SASL binds - Rambling...

Arran Cudbard-Bell a.cudbardb at
Mon Feb 23 21:34:18 CET 2015

Does anyone have a use for SASL binds in LDAP?

I added an option to call ldap_sasl_bind for 3.0.7 but that was mostly to allow EXTERNAL auth for when FreeRADIUS is talking to LDAP over a unix socket, or authenticating with a client certificate.

I was mainly looking at it to use NTLM binds against AD. But looking at MSCHAPv2 and NTLM auth, they're not compatible.

It's still potentially useful to get access to the SSPI interface on AD via LDAP, which might allow custom LSA plugins to be called. I'm not sure if a custom LSA plugin could be developed that could be used to implement the authenticator response part of MSCHAPv2, but that could potentially allow very fast authentication against AD.

Has anyone used the LSA interface before, could a plugin be written to do that?

As a result of playing about with libldap/SASL I now have some code that calls ldap_sasl_interactive_bind, implements an interact callback, and feeds back values for the standard challenges to get the auth/autz identity, the realm and the password.

Has anyone been secretly hoping/wishing that one day rlm_ldap might be able to do SASLy things?

#  SASL parameters to use for user binds
#  When we're prompted by the SASL library, these control
#  the responses given.
#  Any of the config items below may be an attribute ref
#  or an expansion, so different SASL mechs, proxy IDs
#  and realms may be used for different users.
sasl_mech = 'PLAIN EXTERNAL FOO'
sasl PLAIN {
	identity = &User-Name

	# SASL authorisation identity to proxy.
#	proxy = &Another-User-Name

	# SASL realm. Used for kerberos.
#	realm = ''
}


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
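An added example (not code from this post or from rlm_ldap) of the interact callback described above: it answers the standard Cyrus SASL prompts for the authentication identity, the proxy (authorisation) identity, the realm and the password from a per-request defaults struct, which is the callback shape ldap_sasl_interactive_bind expects. The sasl_defaults struct is an assumption, and the embedded mirror of the sasl.h/ldap.h definitions is there only so the file compiles without libsasl2/libldap.

```c
#include <stddef.h>
#include <string.h>

/* Minimal mirror of the sasl.h/ldap.h definitions the callback touches
 * (values copied from Cyrus SASL's sasl.h) so this compiles without
 * libsasl2/libldap. In a real build include <ldap.h> and <sasl/sasl.h>
 * and delete this block. */
#ifndef SASL_CB_LIST_END
#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001 /* authorisation identity (proxy) */
#define SASL_CB_AUTHNAME 0x4002 /* authentication identity */
#define SASL_CB_PASS     0x4004 /* password */
#define SASL_CB_GETREALM 0x4008 /* realm */
typedef struct sasl_interact {
    unsigned long id;
    const char *challenge, *prompt, *defresult;
    const void *result;  /* filled in by the callback */
    unsigned len;
} sasl_interact_t;
typedef struct ldap LDAP;
#endif

/* Values resolved per request: identity, proxy, realm and password,
 * matching the rlm_ldap sasl config above (NULL = not configured). */
struct sasl_defaults {
    const char *authname, *proxy, *realm, *password;
};

/* LDAP_SASL_INTERACT_PROC. libldap calls it with an array of prompts
 * terminated by SASL_CB_LIST_END; answer each one from the defaults. */
int sasl_interact_cb(LDAP *ld, unsigned flags, void *defaults, void *in)
{
    struct sasl_defaults *d = defaults;
    sasl_interact_t *p = in;
    (void)ld; (void)flags;

    for (; p->id != SASL_CB_LIST_END; p++) {
        const char *val = NULL;
        switch (p->id) {
        case SASL_CB_AUTHNAME: val = d->authname; break;
        case SASL_CB_USER:     val = d->proxy;    break;
        case SASL_CB_GETREALM: val = d->realm;    break;
        case SASL_CB_PASS:     val = d->password; break;
        }
        /* Cyrus wants "" rather than NULL when there is no value */
        p->result = val ? val : "";
        p->len = (unsigned)strlen(val ? val : "");
    }
    return 0; /* LDAP_SUCCESS */
}
```

In a real bind the callback is passed as ldap_sasl_interactive_bind_s(ld, NULL, "PLAIN", NULL, NULL, LDAP_SASL_QUIET, sasl_interact_cb, &defaults), with defaults filled from the request before each bind.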
