2013-01-22

Performing LDAP Binds With NTLM

With either a Windows Active Directory server or a Samba4 Active Directory server, very little information is exposed to anonymous searches via LDAP.  This means every search has to bind.  Simple binds are in many cases not supported, and for good reason: they are hopelessly insecure.  But often one doesn't want to bother with Kerberos (even as great as Kerberos is) due to ticket expiration, keytab paths, etc.

One alternative that works well is to bind using NTLM.  All modern distributions should have the SASL NTLM mechanism available, although perhaps not installed by default.  To specify a bind mechanism use the "-Y" option, and if your username on the local machine differs from your domain username, specify your username with "-U" (upper-case).  Specification of SASL bind parameters is entirely separate from the specification of the bind parameters for SIMPLE binds (which use "-D", etc.).

ldapsearch -Y ntlm -U fred -h dc1.example.com -b 'dc=example,dc=com' uid=fred
SASL/NTLM authentication started
Please enter your password: *****************

Text 1: An NTLM bind with ldapsearch, as user "fred"

If you see a message like:

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found

then your SASL installation does not support NTLM.  Most likely you do not have the correct package installed.  On openSUSE the required package is cyrus-sasl-ntlm.  Distributions tend to package support for each SASL mechanism separately.
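
A small diagnostic for the failure described above, added here as an example (it is not part of the original post): it classifies the stderr of a failed "ldapsearch -Y ntlm" and, for the "No worthy mechs found" case, checks whether a Cyrus SASL NTLM plugin file is present.  The function names, the result keywords and the plugin directory list are assumptions made for this example; plugin locations vary by distribution.

```shell
#!/bin/sh
# Added example: diagnose a failed "ldapsearch -Y ntlm" bind.
# Assumption: the Cyrus SASL NTLM plugin is a file named libntlm.so* in
# one of these directories (common locations; adjust for your distro).
SASL_PLUGIN_DIRS="/usr/lib64/sasl2 /usr/lib/sasl2 /usr/lib/x86_64-linux-gnu/sasl2"

# The error text quoted in the post, used as sample input.
PAGE_ERROR='ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found'

# Return 0 if an NTLM plugin file exists in any directory given as argument.
ntlm_plugin_present() {
    for dir in "$@"; do
        for f in "$dir"/libntlm.so*; do
            # An unmatched glob stays literal, so test for existence.
            if [ -e "$f" ]; then return 0; fi
        done
    done
    return 1
}

# Map ldapsearch stderr text to a single keyword.
classify_bind_error() {
    case "$1" in
        "")                                    echo ok ;;
        *"SASL(-4)"*"no mechanism available"*) echo client-missing-mechanism ;;
        *"Invalid credentials (49)"*)          echo bad-credentials ;;
        *"Can't contact LDAP server"*)         echo server-unreachable ;;
        *)                                     echo other ;;
    esac
}

# diagnose STDERR_TEXT DIR...  -> prints what to look at next.
diagnose() {
    err=$1; shift
    kind=$(classify_bind_error "$err")
    if [ "$kind" != client-missing-mechanism ]; then
        echo "$kind"
    elif ntlm_plugin_present "$@"; then
        # Plugin file exists but libsasl2 did not load it.
        echo plugin-present-check-config
    else
        # The case from the post: install e.g. cyrus-sasl-ntlm on openSUSE.
        echo install-ntlm-plugin
    fi
}

# Usage: err=$(ldapsearch -Y ntlm ... 2>&1 >/dev/null); diagnose "$err" $SASL_PLUGIN_DIRS
```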

It should be noted that NTLM is not a perfect, or perfectly secure, authentication solution, but it fills a gap in cases where Kerberos isn't applicable.  It is certainly superior to SIMPLE binding, at least because cumbersome LDAP DNs are not involved.
