-----Original Message-----
From: openldap-technical-bounces+qiang.xu=fujixerox.com@OpenLDAP.org [mailto:openldap-technical-bounces+qiang.xu=fujixerox.com@OpenLDAP.org] On Behalf Of Xu, Qiang (FXSGSC)
Sent: Monday, October 19, 2009 10:35 AM
To: openldap-technical@openldap.org
Subject: sasl binding with ssl encryption
Hi, all:
My LDAP SASL binding is successful, but when I want to channel the traffic over SSL, it fails:
=====================================================================
qxu@durian(pts/0):/etc[201]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:
...
qxu@durian(pts/0):/etc[203]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting       Expires              Service principal
10/19/09 10:31:28    10/19/09 20:28:25    krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 10/20/09 10:31:28
...
qxu@durian(pts/0):/etc[204]$ ldapsearch -Y GSSAPI -H ldap://13.198.97.42:389 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
mail: XCTEST100@xcipv6.com

# refldap://ForestDnsZones.XCIPV6.COM/DC=ForestDnsZones,DC=XCIPV6,DC=COM
# refldap://DomainDnsZones.XCIPV6.COM/DC=DomainDnsZones,DC=XCIPV6,DC=COM
# refldap://XCIPV6.COM/CN=Configuration,DC=XCIPV6,DC=COM
...
qxu@durian(pts/0):/etc[205]$ ldapsearch -Y GSSAPI -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
...
qxu@durian(pts/0):/etc[206]$ ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
=====================================================================
Someone has mentioned that in order to do SASL binding over SSL, the security property "-O maxssf=0" must be set. However, this still fails.
Just want to let you guys know that the failure is due to a defect of Win2008 server:
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/44b0ee8...
http://support.microsoft.com/kb/957072
After the hotfix is applied, the search is successful:
=====================================================================
qxu@durian(pts/0):/etc[243]$ ldapsearch -Y GSSAPI -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
ldap_result: Can't contact LDAP server (-1)
...
qxu@durian(pts/0):/etc[244]$ ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 0
dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
mail: XCTEST100@xcipv6.com

# refldaps://ForestDnsZones.XCIPV6.COM/DC=ForestDnsZones,DC=XCIPV6,DC=COM
# refldaps://DomainDnsZones.XCIPV6.COM/DC=DomainDnsZones,DC=XCIPV6,DC=COM
# refldaps://XCIPV6.COM/CN=Configuration,DC=XCIPV6,DC=COM
=====================================================================
Still, when maxssf is not set to 0, the error message is quite confusing. In the case of Win2003 Server, the error message is "Inappropriate authentication (48)", which is much more suggestive.
Regards, Xu Qiang
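As an added illustration of the point in this thread (my own code, not part of Xu Qiang's message and not OpenLDAP code): a GSSAPI bind negotiates its own SASL integrity/confidentiality layer (sign/seal) unless maxssf=0 caps it, and on an ldaps:// connection that layer sits on top of TLS, which Active Directory either refuses (result 53 with the 00002029 comment) or which ends in "Can't contact LDAP server" once the layer is installed. The helpers below build the ldapsearch command line with -O maxssf=0 only when the transport is already ldaps://, and classify ldapsearch output so the confusing failure modes from the transcripts are recognised. The sample outputs are constructed from the transcripts quoted above; the function names are mine.

```python
"""Helpers illustrating SASL/GSSAPI security layers versus TLS (added example)."""
import re
from urllib.parse import urlsplit


def gssapi_search_argv(uri, base, filt, *attrs):
    """Build an ldapsearch argv for a GSSAPI bind against `uri`.

    For ldaps:// the transport is already encrypted, so the SASL layer is
    capped with -O maxssf=0 and GSSAPI does not try to sign/seal on top of
    TLS. For plain ldap:// the default is kept so GSSAPI protects the
    session itself (the SSF 56 layer seen in the thread).
    """
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported LDAP URI scheme: {scheme!r}")
    argv = ["ldapsearch", "-Y", "GSSAPI"]
    if scheme == "ldaps":
        argv += ["-O", "maxssf=0"]
    argv += ["-H", uri, "-b", base, "-s", "sub", "-LLL", filt, *attrs]
    return argv


# "SASL SSF: N" reports the negotiated SASL layer strength (0 = no layer).
_SSF_RE = re.compile(r"^SASL SSF: (\d+)$", re.M)
# Error lines end with the LDAP result code in parentheses, e.g. "(53)" or "(-1)".
_RESULT_RE = re.compile(
    r"^ldap_(?:sasl_interactive_bind_s|result): .*\((-?\d+)\)$", re.M)


def diagnose_gssapi_output(uri, output):
    """Classify the output of a GSSAPI ldapsearch run.

    Returns:
      'server-refused-layer' - result 53 with the "sign/seal ... TLS or SSL"
                               comment: the server rejected a SASL layer on
                               an encrypted connection
      'sasl-layer-over-tls'  - a SASL layer (SSF > 0) was installed over
                               ldaps://; double encryption, expect the
                               session to break
      'error'                - some other LDAP error
      'ok'                   - no error line
    """
    scheme = urlsplit(uri).scheme.lower()
    ssf_match = _SSF_RE.search(output)
    ssf = int(ssf_match.group(1)) if ssf_match else None
    code_match = _RESULT_RE.search(output)
    code = int(code_match.group(1)) if code_match else None
    if code == 53 and "sign/seal" in output and "TLS or SSL" in output:
        return "server-refused-layer"
    if scheme == "ldaps" and ssf is not None and ssf > 0:
        return "sasl-layer-over-tls"
    if code is not None:
        return "error"
    return "ok"


# Constructed sample outputs, trimmed from the transcripts in the thread.
SAMPLE_LDAP_OK = """SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
mail: XCTEST100@xcipv6.com
"""

SAMPLE_LDAPS_REFUSED = """SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
"""

SAMPLE_LDAPS_LAYER_DROP = """SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
ldap_result: Can't contact LDAP server (-1)
"""

SAMPLE_LDAPS_MAXSSF0_OK = """SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 0
dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
mail: XCTEST100@xcipv6.com
"""


if __name__ == "__main__":
    ldaps = "ldaps://13.198.97.42:636"
    print(" ".join(gssapi_search_argv(ldaps, "dc=xcipv6,dc=com", "cn=XCTEST100", "mail")))
    for name, text in [("refused", SAMPLE_LDAPS_REFUSED),
                       ("layer-drop", SAMPLE_LDAPS_LAYER_DROP),
                       ("maxssf=0", SAMPLE_LDAPS_MAXSSF0_OK)]:
        print(f"{name}: {diagnose_gssapi_output(ldaps, text)}")
```

The same rule applies to programmatic clients: with python-ldap the equivalent of -O maxssf=0 is setting OPT_X_SASL_SSF_MAX to 0 on the connection before the GSSAPI bind. Note that capping the SASL layer to 0 is only safe because TLS already protects the session; on a plain ldap:// connection the GSSAPI layer is what keeps the search traffic confidential.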