11:03 a.m.
I use the following version:
- OpenLDAP (2.4.35), but I have tried 2.4.39 as well
- Cyrus SASL (2.1.26)
- OpenSSL (1.0.1h)
- Heimdal ( I beleive 1.5.2)
Thanks,
Kris
On Mon, Oct 6, 2014 at 1:30 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
--On Monday, October 06, 2014 2:27 PM -0400 Kristof Takacs <
kristof.takacs(a)gmail.com> wrote:
I use the following open source libraries:
> - OpenLDAP
> - Cyrus SASL
> - OpenSSL
> - Heimdal
>
It is always critical to list the versions of software you are using.
Please do so.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11:24 a.m.
New subject: OpenLDAP, SASL and TLS
On 10/06/14 13:27 -0400, Kristof Takacs wrote:
I am having issues when I have Kerberos bind and TLS turned on.
On 10/06/14 14:03 -0400, Kristof Takacs wrote:
I use the following version:
- OpenLDAP (2.4.35), but I have tried 2.4.39 as well
- Cyrus SASL (2.1.26)
- OpenSSL (1.0.1h)
- Heimdal ( I beleive 1.5.2)
There is a known bug in Cyrus SASL which triggers this problem:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
If adding "-O maxssf=0" to your ldapsearch command, when using both
Kerberos and TLS, works then that's likely the culprit.
--
Dan White
11:27 a.m.
New subject: OpenLDAP, SASL and TLS
On 10/06/14 13:24 -0500, Dan White wrote:
There is a known bug in Cyrus SASL which triggers this problem:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
If adding "-O maxssf=0" to your ldapsearch command, when using both
Kerberos and TLS, works then that's likely the culprit.
Apparently I can't read my own bug reports. This may or may not be your
issue.
--
Dan White
6:27 a.m.
New subject: OpenLDAP, SASL and TLS
Dan,
Thanks for the quick response.
I tried your suggestion like this:
//GSSAPI and TLS fails to AD. This was a suggestion for the
workaround:
//https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
sasl_ssf_t max_ssf = 0;
ldrc = ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
if (ldrc != LDAP_SUCCESS) {
logError("ldap_set_option() for LDAP_OPT_X_SASL_SSF_MAX
failure: ldrc = %d", ldrc);
return;
}
But with that change I can't bind any longer, I get a "Local error(-2)"
I get the same for Kerberos with no TLS with this setting.
Is the usecase of SASL authentication with Kerberos to the LDAP server and
TLS to the LDAP server for all other communication a valid one?
Thanks,
Kris
On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net> wrote:
On 10/06/14 13:24 -0500, Dan White wrote:
> There is a known bug in Cyrus SASL which triggers this problem:
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>
> If adding "-O maxssf=0" to your ldapsearch command, when using both
> Kerberos and TLS, works then that's likely the culprit.
>
Apparently I can't read my own bug reports. This may or may not be your
issue.
--
Dan White
7:31 a.m.
New subject: OpenLDAP, SASL and TLS
Kristof Takacs wrote:
Is the usecase of SASL authentication with Kerberos to the LDAP
server and TLS
to the LDAP server for all other communication a valid one?
Certainly it is valid, and has worked in the past. Just keep in mind that what
you've described here is SASL/GSSAPI + TLS on the same session. Not all LDAP
servers support that, M$ AD is known to have failed on that in the past. It
has been tested to work fine in OpenLDAP before.
I have not personally tested with the version of Cyrus SASL and Heimdal
Kerberos you mentioned, so no comment on the current state of things.
Thanks,
Kris
On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net
<mailto:dwhite@olp.net>> wrote:
On 10/06/14 13:24 -0500, Dan White wrote:
There is a known bug in Cyrus SASL which triggers this problem:
https://bugzilla.cyrusimap.__org/show_bug.cgi?id=3480
<https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480>
If adding "-O maxssf=0" to your ldapsearch command, when using both
Kerberos and TLS, works then that's likely the culprit.
Apparently I can't read my own bug reports. This may or may not be your
issue.
--
Dan White
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9:11 a.m.
New subject: OpenLDAP, SASL and TLS
Thanks for letting me know that it's an ok use case.
The back end is AD, but it is a "black box" to me. I have access, but the
event viewer is empty. It does work if I use Kerberos only or TLS with
simple bind through. Is there anything you can suggest that I can do on
the server side to show me what it may be complaining about?
Thanks for your help!
Kris
On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc(a)symas.com> wrote:
Kristof Takacs wrote:
> Is the usecase of SASL authentication with Kerberos to the LDAP server
> and TLS
> to the LDAP server for all other communication a valid one?
