I think this would fix it
--- LDAP.pm 2008-10-27 20:05:58.000000000 +0000
+++ LDAP.pm.new 2009-11-15 21:07:49.000000000 +0000
@@ -397,6 +397,9 @@
sockname => $ldap->{net_ldap_socket}->sockname,
peername => $ldap->{net_ldap_socket}->peername,
);
+ $sasl_conn->property(
+ maxssf => 0,
+ ) if ($ldap->{scheme} eq 'ldaps'),
my $initial = $sasl_conn->client_start;
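Review bot: The third added line ends with a comma instead of a semicolon, so the `if` modifier's condition is the comma expression `($ldap->{scheme} eq 'ldaps'), my $initial = $sasl_conn->client_start`: client_start runs first and unconditionally, and the property is applied only afterwards and only when `$initial` is true, which is the reverse of what the fix needs. Change it to `) if ($ldap->{scheme} eq 'ldaps');`. The neighbouring lines read the socket from `$ldap->{net_ldap_socket}`, so the scheme is probably stored under a prefixed key as well (`net_ldap_scheme` in Net::LDAP); confirm the key, because a wrong one makes the guard silently false and leaves the SASL layer negotiated. The guard is what keeps `maxssf => 0` safe: it drops the SASL integrity/confidentiality layer, which is acceptable only where TLS already protects the session, and a plain `ldap://` connection upgraded with start_tls keeps the `ldap` scheme, so checking the socket class may be the better test if that case matters. The enclosing sub starts and ends outside the hunk.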
Markus
"Markus Moeller" <hua...@moeller.plus.com> wrote in message
news:hdpgn1$9i...@ger.gmane.org...
I get the following error when I use LDAPS with SASL/GSSAPI authentication
to Active Directory. The error occurs because SASL/GSSAPI tries to encrypt
the connection although SSL encryption is already used. This can be
disabled by setting the SASL security property maxssf to 0, but it does
not seem to work. Am I using it wrongly, or is the value not passed through?
Thank you
Markus
The error message I get is:
00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos
signing/sealing when using TLS/SSL, data 0, vece at ./LDAP-AD-query.pl
My perl script:
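#!/usr/bin/perl
#
# Reads LDAP Attributes
#
# Looks up one account in an Active Directory Global Catalog over LDAPS,
# binding with SASL/GSSAPI from a keytab, and prints a few of its
# attributes. Side effects: creates (and removes) a Kerberos credential
# cache under /tmp, sets $ENV{KRB5CCNAME}, writes to STDOUT.
#
use strict;
use warnings;

use Net::LDAPS;
use Authen::SASL qw(Perl);
# use Authen::SASL;
use Authen::Krb5;
use Net::DNS;

my $user = 'mm';

# DNS details
my $ares = Net::DNS::Resolver->new;
my $nres = Net::DNS::Resolver->new;
my $rres = Net::DNS::Resolver->new;
my $aquery = $ares->query("win2003r2.home");

# Hosts that pass the forward/reverse DNS round trip below. They are pushed
# directly rather than joined into a space-separated string, which left a
# leading empty element after split(/\s+/, ...).
my @hosts;

#
# Query DNS and make sanity checks to guaranty Kerberos works
#
# Each A record must have a PTR whose name resolves back to the same
# address; presumably the GSSAPI bind needs a hostname that matches the
# server's service principal (the original comment only says "Kerberos").
#
if ($aquery) {
    # loop over list of IP-addresses
    foreach my $arr ($aquery->answer) {
        next unless $arr->type eq "A";
        my $nquery = $nres->query($arr->address);
        next unless $nquery;
        # Get names for IP-addresses
        foreach my $nrr ($nquery->answer) {
            next unless $nrr->type eq "PTR";
            my $rquery = $rres->query($nrr->ptrdname);
            next unless $rquery;
            # Check if DNS lookup of name gives same IP-address
            foreach my $rrr ($rquery->answer) {
                next unless $rrr->type eq "A";
                push @hosts, $nrr->ptrdname if $rrr->address eq $arr->address;
            }
        }
    }
} else {
    # A method call does not interpolate inside a double-quoted string; the
    # original "$ares->errorstring" printed the resolver reference instead.
    print("DNS query failed: " . $ares->errorstring . " \n");
    exit;
}
die "No host passed the DNS round-trip check\n" unless @hosts;

# ldap details
my $server = \@hosts;    # was mail-munged to "\...@hosts" in the posted copy
my $bind_path = 'dc=win2003r2,dc=home';
my ($mail, $samaccountname, $userprincipalname, $useraccountcontrol);
my ($ldap, $sasl, $mesg, $entry);

#
# Connect to Global Catalog to get details of all trusted domain users
#
# $ldap = Net::LDAP->new( $server,
#     port => 3268,
$ldap = Net::LDAPS->new( $server,
    port    => 3269,
    timeout => 2,
    # verify => 'never' accepts any server certificate, so TLS authenticates
    # nothing here; combined with maxssf => 0 below, TLS is also the only
    # protection the session gets. Prefer verify => 'require' with
    # cafile/capath outside a test setup.
    verify  => 'never',
    version => 3) or die "$@";

# Setup Kerberos cache
Authen::Krb5::init_context();
# NOTE(review): a predictable name under /tmp can be pre-created by another
# local user; a File::Temp-generated path would be safer.
my $ccache_name = "FILE:/tmp/.client.cache.$$";
my $ccache = Authen::Krb5::cc_resolve($ccache_name);
# Remove the cache on every exit path, including the die() calls below, so a
# failed bind does not leave a usable TGT behind in /tmp. Replaces the single
# destroy() that only ran on the success path.
END { $ccache->destroy if defined $ccache; }
my $kt = Authen::Krb5::kt_resolve('FILE:./clienttest.keytab');
# principal name is mail-munged in the posted copy ("client/t...@...")
my $princ = Authen::Krb5::parse_name('client/t...@win2003r2.home');
$ccache->initialize($princ);
my $creds = Authen::Krb5::get_init_creds_keytab($princ, $kt)
    or die "get_init_creds_keytab failed: " . Authen::Krb5::error();
$ccache->store_cred($creds);
$ENV{'KRB5CCNAME'} = $ccache_name;

# maxssf => 0 asks for no SASL security layer: AD rejects GSSAPI
# signing/sealing on a session that is already inside TLS (the error quoted
# in the post). Whether this constructor argument actually reaches the
# mechanism is the open question in the thread.
$sasl = Authen::SASL->new('GSSAPI', 'user' => '','maxssf' => 0 );
# $sasl = Authen::SASL->new('GSSAPI', 'user' => '', 'maxssf' => 0, debug => 13);
# $ldap->debug(15);
# $ldap->debug(255);

$mesg = $ldap->bind( '', sasl => $sasl );
die $mesg->error if $mesg->code;

# $user is a constant here; if it ever comes from input, escape it with
# Net::LDAP::Util::escape_filter_value before interpolating it into the filter.
$mesg = $ldap->search( # perform a search
    base      => $bind_path,
    filter    => "(samaccountname=$user)",
    timelimit => 2,
    attrs     => ['mail',
                  'samaccountname',
                  'useraccountcontrol',
                  'userprincipalname']
);
die $mesg->error if $mesg->code;

foreach $entry ($mesg->entries) {
    $mail               = $entry->get_value('mail');
    $samaccountname     = $entry->get_value('samaccountname');
    $useraccountcontrol = $entry->get_value('useraccountcontrol');
    $userprincipalname  = $entry->get_value('userprincipalname');
}
$mesg = $ldap->unbind; # take down session

# "my $x = ... if COND" has undefined semantics when COND is false (perlsyn),
# so declare first and assign conditionally.
# 0x0002 is the ACCOUNTDISABLE bit of userAccountControl; the LOCKOUT bit is
# 0x0010, so the "Locked" label below really reports a disabled account.
my $locked;
$locked = ($useraccountcontrol & 0x0002) ? "Yes" : "No"
    if defined $useraccountcontrol;

print("Retrieved LDAP Attributes:\n");
print("User-Mail = $mail\n");
print("User-SAM-Accountname = $samaccountname\n");
print("User-Account-Control = $useraccountcontrol\n");
print("User-Account-Locked = $locked \n");
print("User-Principal-name = $userprincipalname\n");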