Hi Oleg and Shimi.

I did not describe the problem correctly.

This is not a Linux sysadmin problem.
I am fixing an application running on Debian.

I will take Oleg's advice and look at the cntlm source.

Today I was surprised by the ldapsearch utility (package ldap-utils), which reports that there are several authentication mechanisms available on the AD server,
like GSS-API, KERBEROS, OTP,
but it did not list NTLM!!!


On the other hand, I see that the AD browser from the Sysinternals suite for Windows does use NTLM (Wireshark sees it).


So I am confused now:
Can Linux use NTLM as some backdoor method, or can only Windows use it?

Perhaps the NTLM plugin of the openldap library is usable only on an LDAP server to authenticate Windows clients?


L.


On 04/03/2015 00:12, shimi wrote:

On Tue, Mar 3, 2015 at 10:20 PM, Lev Olshvang <lols...@012.net.il <mailto:lols...@012.net.il>> wrote:


    Hello All,


    Does anybody have an example, or can anybody advise how to perform NTLM
    authentication of a Linux client toward the Microsoft AD service?


    I called ldap_ntlm_bind() to do the job, but
    Wireshark cannot fully recognize these messages and prints
    "malformed".

    And the following
    ldap_parse_ntlm_bind_result() returns with an authentication error.


    Unfortunately these functions are not documented; perhaps I pass
    wrong parameters.


    Actually I pass
    ldap_ntlm_bind(ld, dn, LDAP_AUTH_NTLM_REQUEST, cred, NULL, NULL,
    msgidp);
    I put the password in the cred structure and the user parameter as part of the dn
    string,
    like "user=NTDOMAIN\lev, cn=myhost,dn=com"


    Many thanks and Hag Sameah,


Have you already tried the 'regular' way (https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto) and seen if that works? Maybe the issue is not with your code...

Not that I am sure what you are trying to do beyond just authenticating (if it's just login or similar, why really not with winbind through PAM?) - maybe I got it all wrong :-)

IIRC, to use LDAP towards an AD server, it must be a GlobalCatalog - you should make sure that is the case (as well as the right port for the job, whether encryption is used or not, etc etc.). But this is ancient history, so I hope I am not misleading you.

-- Shimi



_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il