>
Certainly it is valid, and has worked in the past. Just keep in mind that
what you've described here is SASL/GSSAPI + TLS on the same session. Not
all LDAP servers support that, M$ AD is known to have failed on that in the
past. It has been tested to work fine in OpenLDAP before.
I have not personally tested with the version of Cyrus SASL and Heimdal
Kerberos you mentioned, so no comment on the current state of things.
>
> Thanks,
> Kris
>
>
>
> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net
> <mailto:dwhite@olp.net>> wrote:
>
> On 10/06/14 13:24 -0500, Dan White wrote:
>
> There is a known bug in Cyrus SASL which triggers this problem:
>
> https://bugzilla.cyrusimap.__org/show_bug.cgi?id=3480
> <https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480>
>
> If adding "-O maxssf=0" to your ldapsearch command, when using
> both
> Kerberos and TLS, works then that's likely the culprit.
>
>
> Apparently I can't read my own bug reports. This may or may not be
> your
> issue.
>
> --
> Dan White
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9:55 a.m.
New subject: OpenLDAP, SASL and TLS
Hello,
I just came across this: "While Active Directory permits SASL binds to be
performed on an SSL/TLS-protected connection, it does not permit the use of
SASL-layer confidentiality/integrity protection mechanisms on such a
connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).
Could this be my issue? Is there a way to turn off the SASL-layer
confidentiality/integrity
protection mechanisms when I use openLDAP?
Thanks,
Kris
On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs(a)gmail.com>
wrote:
Thanks for letting me know that it's an ok use case.
The back end is AD, but it is a "black box" to me. I have access, but the
event viewer is empty. It does work if I use Kerberos only or TLS with
simple bind through. Is there anything you can suggest that I can do on
the server side to show me what it may be complaining about?
Thanks for your help!
Kris
On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc(a)symas.com> wrote:
> Kristof Takacs wrote:
>
>> Is the usecase of SASL authentication with Kerberos to the LDAP server
>> and TLS
>> to the LDAP server for all other communication a valid one?
>>
>
> Certainly it is valid, and has worked in the past. Just keep in mind that
> what you've described here is SASL/GSSAPI + TLS on the same session. Not
> all LDAP servers support that, M$ AD is known to have failed on that in the
> past. It has been tested to work fine in OpenLDAP before.
>
> I have not personally tested with the version of Cyrus SASL and Heimdal
> Kerberos you mentioned, so no comment on the current state of things.
>
>>
>> Thanks,
>> Kris
>>
>>
>>
>> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net
>> <mailto:dwhite@olp.net>> wrote:
>>
>> On 10/06/14 13:24 -0500, Dan White wrote:
>>
>> There is a known bug in Cyrus SASL which triggers this problem:
>>
>> https://bugzilla.cyrusimap.__org/show_bug.cgi?id=3480
>> <https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480>
>>
>> If adding "-O maxssf=0" to your ldapsearch command, when using
>> both
>> Kerberos and TLS, works then that's likely the culprit.
>>
>>
>> Apparently I can't read my own bug reports. This may or may not be
>> your
>> issue.
>>
>> --
>> Dan White
>>
>>
>>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
11:26 a.m.
New subject: OpenLDAP, SASL and TLS
Kristof Takacs wrote:
Hello,
You should have said you were using AD from the beginning, and saved us all a
lot of time. Your problem has nothing to do with "OpenLDAP, SASL and TLS" and
everything to do with Active Directory and its (lack of) support for SASL and TLS.
I just came across this: "While Active Directory permits SASL
binds to be
performed on an SSL/TLS-protected connection, it does not permit the use of
SASL-layer confidentiality/integrity protection mechanisms on such a
connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).
Could this be my issue?
Obviously yes.
Is there a way to turn off the SASL-layer
confidentiality/integrity protection mechanisms when I use openLDAP?
Read the ldap.conf(5) manpage.
Thanks,
Kris
On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs(a)gmail.com
<mailto:kristof.takacs@gmail.com>> wrote:
Thanks for letting me know that it's an ok use case.
The back end is AD, but it is a "black box" to me. I have access, but the
event viewer is empty. It does work if I use Kerberos only or TLS with
simple bind through. Is there anything you can suggest that I can do on
the server side to show me what it may be complaining about?
Thanks for your help!
Kris
On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc(a)symas.com
<mailto:hyc@symas.com>> wrote:
Kristof Takacs wrote:
Is the usecase of SASL authentication with Kerberos to the LDAP
server and TLS
to the LDAP server for all other communication a valid one?
