I am trying to use OpenLDAP from an embedded Linux system to authenticate (PAM LDAP) against a Windows AD server. I must use TLS to secure this, but I would rather not use SASL or Kerberos if possible.
I have been able to mock this up on a Centos system without TLS, and the PAM worked fine. When I turn on TLS, the Windows server handshakes the TLS but then has a problem with the first message. I am also working that side.
I have walked through the handshake with s_client, and the connection is happy. I am now working with ldapsearch and trying things.... The first thing I notice is that it seems to try a SASL bind. Can I stop this? I'm not sure I have SASL actually installed on this system, and I'm not sure I want it in my target.
Is this possible, from the OpenLDAP client and/or Windows AD? Ideas on the correct alphabet soup to try this with ldapsearch would be appreciated. Thanks.
Greetings,
On Thu, Jul 7, 2011 at 4:08 PM, David Mitton <david@mitton.com> wrote:

> I am trying to use OpenLDAP from an embedded Linux system to authenticate (PAM LDAP) against a Windows AD server. I must use TLS to secure this, but I would rather not use SASL or Kerberos if possible.

pam_ldap = http://www.padl.com/pam_ldap.html or http://arthurdejong.org/nss-pam-ldapd/ ... you are not dealing here with OpenLDAP...

> I have been able to mock this up on a Centos system without TLS, and the PAM worked fine. When I turn on TLS, the Windows server handshakes the TLS but then has a problem with the first message. I am also working that side.
> I have walked through the handshake with s_client, and the connection is happy. I am now working with ldapsearch and trying things.... The first thing I notice is that it seems to try a SASL bind. Can I stop this? I'm not sure I have SASL actually installed on this system, and I'm not sure I want it in my target.

ldapsearch -x <--- does simple auth instead of SASL.

> Is this possible, from the OpenLDAP client and/or Windows AD? Ideas on the correct alphabet soup to try this with ldapsearch would be appreciated. Thanks.

Well, I have seen this done through samba, but you *should* be able to use AD's LDAP to authenticate your Linux workstation, I guess.
Sincerely,
Ildefonso Camargo
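Putting the -x suggestion above together with the TLS part of the question, here is an added example that is not from the thread or from the OpenLDAP project: a small POSIX shell script that assembles a simple-bind ldapsearch against a domain controller over either ldaps:// or StartTLS, and checks the client's ldap.conf before using it. The point of the check is that with a simple bind the password travels in the clear inside the TLS session, so certificate verification (TLS_REQCERT demand plus a pinned CA) is the only thing standing between that password and a man-in-the-middle. The host dc1.example.com, the bind identity svc_pam@example.com, the base dc=example,dc=com and the CA path are placeholders assumed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): drive ldapsearch with a simple bind (-x)
# against an AD domain controller over TLS, and refuse to run it against an
# ldap.conf whose TLS settings would expose the simple-bind password.
# dc1.example.com, svc_pam@example.com, dc=example,dc=com and the CA path are
# placeholders assumed for this example.

# Assemble the ldapsearch command line (printed, not executed, so the caller
# can inspect it first).
#   $1 mode   : "ldaps"    = TLS from the first byte, port 636
#               "starttls" = plain LDAP on 389 upgraded with -ZZ, which fails
#                            hard if the server refuses StartTLS
#               Never combine -ZZ with an ldaps:// URI: TLS is already up.
#   $2 host, $3 bind identity (a DN, or a user@domain UPN, which AD accepts),
#   $4 search base
# -x forces a simple bind instead of SASL; -W prompts for the password so it
# does not show up in the process list the way -w <password> would.
ldapsearch_cmd() {
    mode=$1; host=$2; binddn=$3; base=$4
    case "$mode" in
        ldaps)
            printf "ldapsearch -x -H ldaps://%s -D '%s' -W -b '%s' -z 5 '(objectClass=user)' sAMAccountName" \
                "$host" "$binddn" "$base" ;;
        starttls)
            printf "ldapsearch -x -ZZ -H ldap://%s -D '%s' -W -b '%s' -z 5 '(objectClass=user)' sAMAccountName" \
                "$host" "$binddn" "$base" ;;
        *)
            echo "ldapsearch_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Read an ldap.conf on stdin and return 0 only if its TLS settings still
# verify the domain controller's certificate.
#   TLS_REQCERT never/allow/try skip or soften certificate checking, which
#   turns a TLS simple bind into a password handed to whoever answers on 636.
#   TLS_REQCERT unset defaults to demand, so an absent directive is fine.
#   Policy choice for this example: the AD CA must be pinned explicitly via
#   TLS_CACERT or TLS_CACERTDIR rather than relying on the system trust store.
check_ldap_conf() {
    conf=$(cat)
    reqcert=$(printf '%s\n' "$conf" | awk 'tolower($1)=="tls_reqcert" {v=tolower($2)} END {print v}')
    cacert=$(printf '%s\n' "$conf" | awk 'tolower($1)=="tls_cacert" || tolower($1)=="tls_cacertdir" {v=$2} END {print v}')
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "refusing: TLS_REQCERT $reqcert disables server certificate checking" >&2; return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "refusing: no TLS_CACERT/TLS_CACERTDIR, the AD CA is not pinned" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs: the first is the usual "make the certificate
# complaint go away" mistake, the second pins the AD CA and keeps verification on.
WEAK_CONF='URI ldaps://dc1.example.com
BASE dc=example,dc=com
TLS_REQCERT never'

GOOD_CONF='URI ldaps://dc1.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/certs/ad-root-ca.pem
TLS_REQCERT demand'

if printf '%s\n' "$GOOD_CONF" | check_ldap_conf; then
    ldapsearch_cmd ldaps dc1.example.com 'svc_pam@example.com' 'dc=example,dc=com'; echo
fi
printf '%s\n' "$WEAK_CONF" | check_ldap_conf || echo "weak config rejected, not running ldapsearch"
```

ldapwhoami -x with the same -H/-D/-W flags is a quicker bind-only test than a search. Running ldapsearch with -d 1 (or a larger debug mask) shows where the exchange stops after the TLS handshake; loosening TLS_REQCERT to never or allow tends to make such errors disappear precisely because it disables the check that protects the password, which is why the script refuses that configuration.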
On 11-07-08 9:28 AM, Jose Ildefonso Camargo Tolosa wrote:

> Greetings,
>
> On Thu, Jul 7, 2011 at 4:08 PM, David Mitton <david@mitton.com> wrote:
>
> > I am trying to use OpenLDAP from an embedded Linux system to authenticate (PAM LDAP) against a Windows AD server. I must use TLS to secure this, but I would rather not use SASL or Kerberos if possible.
>
> pam_ldap = http://www.padl.com/pam_ldap.html or http://arthurdejong.org/nss-pam-ldapd/ ... you are not dealing here with OpenLDAP...
>
> > I have been able to mock this up on a Centos system without TLS, and the PAM worked fine. When I turn on TLS, the Windows server handshakes the TLS but then has a problem with the first message. I am also working that side. I have walked through the handshake with s_client, and the connection is happy. I am now working with ldapsearch and trying things.... The first thing I notice is that it seems to try a SASL bind. Can I stop this? I'm not sure I have SASL actually installed on this system, and I'm not sure I want it in my target.
>
> ldapsearch -x <--- does simple auth instead of SASL.
>
> > Is this possible, from the OpenLDAP client and/or Windows AD? Ideas on the correct alphabet soup to try this with ldapsearch would be appreciated. Thanks.
>
> Well, I have seen this done through samba, but you *should* be able to use AD's LDAP to authenticate your Linux workstation, I guess.
>
> Sincerely,
> Ildefonso Camargo
I have done this with freeradius+samba. It worked great, and I was even able to get the *nix box joined to the AD.
Thanks, Daniel
openldap-technical@openldap.org