Hi, all:
My LDAP SASL binding is successful, but when I want to channel the traffic over SSL, it fails:

=====================================================================
qxu@durian(pts/0):/etc[201]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:
...
qxu@durian(pts/0):/etc[203]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
10/19/09 10:31:28  10/19/09 20:28:25  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 10/20/09 10:31:28
...
qxu@durian(pts/0):/etc[204]$ ldapsearch -Y GSSAPI -H ldap://13.198.97.42:389 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
mail: XCTEST100@xcipv6.com

# refldap://ForestDnsZones.XCIPV6.COM/DC=ForestDnsZones,DC=XCIPV6,DC=COM
# refldap://DomainDnsZones.XCIPV6.COM/DC=DomainDnsZones,DC=XCIPV6,DC=COM
# refldap://XCIPV6.COM/CN=Configuration,DC=XCIPV6,DC=COM
...
qxu@durian(pts/0):/etc[205]$ ldapsearch -Y GSSAPI -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
...
qxu@durian(pts/0):/etc[206]$ ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
=====================================================================

Someone has mentioned that in order to do sasl binding over ssl, the security property "-O maxssf=0" must be set. However, this still fails.

Any suggestions?
Thanks, Xu Qiang