Howard,
Thanks for the confirmation.
I read the options for SASL and I didn't find the option that I should use.
The SASL_SECPROPS option seems to be the one to use, but in that case it
seems like I can turn off plain text rather than turn it on. The gssapi
section does look right as well, but it does not look like I built with the
HAVE_GSSAPI option. Can you please point me to the section I may be
missing?
Thanks,
Kris
On Tue, Oct 7, 2014 at 2:26 PM, Howard Chu <hyc(a)symas.com> wrote:
Kristof Takacs wrote:
> Hello,
>
You should have said you were using AD from the beginning, and saved us
all a lot of time. Your problem has nothing to do with "OpenLDAP, SASL and
TLS" and everything to do with Active Directory and its (lack of) support
for SASL and TLS.
> I just came across this: "While Active Directory permits SASL binds to be
> performed on an SSL/TLS-protected connection, it does not permit the use of
> SASL-layer confidentiality/integrity protection mechanisms on such a
> connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).
>
> Could this be my issue?
>
Obviously yes.
> Is there a way to turn off the SASL-layer
> confidentiality/integrity protection mechanisms when I use openLDAP?
>
Read the ldap.conf(5) manpage.
>
> Thanks,
> Kris
>
> On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs(a)gmail.com> wrote:
>
> Thanks for letting me know that it's an ok use case.
>
> The back end is AD, but it is a "black box" to me. I have access, but the
> event viewer is empty. It does work if I use Kerberos only or TLS with
> simple bind through. Is there anything you can suggest that I can do on
> the server side to show me what it may be complaining about?
>
> Thanks for your help!
> Kris
>
> On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc(a)symas.com> wrote:
>
> Kristof Takacs wrote:
>
> Is the use case of SASL authentication with Kerberos to the LDAP
> server and TLS to the LDAP server for all other communication a valid one?
>
> Certainly it is valid, and has worked in the past. Just keep in mind
> that what you've described here is SASL/GSSAPI + TLS on the same
> session. Not all LDAP servers support that, M$ AD is known to have
> failed on that in the past. It has been tested to work fine in
> OpenLDAP before.
>
> I have not personally tested with the version of Cyrus SASL and
> Heimdal Kerberos you mentioned, so no comment on the current state of
> things.
>
> Thanks,
> Kris
>
> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net> wrote:
>
> On 10/06/14 13:24 -0500, Dan White wrote:
>
> There is a known bug in Cyrus SASL which triggers this problem:
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>
> If adding "-O maxssf=0" to your ldapsearch command, when using both
> Kerberos and TLS, works then that's likely the culprit.
>
> Apparently I can't read my own bug reports. This may or may not be your
> issue.
>
> --
> Dan White
>
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
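The configuration the thread is circling around, as an added example that is not code from any of the participants or from the OpenLDAP project: a POSIX shell helper that emits the ldap.conf(5) lines corresponding to Dan White's `-O maxssf=0` (the SASL_SECPROPS setting Kris was looking at) and builds the matching ldapsearch command for SASL/GSSAPI over StartTLS. Because `maxssf=0` turns off the SASL security layer entirely, the helper only emits it when StartTLS is mandatory (`-ZZ`), so the directory session is never left without confidentiality if TLS negotiation fails. The host name, base DN and realm are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds an ldapsearch invocation
# for SASL/GSSAPI over StartTLS against a server that, like AD, refuses a
# SASL security layer on a TLS-protected connection.  "maxssf=0" asks Cyrus
# SASL for authentication only; the TLS session carries confidentiality and
# integrity instead.  Host name and base DN are placeholders.

LDAP_HOST="ldap.example.com"     # placeholder
BASE_DN="dc=example,dc=com"      # placeholder

# The ldap.conf(5) equivalent of passing "-O maxssf=0" on every command line,
# so all clients on the host behave the same way.
ldap_conf_fragment() {
  cat <<EOF
# Kerberos for authentication; TLS, not the SASL layer, protects the session.
URI           ldap://${LDAP_HOST}
BASE          ${BASE_DN}
TLS_REQCERT   demand
SASL_MECH     GSSAPI
SASL_SECPROPS maxssf=0
EOF
}

# Compose the ldapsearch command.  Dropping the SASL security layer is only
# acceptable when StartTLS is mandatory (-ZZ): with -Z alone a failed TLS
# negotiation would silently leave directory traffic in the clear.
build_ldapsearch_cmd() {
  tls_mode="$1"   # require (-ZZ), try (-Z) or none
  maxssf="$2"     # value for the SASL maxssf property
  case "$tls_mode" in
    require) tls_flag="-ZZ" ;;
    try)     tls_flag="-Z" ;;
    none)    tls_flag="" ;;
    *) echo "unknown TLS mode: $tls_mode" >&2; return 2 ;;
  esac
  if [ "$maxssf" = "0" ] && [ "$tls_mode" != "require" ]; then
    echo "refusing maxssf=0 without mandatory StartTLS" >&2
    return 1
  fi
  printf '%s\n' "ldapsearch -H ldap://${LDAP_HOST} ${tls_flag} -Y GSSAPI -O maxssf=${maxssf} -b ${BASE_DN} -LLL '(objectClass=*)' dn"
}

# Usage: obtain a Kerberos ticket first, then run the printed command:
#   kinit user@EXAMPLE.COM          # placeholder realm
#   eval "$(build_ldapsearch_cmd require 0)"
```

If the search succeeds with `maxssf=0` but fails without it, the server is rejecting the SASL security layer on the TLS-protected connection, which is the behaviour the MSDN text quoted in the thread describes. The `-O` option only adjusts what Cyrus SASL negotiates; Kerberos authentication is unchanged.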