I am trying to do OpenLDAP integration with Microsoft AD/LDAP. For some initial troubleshooting purpose, I am looking for using ldapsearch command with SASL bind (DIGEST-MD5).
Can anyone give me the exact syntax for how to use ldapsearch command with SASL bind for active directory? Appreciate your help. I have been trying out what's there over the web but no luck yet.
Thanks.
radiatejava wrote:
I am trying to do OpenLDAP integration with Microsoft AD/LDAP. For some initial troubleshooting purpose, I am looking for using ldapsearch command with SASL bind (DIGEST-MD5).
Can anyone give me the exact syntax for how to use ldapsearch command with SASL bind for active directory? Appreciate your help. I have been trying out what's there over the web but no luck yet.
I seem to recall that MSAD only supports SASL/GSSAPI. Haven't looked in quite a long time though.
Howard Chu wrote:
radiatejava wrote:
I am trying to do OpenLDAP integration with Microsoft AD/LDAP. For some initial troubleshooting purpose, I am looking for using ldapsearch command with SASL bind (DIGEST-MD5).
Can anyone give me the exact syntax for how to use ldapsearch command with SASL bind for active directory? Appreciate your help. I have been trying out what's there over the web but no luck yet.
I seem to recall that MSAD only supports SASL/GSSAPI.
Not true. I used DIGEST-MD5 in a customer project a lot. In really old MS AD (2000?) you had to turn on a specific option in the user entry to make it work. But that's ancient history.
@radiatejava: Test with command-line option "-Y DIGEST-MD5".
Beware that there's a bug with non-ASCII chars in the user name. The MS AD versions I've tested always assumed the user name to be in ISO-8859-1 although sniffing the SASL traffic read like UTF-8 charset option. Maybe this also depended on the localization version.
Ciao, Michael.
Thanks Michael for the response. Would you mind sharing the exact syntax (I am having Win 2008 server) and getting these errors:
ldapsearch -H ldap://10.77.125.83 -s sub -b "dc=agentdev,dc=com" -D sburnwal@agentdev.com -Y DIGEST-MD5 "(cn=iqsyed)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1

ldapsearch -h 10.77.125.83 -p 389 -D "CN=sburnwal,CN=Users,DC=agentdev,DC=com" -W -s sub -b "dc=agentdev,dc=com" -Y DIGEST-MD5 "(cn=iqsyed)"
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1
Thanks.
radiatejava wrote:
Thanks Michael for the response. Would you mind sharing the exact syntax (I am having Win 2008 server) and getting these errors:
ldapsearch -H ldap://10.77.125.83 -s sub -b "dc=agentdev,dc=com" -D sburnwal@agentdev.com -Y DIGEST-MD5 "(cn=iqsyed)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1

ldapsearch -h 10.77.125.83 -p 389 -D "CN=sburnwal,CN=Users,DC=agentdev,DC=com" -W -s sub -b "dc=agentdev,dc=com" -Y DIGEST-MD5 "(cn=iqsyed)"
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1
The option -D is for LDAP simple bind only. Use -X <authzid> as noted in the man-page for ldapsearch. Use the value in attribute SAM-Account-Name (LDAP attribute name 'sAMAccountName') for <authzid>.
Ciao, Michael.
On Fri, 26 Jul 2013 09:27:29 +0200 Michael Ströder michael@stroeder.com wrote
radiatejava wrote:
Thanks Michael for the response. Would you mind sharing the exact syntax (I am having Win 2008 server) and getting these errors:
ldapsearch -H ldap://10.77.125.83 -s sub -b "dc=agentdev,dc=com" -D sburnwal@agentdev.com -Y DIGEST-MD5 "(cn=iqsyed)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1

ldapsearch -h 10.77.125.83 -p 389 -D "CN=sburnwal,CN=Users,DC=agentdev,DC=com" -W -s sub -b "dc=agentdev,dc=com" -Y DIGEST-MD5 "(cn=iqsyed)"
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1
The option -D is for LDAP simple bind only. Use -X <authzid> as noted in the man-page for ldapsearch. Use the value in attribute SAM-Account-Name (LDAP attribute name 'sAMAccountName') for <authzid>.
Sorry, -X was wrong. You have to use -U <SAM-Account-Name>.
Ciao, Michael.
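An added troubleshooting helper, not part of this thread: it builds the DIGEST-MD5 ldapsearch invocation the way Michael's reply describes (-Y for the mechanism, -U for the sAMAccountName, no -D) and parses the AD "additional info" string from the posted error into its fields. The diagnosis text is my own reading of the comment AD returns: DIGEST-MD5 derives its digest-uri from the host given to -H, so an IP literal cannot match an ldap/<fqdn> SPN. The host name dc1.agentdev.com is a constructed placeholder.

```python
import re

# Constructed sample: the bind error quoted in the thread, on one line as ldapsearch prints it.
SAMPLE_ERROR = ("ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: "
                "80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match "
                "any LDAP SPN's registered for this server., data 0, v1db1")

# Field layout of AD's "additional info" text: <hresult>: LdapErr: DSID-<id>, comment: <text>, data <n>, v<ver>
_AD_ERR = re.compile(
    r"\((?P<rc>\d+)\) additional info: (?P<ad>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v")


def is_ip_literal(host):
    """True for a dotted-quad host; DIGEST-MD5's digest-uri (ldap/<host>) must name the DC's SPN."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def build_ldapsearch_args(dc_fqdn, base_dn, sam_account_name, ldap_filter):
    """Argument vector for a SASL DIGEST-MD5 search against AD; ldapsearch prompts for the password."""
    if is_ip_literal(dc_fqdn):
        raise ValueError("bind to the DC's DNS name, not its IP: ldap/<ip> matches no registered SPN")
    # -U carries the authentication id (sAMAccountName); -D is for simple bind only.
    return ["ldapsearch", "-H", f"ldap://{dc_fqdn}", "-Y", "DIGEST-MD5",
            "-U", sam_account_name, "-b", base_dn, "-s", "sub", ldap_filter]


def parse_ad_bind_error(line):
    """Split an AD-style bind error into rc, ad (HRESULT), dsid, comment and data; None if not AD."""
    m = _AD_ERR.search(line)
    return m.groupdict() if m else None


def diagnose(fields):
    """Most likely cause for the parsed error (my reading of the codes, not from the thread)."""
    if fields is None:
        return "not an AD-style bind error"
    code = fields["ad"].upper()
    if code == "80090303":  # SSPI SEC_E_TARGET_UNKNOWN: the server cannot match the digest-uri
        return ("digest-uri mismatch: ldapsearch sends ldap/<host from -H>; use the DC's FQDN "
                "so it matches an ldap/ SPN, and pass the sAMAccountName with -U")
    if code == "8009030C":  # SSPI SEC_E_LOGON_DENIED: the account or password was rejected
        return f"logon denied (data {fields['data']}): check the -U sAMAccountName and password"
    return f"AD error {code} (data {fields['data']}): {fields['comment']}"


if __name__ == "__main__":
    print(" ".join(build_ldapsearch_args("dc1.agentdev.com", "dc=agentdev,dc=com", "sburnwal", "(cn=iqsyed)")))
    print(diagnose(parse_ad_bind_error(SAMPLE_ERROR)))
```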
openldap-technical@openldap.org