I just came across this: "While Active Directory permits SASL binds to be
performed on an SSL/TLS-protected connection, it does not permit the use of
SASL-layer confidentiality/integrity protection mechanisms on such a
Could this be my issue? Is there a way to turn off the SASL-layer
protection mechanisms when I use openLDAP?
On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs(a)gmail.com>
Thanks for letting me know that it's an ok use case.
The back end is AD, but it is a "black box" to me. I have access, but the
event viewer is empty. It does work if I use Kerberos only or TLS with
simple bind through. Is there anything you can suggest that I can do on
the server side to show me what it may be complaining about?
Thanks for your help!
On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc(a)symas.com> wrote:
> Kristof Takacs wrote:
>> Is the usecase of SASL authentication with Kerberos to the LDAP server
>> and TLS
>> to the LDAP server for all other communication a valid one?
> Certainly it is valid, and has worked in the past. Just keep in mind that
> what you've described here is SASL/GSSAPI + TLS on the same session. Not
> all LDAP servers support that, M$ AD is known to have failed on that in the
> past. It has been tested to work fine in OpenLDAP before.
> I have not personally tested with the version of Cyrus SASL and Heimdal
> Kerberos you mentioned, so no comment on the current state of things.
>> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net
>> <mailto:firstname.lastname@example.org>> wrote:
>> On 10/06/14 13:24 -0500, Dan White wrote:
>> There is a known bug in Cyrus SASL which triggers this problem:
>> If adding "-O maxssf=0" to your ldapsearch command, when using
>> Kerberos and TLS, works then that's likely the culprit.
>> Apparently I can't read my own bug reports. This may or may not be
>> Dan White
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/