I just came across this: "While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer confidentiality/integrity protection mechanisms on such a connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).  

Could this be my issue?  Is there a way to turn off the SASL-layer confidentiality/integrity protection mechanisms when I use OpenLDAP?


On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs@gmail.com> wrote:
Thanks for letting me know that it's an ok use case.

The back end is AD, but it is a "black box" to me.  I have access, but the event viewer is empty.  It does work if I use Kerberos only or TLS with simple bind through.  Is there anything you can suggest that I can do on the server side to show me what it may be complaining about?

Thanks for your help!

On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc@symas.com> wrote:
Kristof Takacs wrote:
Is the usecase of SASL authentication with Kerberos to the LDAP server and TLS
to the LDAP server for all other communication a valid one?

Certainly it is valid, and has worked in the past. Just keep in mind that what you've described here is SASL/GSSAPI + TLS on the same session. Not all LDAP servers support that, M$ AD is known to have failed on that in the past. It has been tested to work fine in OpenLDAP before.

I have not personally tested with the version of Cyrus SASL and Heimdal Kerberos you mentioned, so no comment on the current state of things.


On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite@olp.net> wrote:

    On 10/06/14 13:24 -0500, Dan White wrote:

        There is a known bug in Cyrus SASL which triggers this problem:


        If adding "-O maxssf=0" to your ldapsearch command, when using both
        Kerberos and TLS, works then that's likely the culprit.

    Apparently I can't read my own bug reports. This may or may not be your

    Dan White

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
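As an added example (not code from the thread, nor from OpenLDAP or Microsoft), the following POSIX shell script lays out the three bind modes Kristof describes side by side: SASL/GSSAPI alone, TLS with a simple bind, and GSSAPI on top of TLS with the `-O maxssf=0` diagnostic Dan White suggests. The directory URI `ldap://dc.example.com`, the base DN `dc=example,dc=com` and the bind DN are assumptions; set the environment variables to match a real directory. The `*_args` functions only print the argument list, so the exact command line can be inspected before anything touches the server, and nothing is run unless `RUN_LDAP=1` is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Host, base DN and bind DN below are
# assumptions; override them in the environment before running against AD.
LDAP_URI="${LDAP_URI:-ldap://dc.example.com}"          # assumed domain controller
BASE_DN="${BASE_DN:-dc=example,dc=com}"                # assumed base DN
BIND_DN="${BIND_DN:-cn=kristof,cn=users,$BASE_DN}"     # assumed simple-bind DN

# Each *_args function prints one ldapsearch argument per line so the command
# line can be inspected (and tested) without contacting the directory.

# Case 1: Kerberos (SASL/GSSAPI) only, no TLS. GSSAPI negotiates a SASL
# security layer that protects the rest of the session.
gssapi_only_args() {
    printf '%s\n' -H "$1" -Y GSSAPI -b "$2" -s base
}

# Case 2: StartTLS (-ZZ makes a failed TLS negotiation fatal) with a simple
# bind; -W prompts for the password instead of taking it on the command line.
tls_simple_args() {
    printf '%s\n' -H "$1" -ZZ -x -D "$3" -W -b "$2" -s base
}

# Case 3: GSSAPI over TLS. -O maxssf=0 asks Cyrus SASL for no SASL-layer
# confidentiality/integrity, leaving TLS alone to protect the session. This is
# the diagnostic from the thread and matches the MSDN statement that AD does
# not layer SASL protection over an SSL/TLS connection.
gssapi_tls_args() {
    printf '%s\n' -H "$1" -ZZ -Y GSSAPI -O maxssf=0 -b "$2" -s base
}

# Run one case with OpenLDAP client debugging (-d 1) so the trace shows where
# the bind fails. The argument list is rebuilt line by line into "$@" so
# values containing spaces survive intact.
run_case() {
    name=$1; argsfn=$2
    echo "== $name"
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$($argsfn "$LDAP_URI" "$BASE_DN" "$BIND_DN")
EOF
    ldapsearch -d 1 "$@" 2>&1 | tail -n 25
}

# Only contact the directory when explicitly asked; cases 1 and 3 need a
# valid Kerberos ticket (kinit) first.
if [ "${RUN_LDAP:-0}" = 1 ]; then
    run_case "GSSAPI only"                gssapi_only_args
    run_case "TLS + simple bind"          tls_simple_args
    run_case "GSSAPI over TLS, maxssf=0"  gssapi_tls_args
fi
```

If case 3 succeeds only with `-O maxssf=0`, the same setting can be made persistent for the OpenLDAP client with `SASL_SECPROPS maxssf=0` in ldap.conf or ~/.ldaprc. Keep in mind what it does: with maxssf=0 the SASL layer provides no integrity or confidentiality at all, so it is only reasonable on a session that is already wrapped in TLS (`-ZZ` or an `ldaps://` URI), never on a plain `ldap://` connection.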