Howard,

Thanks for the confirmation.

I read the options for SASL and I didn't find the option that I should use. The SASL_SECPROPS option seems to be the one to use, but in that case it seems like I can turn off plain text rather than turn it on. The gssapi section does look right as well, but it does not look like I built with the HAVE_GSSAPI option. Can you please point me to the section I may be missing?

Thanks,
Kris

On Tue, Oct 7, 2014 at 2:26 PM, Howard Chu <hyc@symas.com> wrote:
Kristof Takacs wrote:
Hello,

You should have said you were using AD from the beginning, and saved us all a lot of time. Your problem has nothing to do with "OpenLDAP, SASL and TLS" and everything to do with Active Directory and its (lack of) support for SASL and TLS.

I just came across this: "While Active Directory permits SASL binds to be
performed on an SSL/TLS-protected connection, it does not permit the use of
SASL-layer confidentiality/integrity protection mechanisms on such a
connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).

Could this be my issue?

Obviously yes.

Is there a way to turn off the SASL-layer
confidentiality/integrity protection mechanisms when I use openLDAP?

Read the ldap.conf(5) manpage.

Thanks,
Kris

On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs@gmail.com> wrote:

    Thanks for letting me know that it's an ok use case.

    The back end is AD, but it is a "black box" to me.  I have access, but the
    event viewer is empty.  It does work if I use Kerberos only or TLS with
    simple bind through.  Is there anything you can suggest that I can do on
    the server side to show me what it may be complaining about?

    Thanks for your help!
    Kris

    On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc@symas.com> wrote:

        Kristof Takacs wrote:

            Is the usecase of SASL authentication with Kerberos to the LDAP
            server and TLS
            to the LDAP server for all other communication a valid one?


        Certainly it is valid, and has worked in the past. Just keep in mind
        that what you've described here is SASL/GSSAPI + TLS on the same
        session. Not all LDAP servers support that, M$ AD is known to have
        failed on that in the past. It has been tested to work fine in
        OpenLDAP before.

        I have not personally tested with the version of Cyrus SASL and
        Heimdal Kerberos you mentioned, so no comment on the current state of
        things.


            Thanks,
            Kris



            On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite@olp.net> wrote:

                 On 10/06/14 13:24 -0500, Dan White wrote:

                     There is a known bug in Cyrus SASL which triggers this
                     problem:

                     https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

                     If adding "-O maxssf=0" to your ldapsearch command, when
                     using both Kerberos and TLS, works then that's likely the
                     culprit.


                 Apparently I can't read my own bug reports. This may or may
                 not be your issue.

                 --
                 Dan White


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
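As an added example (not from the thread or the OpenLDAP project), this is the ldap.conf(5) form of what Dan White's `-O maxssf=0` does per command: SASL_SECPROPS caps the SASL security layer at 0, so GSSAPI still authenticates but negotiates no confidentiality/integrity layer, which is the combination AD rejects on a TLS-protected connection. The file path, URI, base DN and CA file are placeholders.

```conf
# /etc/openldap/ldap.conf (path assumed; depends on the build)
# Constructed example: URI, BASE and TLS_CACERT are placeholders.
URI           ldaps://ad.example.com
BASE          dc=example,dc=com

# TLS provides confidentiality for the whole session, so make it
# mandatory and verify the server certificate instead of merely
# attempting StartTLS.
TLS_CACERT    /etc/openldap/certs/ad-ca.pem
TLS_REQCERT   demand

# With the default security properties GSSAPI may negotiate its own
# confidentiality layer (ssf > 0) on top of TLS; AD refuses that.
# maxssf=0 limits the SASL layer to authentication only.
SASL_MECH     GSSAPI
SASL_SECPROPS maxssf=0
```

The per-command equivalent is `ldapsearch -H ldaps://ad.example.com -Y GSSAPI -O maxssf=0 ...`; since maxssf=0 removes only the SASL-layer protection, keep TLS mandatory (ldaps:// or `-ZZ`) or the session runs in the clear after the Kerberos exchange.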