ODE0OUBtYWlsLmFpbWVuZ3IuY29tPg=="/>\000
> 14:22:29.886 5 XIMSSI-000004([192.168.0.132]) inp(101): <auth id="L1" value="YWt1bmtsZUBtYWlsLmFpbWVuZ3IuY29tIGI5ZWNlN2U2ZmNjNjBlZjkzMmQ1MWQ0MjRiNmFiZmQz"/>\000
> 14:22:29.886 5 XIMSSI-000004([192.168.0.132]) SASL-0(CRAM-MD5) inp: akunkle@mail.aimengr.com b9ece7e6fcc60ef932d51d424b6abfd3
> 14:22:29.887 1 EXTAUTH failed: SASL(CRAM-MD5) (XIMSS) akunkle@mail.aimengr.com b9ece7e6fcc60ef932d51d424b6abfd3 "<4.1188498149@mail.aimengr.com>" [192.168.0.132]. Error Code=external helper output closed
> 14:22:29.887 1 EXTAUTH akunkle@mail.aimengr.com(XIMSS) password verification failed. Error Code=external helper output closed
> 14:22:29.887 1 ACCOUNT(akunkle) login(XIMSS) from [192.168.0.132] failed. Error Code=incorrect password
> 14:22:31.890 5 XIMSSI-000004([192.168.0.132]) out: <response id="L1" errorText="incorrect password or account name" errorNum="515"/>\000
> 14:22:31.890 4 XIMSSI-000004([192.168.0.132]) closing connection
> 14:22:31.890 4 XIMSSI-000004([192.168.0.132]) releasing stream
>
> So I'm thinking it has something to do with the configuration of the
> authLDAPNew2.pl script. Here's the section I'm most lost with and I'm sure
> it's wrong. Anyone have any idea of how it should look when talking to an
> AD server?
>
> I set up a user in the root of AD named cgatebind and that's the one I was
> going to use with this script.
>
> my @ldap_servers=(  # you can specify multiple LDAP servers here
> { address=>'192.168.0.25',     # the address or IP of LDAP server
>   port=>389,                # LDAP port, 389 by default
>   timeout=>5,               # timeout in seconds, 20 by default
>   adminDN=>'cn=cgatebind,dc=aimengr,dc=com',  # the DN for admin bind
>   adminPassword=>'xxxxxxx',
>   searchBase=>'dc=aimengr,dc=com',  # search base for NEW and SASL commands
>   searchFilter=>'(&(uid=cgatebind)(objectclass=*))',
>   bindDN=>'cn=cgatebind,dc=aimengr,dc=com', # the account DN for direct bind for VRFY command
> },
> );
>
> Any ideas would be greatly appreciated. I feel like this is the last piece
> to the puzzle. Once I have this working, I can really think about moving
> forward with the purchase of CGPro.

Bret
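The CRAM-MD5 exchange quoted in the log above, worked through as an added example (this is not code from the list post, from CommuniGate Pro, or from authLDAPNew2.pl). It decodes the logged challenge and client response and shows what an external helper has to hold in order to check the digest: the user's plain-text password, which is exactly what Active Directory will not hand out. The two password-store functions and the constructed password are assumptions for illustration; the real password is not on the page and the logged digest is not reproduced.

```python
"""Why a CRAM-MD5 login cannot be verified by an LDAP-bind-only backend.

Added example, not part of the original thread. Values marked "logged" are
copied from the quoted XIMSS log; everything else is constructed.
"""
import base64
import hashlib
import hmac

# Logged values (the base64 auth value is wrapped over three lines in the
# e-mail and is joined here).
LOGGED_CHALLENGE_B64 = "PDQuMTE4ODQ5ODE0OUBtYWlsLmFpbWVuZ3IuY29tPg=="
LOGGED_AUTH_B64 = (
    "YWt1bmtsZUBtYWlsLmFpbWVuZ3IuY29tIGI5ZWNlN2U2ZmNjNjBlZjk"
    "zMmQ1MWQ0MjRiN"
    "mFiZmQz"
)


def decode_challenge(b64):
    """The server's challenge, sent base64-encoded inside <challenge value=.../>."""
    return base64.b64decode(b64).decode("ascii")


def parse_cram_response(b64):
    """Split the client's <auth value=...> into (username, hex digest)."""
    user, digest = base64.b64decode(b64).decode("ascii").rsplit(" ", 1)
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed CRAM-MD5 digest")
    return user, digest


def cram_md5_digest(password, challenge):
    """RFC 2195: HMAC-MD5 keyed with the plain-text password over the challenge."""
    return hmac.new(password.encode("utf-8"), challenge.encode("ascii"),
                    hashlib.md5).hexdigest()


def verify_cram_md5(user, digest, challenge, plaintext_lookup):
    """Return True only if the stored plain-text password reproduces the digest.

    plaintext_lookup(user) must return the plain-text password, or None when
    the backend cannot disclose it. A bind-only directory such as AD is the
    None case: there is nothing to key the HMAC with, so verification fails
    regardless of whether the user typed the right password.
    """
    password = plaintext_lookup(user)
    if password is None:
        return False  # matches the logged "EXTAUTH failed: SASL(CRAM-MD5)"
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


# Constructed stores (assumption): one that can disclose plain text, as the
# directories authLDAPNew2.pl was written for do, and one that behaves like AD.
CONSTRUCTED_PASSWORD = "example-password-not-the-real-one"


def plaintext_capable_store(user):
    return CONSTRUCTED_PASSWORD if user == "akunkle@mail.aimengr.com" else None


def active_directory_like_store(user):
    return None  # a searcher never gets the clear-text password back from AD


def demo():
    challenge = decode_challenge(LOGGED_CHALLENGE_B64)
    user, logged_digest = parse_cram_response(LOGGED_AUTH_B64)
    # A helper that holds the plain text can verify a digest built from it...
    own_digest = cram_md5_digest(CONSTRUCTED_PASSWORD, challenge)
    ok_with_plain = verify_cram_md5(user, own_digest, challenge,
                                    plaintext_capable_store)
    # ...but an AD-backed helper has no key for the HMAC and must reject,
    # which is what the ACCOUNT(akunkle) login failure in the log records.
    ok_with_ad = verify_cram_md5(user, logged_digest, challenge,
                                 active_directory_like_store)
    return challenge, user, logged_digest, ok_with_plain, ok_with_ad


if __name__ == "__main__":
    for label, value in zip(("challenge", "user", "digest", "plain-text store",
                             "AD-like store"), demo()):
        print(f"{label}: {value}")
```

This is the whole reason the reply recommends a plain-text mechanism over SSL/TLS, or CGPro's own password store: with a simple LDAP bind the client has to send the password itself, so the transport, not the SASL mechanism, has to provide the confidentiality.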