https://bugs.openldap.org/show_bug.cgi?id=9547
Issue ID: 9547
Summary: OpenLDAP does not send port as SPN when authenticating SASL GSSAPI
Product: OpenLDAP
Version: 2.4.44
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: robert.wilson1717@gmail.com
Target Milestone: ---
When trying to authenticate to an ADLDS server using Kerberos and a MIT ccache, OpenLDAP only passes the hostname to the SASL mechanism, causing a mismatch between the SPN in the client "ldap/adlds.my.domain" and the one registered in AD "ldap/adlds.my.domain:50000". Is there a way of forcing OpenLDAP to pass the port as part of the SASL request? Or is there a part of the OpenLDAP -> Cyrus-SASL -> MIT KRB5 chain where this can be enabled?
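As an added diagnostic (not code from the OpenLDAP project or from this report), the following Python script reproduces the mismatch described above without touching Kerberos: given the LDAP URI the client uses and the servicePrincipalName values read from the AD LDS service account, it derives the host-only SPN that libldap hands to the GSSAPI mechanism and the port-qualified form, then reports which of the two AD actually holds. The SPN list is a constructed sample.

```python
from urllib.parse import urlsplit

# Default ports per LDAP URI scheme, used when the URI carries no explicit
# port (ldap:// per RFC 4516; ldaps:// is the conventional TLS port).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def spn_candidates(ldap_uri):
    """Return (host_only_spn, port_qualified_spn) for an LDAP URI.

    libldap passes only the host name to Cyrus SASL, so GSSAPI requests a
    ticket for the host-only form; AD LDS registers the form carrying the
    instance port, which is the mismatch the report describes.
    """
    parts = urlsplit(ldap_uri)
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None:
        raise ValueError(f"no host in {ldap_uri!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if port is None:
        raise ValueError(f"unknown scheme in {ldap_uri!r}")
    return f"ldap/{host}", f"ldap/{host}:{port}"


def check_spn_registration(ldap_uri, registered_spns):
    """Classify whether GSSAPI auth through libldap can find its SPN.

    registered_spns: servicePrincipalName values from the AD LDS service
    account. SPNs compare case-insensitively, as AD treats them.
    Returns 'ok', 'port-only' (the case in this report) or 'missing'.
    """
    host_spn, port_spn = spn_candidates(ldap_uri)
    have = {s.lower() for s in registered_spns}
    if host_spn.lower() in have:
        return "ok"         # the name the client asks for exists in AD
    if port_spn.lower() in have:
        return "port-only"  # only the port-qualified SPN is registered
    return "missing"


# Constructed sample: SPNs as they might appear on an AD LDS service account.
SAMPLE_SPNS = ["ldap/adlds.my.domain:50000", "HOST/adlds.my.domain"]

if __name__ == "__main__":
    uri = "ldap://adlds.my.domain:50000"
    print(uri, "->", spn_candidates(uri), check_spn_registration(uri, SAMPLE_SPNS))
```

A result of 'port-only' means the client-side name will never match until the host-only SPN is also registered for the service account, or the client library learns to send the port.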
--- Comment #1 from Michael Ströder michael@stroeder.com ---
On 5/5/21 2:39 PM, openldap-its@openldap.org wrote:
> causing a mismatch between the SPN in the client "ldap/adlds.my.domain" and the one registered in AD "ldap/adlds.my.domain:50000"
I have some doubts that it's correct to add the port number to servicePrincipalName in MS AD. Did you try without?
--- Comment #2 from robert.wilson1717@gmail.com ---
(In reply to Michael Ströder from comment #1)
> On 5/5/21 2:39 PM, openldap-its@openldap.org wrote:
>> causing a mismatch between the SPN in the client "ldap/adlds.my.domain" and the one registered in AD "ldap/adlds.my.domain:50000"
> I have some doubts that it's correct to add the port number to servicePrincipalName in MS AD. Did you try without?
Without is what OpenLDAP currently performs.
See MS Docs regarding ADLDS SPNs: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/3a6c821...
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed     |Added
----------------------------------------------------------------------------
Severity         |normal      |development
Target Milestone |---         |2.6.0
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
Feature request, Microsoft breaking standards again, unknown impact for MIT and Heimdal-based KDCs.
Patches welcome.
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed     |Added
----------------------------------------------------------------------------
Target Milestone |2.6.0       |2.7.0
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed     |Added
----------------------------------------------------------------------------
Status           |UNCONFIRMED |RESOLVED
Target Milestone |2.7.0       |---
Severity         |development |enhancement
Resolution       |---         |SUSPENDED
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
Patches still welcome, still standard breaking by MS.
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed     |Added
----------------------------------------------------------------------------
Status           |RESOLVED    |VERIFIED