Thanks for the confirmation.

I read the options for SASL and I didn't find the option that I should use.  The SASL_SECPROPS option seems to be the one to use, but in that case it seems like I can turn off plain text rather than turn it on.  The gssapi section does look right as well, but it does not look like I built with the HAVE_GSSAPI option.  Can you please point me to the section I may be missing?


On Tue, Oct 7, 2014 at 2:26 PM, Howard Chu <> wrote:
Kristof Takacs wrote:

You should have said you were using AD from the beginning, and saved us all a lot of time. Your problem has nothing to do with "OpenLDAP, SASL and TLS" and everything to do with Active Directory and its (lack of) support for SASL and TLS.

I just came across this: "While Active Directory permits SASL binds to be
performed on an SSL/TLS-protected connection, it does not permit the use of
SASL-layer confidentiality/integrity protection mechanisms on such a
connection." (

Could this be my issue?

Obviously yes.

Is there a way to turn off the SASL-layer
confidentiality/integrity protection mechanisms when I use openLDAP?

Read the ldap.conf(5) manpage.


On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <> wrote:

    Thanks for letting me know that it's an ok use case.

    The back end is AD, but it is a "black box" to me.  I have access, but the
    event viewer is empty.  It does work if I use Kerberos only or TLS with
    simple bind through.  Is there anything you can suggest that I can do on
    the server side to show me what it may be complaining about?

    Thanks for your help!

    On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <> wrote:

        Kristof Takacs wrote:

            Is the usecase of SASL authentication with Kerberos to the LDAP
            server and TLS
            to the LDAP server for all other communication a valid one?

        Certainly it is valid, and has worked in the past. Just keep in mind
        that what you've described here is SASL/GSSAPI + TLS on the same
        session. Not all LDAP servers support that, M$ AD is known to have
        failed on that in the past. It has been tested to work fine in
        OpenLDAP before.

        I have not personally tested with the version of Cyrus SASL and
        Heimdal Kerberos you mentioned, so no comment on the current state of


            On Mon, Oct 6, 2014 at 2:27 PM, Dan White <> wrote:

                 On 10/06/14 13:24 -0500, Dan White wrote:

                     There is a known bug in Cyrus SASL which triggers this


                     If adding "-O maxssf=0" to your ldapsearch command, when using both
                     Kerberos and TLS, works then that's likely the culprit.

                 Apparently I can't read my own bug reports. This may or may not be your

                 Dan White

  -- Howard Chu
  CTO, Symas Corp. 
  Director, Highland Sun
  Chief Architect, OpenLDAP
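As an added example (not from any of the posters in this thread), this is the ldap.conf(5) form of Dan White's "-O maxssf=0" test, i.e. the setting that disables the SASL-layer confidentiality/integrity protection that AD refuses on a TLS session while leaving TLS itself in place. The URI, base DN and certificate path are placeholders.

```conf
# Added example: ~/.ldaprc or /etc/openldap/ldap.conf with placeholder values.
# Comments must be on their own lines in ldap.conf; trailing comments are not supported.

# Placeholder AD domain controller and search base.
URI      ldap://dc1.example.test
BASE     dc=example,dc=test

# Placeholder CA certificate for the DC; keep certificate checking enabled.
TLS_CACERT  /etc/openldap/certs/ad-ca.pem
TLS_REQCERT demand

# maxssf=0: do not negotiate a GSSAPI confidentiality/integrity layer after the bind.
# That layer on top of TLS is exactly what AD rejects; TLS still protects the wire.
# minssf=0 is written explicitly so that a stricter site-wide default cannot
# conflict with maxssf=0.
SASL_SECPROPS minssf=0,maxssf=0

# Per-connection equivalent (GSSAPI bind, mandatory StartTLS via -ZZ, needs a
# valid Kerberos ticket from kinit first):
#   ldapsearch -Y GSSAPI -ZZ -O maxssf=0 '(sAMAccountName=someone)'
```

The -O option overrides SASL_SECPROPS for that one command, which makes it the quicker way to confirm the diagnosis before changing the configuration file.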