> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Markus Moeller
> Sent: Friday, April 10, 2009 3:13 AM
> To: [email protected]
> Subject: Re: SASL authentication
>
> Why do you want to use SSL if you can use SASL GSSAPI with
> sasl secprops maxssf = 56 ? I don't remember the default
> for the Mozilla SDK, if it sets maxssf > 0 as default you
> need to set it to 0 when using SSL otherwise you have a
> conflict of requesting two encryption methods GSSAPI and SSL.

Hi, Markus:

Do you mean GSSAPI binding can't work with SSL? I tried with the OpenLDAP utility and got the same result.

Firstly, I did an SSL binding to verify it works:
==============================================
q...@durian(pts/1):/[39]$ ldapsearch -H 'ldaps://13.198.98.35:636' -b 'dc=sesswin2003,dc=com' -s base -x -D 'cn=xuan,cn=users,dc=sesswin2003,dc=com' -w 'Fair123' -s sub -LLL 'cn=qxu' mail
dn: CN=qxu,CN=Users,DC=sesswin2003,DC=com
mail: [email protected]

# refldaps://ForestDnsZones.sesswin2003.com/DC=ForestDnsZones,DC=sesswin2003,DC=com
# refldaps://DomainDnsZones.sesswin2003.com/DC=DomainDnsZones,DC=sesswin2003,DC=com
# refldaps://sesswin2003.com/CN=Configuration,DC=sesswin2003,DC=com
==============================================
Before this operation, I had added the line "TLS_REQCERT never" to the file "/etc/openldap/ldap.conf".

Then a SASL binding:
==============================================
q...@durian(pts/1):/[40]$ kinit [email protected]
Password for [email protected]:
q...@durian(pts/1):/[41]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: [email protected]

Valid starting     Expires            Service principal
04/13/09 11:00:52  04/13/09 21:03:18  krbtgt/[email protected]
        renew until 04/14/09 11:00:52

Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
q...@durian(pts/1):/[42]$ ldapsearch -Y GSSAPI -H 'ldap://13.198.98.35' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL installing layers
dn: CN=qxu,CN=Users,DC=sesswin2003,DC=com
mail: [email protected]

# refldap://ForestDnsZones.sesswin2003.com/DC=ForestDnsZones,DC=sesswin2003,DC=com
# refldap://DomainDnsZones.sesswin2003.com/DC=DomainDnsZones,DC=sesswin2003,DC=com
# refldap://sesswin2003.com/CN=Configuration,DC=sesswin2003,DC=com
==============================================
It works as expected.

Finally, I did a combination of SSL + SASL:
==============================================
q...@durian(pts/1):/[44]$ ldapsearch -Y GSSAPI -H 'ldaps://13.198.98.35:636' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
        additional info: 00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos signing/sealing when using TLS/SSL, data 0, vece
==============================================
The error is the same as when I use MozLDAP. So, can I say SASL can't work together with SSL?

Thanks,
Xu Qiang

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
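The advice in Markus's reply (disable the GSSAPI security layer when TLS already encrypts the session, keep it when the connection is plain ldap://) put into a checkable form; this is an added example, not code from the thread or from OpenLDAP, and the host, base DN and filter are placeholders. It uses ldapsearch's real `-O` option for SASL security properties.

```shell
#!/bin/sh
# Added example: choose SASL secprops for an OpenLDAP GSSAPI bind so that
# exactly one layer encrypts the session.
#  - ldaps://  TLS already protects the connection; the GSSAPI layer must be
#              off (maxssf=0) or Active Directory rejects the bind with
#              "Cannot start kerberos signing/sealing when using TLS/SSL".
#  - ldap://   the GSSAPI layer is the only protection, so require it
#              (minssf=56 matches the SSF the thread observed).

# Print the -O value for an LDAP URI; fail on any other scheme.
ldap_sasl_secprops() {
    case "$1" in
        ldaps://*) printf '%s\n' 'maxssf=0' ;;
        ldap://*)  printf '%s\n' 'minssf=56' ;;
        *) printf 'unsupported URI scheme: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Build the ldapsearch command line (printed, not executed, so it can be
# reviewed first). Arguments: URI, base DN, filter, attributes...
ldap_gssapi_search_cmd() {
    uri="$1"; base="$2"; filter="$3"; shift 3
    props="$(ldap_sasl_secprops "$uri")" || return 1
    printf 'ldapsearch -Y GSSAPI -O %s -H %s -b %s -s sub -LLL %s %s\n' \
        "$props" "$uri" "$base" "$filter" "$*"
}

# Demo with constructed placeholder values (not a real directory).
ldap_gssapi_search_cmd 'ldaps://dc.example.test:636' 'dc=example,dc=test' '(cn=qxu)' mail
ldap_gssapi_search_cmd 'ldap://dc.example.test' 'dc=example,dc=test' '(cn=qxu)' mail
```

The same property can be set for every client in ldap.conf with `SASL_SECPROPS maxssf=0`; keeping minssf on plain ldap:// means a client that fails to negotiate the GSSAPI layer gets a bind error rather than a cleartext session.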