Certainly it is valid, and has worked in the past. Just keep in mind
that what you've described here is SASL/GSSAPI + TLS on the same
session. Not all LDAP servers support that, M$ AD is known to have
failed on that in the past. It has been tested to work fine in
OpenLDAP before.
I have not personally tested with the version of Cyrus SASL and
Heimdal Kerberos you mentioned, so no comment on the current state of
things.
Thanks,
Kris
On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net
<mailto:dwhite@olp.net>
<mailto:dwhite@olp.net <mailto:dwhite@olp.net>>> wrote:
On 10/06/14 13:24 -0500, Dan White wrote:
There is a known bug in Cyrus SASL which triggers this
problem:
https://bugzilla.cyrusimap.____org/show_bug.cgi?id=3480
<https://bugzilla.cyrusimap.__org/show_bug.cgi?id=3480
<https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480>>
If adding "-O maxssf=0" to your ldapsearch command, when
using both
Kerberos and TLS, works then that's likely the culprit.
Apparently I can't read my own bug reports. This may or may
not be your
issue.
--
Dan White
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5:13 a.m.
New subject: OpenLDAP, SASL and TLS
Howard,
Thanks for the confirmation.
I read the option for SASL and I didn't find the option that I should use.
The *SASL_SECPROPS *option seems to the be one to use, but in that case it
seems like I can turn off plain text rather then turn it on. The gssapi
section does look right as well, but it does not look like I build with
HAVE_GSSAPI option. Can you please point me to the section I may be
missing?
Thanks,
Kris
On Tue, Oct 7, 2014 at 2:26 PM, Howard Chu <hyc(a)symas.com> wrote:
Kristof Takacs wrote:
> Hello,
>
You should have said you were using AD from the beginning, and saved us
all a lot of time. Your problem has nothing to do with "OpenLDAP, SASL and
TLS" and everything to do with Active Directory and its (lack of) support
for SASL and TLS.
I just came across this: "While Active Directory permits SASL binds to be
> performed on an SSL/TLS-protected connection, it does not permit the use
> of
> SASL-layer confidentiality/integrity protection mechanisms on such a
> connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).
>
> Could this be my issue?
>
Obviously yes.
Is there a way to turn off the SASL-layer
> confidentiality/integrity protection mechanisms when I use openLDAP?
>
Read the ldap.conf(5) manpage.
>
> Thanks,
> Kris
>
> On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs(a)gmail.com
> <mailto:kristof.takacs@gmail.com>> wrote:
>
> Thanks for letting me know that it's an ok use case.
>
> The back end is AD, but it is a "black box" to me. I have access,
> but the
> event viewer is empty. It does work if I use Kerberos only or TLS
> with
> simple bind through. Is there anything you can suggest that I can do
> on
> the server side to show me what it may be complaining about?
>
> Thanks for your help!
> Kris
>
> On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc(a)symas.com
> <mailto:hyc@symas.com>> wrote:
>
> Kristof Takacs wrote:
>
> Is the usecase of SASL authentication with Kerberos to the
> LDAP
> server and TLS
> to the LDAP server for all other communication a valid one?
>
>
> Certainly it is valid, and has worked in the past. Just keep in
> mind
> that what you've described here is SASL/GSSAPI + TLS on the same
> session. Not all LDAP servers support that, M$ AD is known to have
> failed on that in the past. It has been tested to work fine in
> OpenLDAP before.
>
> I have not personally tested with the version of Cyrus SASL and
> Heimdal Kerberos you mentioned, so no comment on the current
> state of
> things.
>
>
> Thanks,
> Kris
>
>
>
> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net
> <mailto:dwhite@olp.net>
> <mailto:dwhite@olp.net <mailto:dwhite@olp.net>>> wrote:
>
> On 10/06/14 13:24 -0500, Dan White wrote:
>
> There is a known bug in Cyrus SASL which triggers
> this
> problem:
>
> https://bugzilla.cyrusimap.____org/show_bug.cgi?id=3480
> <https://bugzilla.cyrusimap.__
> org/show_bug.cgi?id=3480
> <https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480>>
>
> If adding "-O maxssf=0" to your ldapsearch command,
> when
> using both
> Kerberos and TLS, works then that's likely the
> culprit.
>
>
> Apparently I can't read my own bug reports. This may or
> may
> not be your
> issue.
>
> --
> Dan White
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3277
days inactive
3279
days old
openldap-technical@openldap.org
8 comments
3 participants
participants (3)
-
Dan White -
Howard Chu -
Kristof Takacs