I'm using openldap, cyrus-sasl, heimdal, and openssl.
I use the standard kerberos "kinit" tool to get my TGT, this is successful. I use the standard openldap "ldapsearch" tool to attempt to do a LDAP+GSSAPI over TLS (cert level "demand") search, and I get two errors.
The first error is an "inappropriate auth", which seems to come from openldap. The second error is "Cannot start kerberos signing/sealing when using TLS/SSL", which seems to come from GSSAPI-land.
Interesting facts:
- This fails against Windows 2003 AD.
- But succeeds against a BSD box running an openldap server.
- The following all had the cert level set to "demand"...
  - LDAP works with the Win2003 AD.
  - LDAP+SSL works with the Win2003 AD.
  - LDAP+TLS works with the Win2003 AD.
  - LDAP+GSSAPI works with the Win2003 AD.
  - LDAP+GSSAPI+SSL works with the Win2003 AD.
  - But LDAP+GSSAPI+TLS does NOT work with the Win2003 AD.
- If I switch the cert level to "allow", then LDAP+GSSAPI+TLS works with Win2003 AD.
It seems everything is ok with my kerberos setup, since LDAP+GSSAPI works. It seems everything is ok with my certs, since LDAP+SSL, LDAP+TLS and LDAP+GSSAPI+SSL all work.
I'm at a loss as to why this particular case: LDAP+GSSAPI+TLS (cert level "demand") against Windows 2003 AD doesn't work.
I tried looking through the openldap, cyrus-sasl, heimdal, and openssl code for "Cannot start kerberos signing/sealing when using TLS/SSL" but I didn't find anything. My guess is that this comes from the server.
The only thing I could find googling was from here: http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP that says: "GSSAPI Error: Cannot start kerberos signing/sealing when using TLS/SSL SASL/GSSAPI already encrypts the LDAP traffic, this error is trying to say TLS/SSL is redundant."
My questions:
(1) Is this simply the fact that Windows 2003 AD doesn't support LDAP+GSSAPI+TLS (with cert level set to "demand")?
(2) Why would the Win2003 AD server behave properly with SSL but not TLS?
(3) Why does the openldap server work fine, but not the Windows 2003 AD server?
(4) Has this been addressed in some newer release of openldap/cyrus-sasl/heimdal/openssl code?
(5) Is there anything I could have done wrong in my Win2003 AD setup?
(6) Any other general suggestions/ideas to help?
Thanks,
--
- Jeremiah Martell
http://inlovewithGod.com
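Added example, not from the thread or from OpenLDAP: a small shell harness that composes the ldapsearch command line for each cell of the matrix above and runs the cells at a chosen TLS_REQCERT level, so the one failing combination can be re-tested against any server. The host, base DN and CA path are constructed placeholders, and the optional `-O maxssf=0` cell is my assumption of the usual way to keep SASL/GSSAPI from negotiating its own signing/sealing layer when TLS already protects the connection; the thread itself does not confirm that this resolves the AD error.

```shell
#!/bin/sh
# Added example (not from the thread): compose the ldapsearch command line for
# each cell of the auth/transport matrix above, so the failing combination
# (GSSAPI + StartTLS + TLS_REQCERT=demand) can be re-run against any server.
# Host, base DN and CA file are constructed placeholders; override via env.
LDAP_HOST="${LDAP_HOST:-dc.example.test}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=test}"
LDAP_CACERT="${LDAP_CACERT:-/etc/ssl/certs/ad-ca.pem}"

# ldap_args AUTH TRANSPORT [nolayer]
#   AUTH      simple (-x) | gssapi (-Y GSSAPI)
#   TRANSPORT plain | ssl (ldaps://) | tls (ldap:// plus StartTLS; -ZZ = must succeed)
#   nolayer   add -O maxssf=0 so GSSAPI only authenticates and negotiates no
#             signing/sealing layer on top of TLS (assumed workaround, see lead-in)
ldap_args() {
    auth=$1; transport=$2; layer=${3:-}
    case $transport in
        plain) uri="ldap://$LDAP_HOST";  tlsopt="" ;;
        ssl)   uri="ldaps://$LDAP_HOST"; tlsopt="" ;;
        tls)   uri="ldap://$LDAP_HOST";  tlsopt="-ZZ" ;;
        *)     echo "unknown transport: $transport" >&2; return 1 ;;
    esac
    case $auth in
        simple) authopt="-x" ;;
        gssapi) authopt="-Y GSSAPI" ;;
        *)      echo "unknown auth: $auth" >&2; return 1 ;;
    esac
    [ "$layer" = nolayer ] && authopt="$authopt -O maxssf=0"
    printf '%s' "-H $uri $tlsopt $authopt -b $LDAP_BASE -s base" | tr -s ' '
}

# run_cell REQCERT AUTH TRANSPORT [nolayer]: run one cell at the given
# TLS_REQCERT level and report PASS/FAIL with the exact command used.
run_cell() {
    reqcert=$1; shift
    args=$(ldap_args "$@") || return 1
    if LDAPTLS_REQCERT="$reqcert" LDAPTLS_CACERT="$LDAP_CACERT" \
        ldapsearch $args >/dev/null 2>&1; then status=PASS; else status=FAIL; fi
    echo "$status  TLS_REQCERT=$reqcert  ldapsearch $args"
}

# Re-run the thread's matrix at cert level "demand" (needs a valid TGT from kinit).
# Only executes when LDAP_MATRIX_RUN=1 is set and ldapsearch is installed.
if [ "${LDAP_MATRIX_RUN:-0}" = 1 ] && command -v ldapsearch >/dev/null 2>&1; then
    for auth in simple gssapi; do
        for transport in plain ssl tls; do run_cell demand "$auth" "$transport"; done
    done
    run_cell demand gssapi tls nolayer   # the reported failure, without the SASL layer
fi
```

Run with `LDAP_MATRIX_RUN=1 LDAP_HOST=... ./matrix.sh` after kinit; comparing the PASS/FAIL line for the `-ZZ -Y GSSAPI` cell with and without `-O maxssf=0` shows whether the SASL layer, rather than the certificate check, is what the server rejects.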
Jeremiah Martell wrote:
> I'm using openldap, cyrus-sasl, heimdal, and openssl.

And apparently they are all working correctly.

> I use the standard kerberos "kinit" tool to get my TGT, this is successful. I use the standard openldap "ldapsearch" tool to attempt to do a LDAP+GSSAPI over TLS (cert level "demand") search, and I get two errors.
> The first error is an "inappropriate auth", which seems to come from openldap. The second error is "Cannot start kerberos signing/sealing when using TLS/SSL", which seems to come from GSSAPI-land.
> Interesting facts:
> - This fails against Windows 2003 AD.

Questions about why Microsoft AD is broken belong in a Microsoft forum.

> - But succeeds against a BSD box running an openldap server.
openldap-technical@openldap.org