Hi Simo, Hi Russ,

Thank you for your replies. There was a change in the sasl libraries which seems to have broken it. I posted the below to the sasl mailing list with no response. I know it used to work, but not anymore. Which versions do you use?

I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and observe the following:

This authenticates the user and encrypts the traffic via the gssapi (this works):

    ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"

This should authenticate the user but not encrypt the traffic (this fails):

    ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

This should authenticate the user with gssapi but encrypt the traffic with SSL (this fails):

    ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

This should authenticate the user with gssapi but encrypt the traffic with SSL (this fails):

    ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

Applying the "fix" from Bug 3480 (https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480) makes all 4 cases work. May I ask why the fix is not correct/applied? It really limits openldap/cyrus-sasl and makes it useless for many environments with Active Directory and enforced security (i.e. SSL).

Thank you
Markus

-----Original Message-----
From: Simo Sorce
Sent: Saturday, March 08, 2014 9:01 PM
To: Russ Allbery
Cc: Markus Moeller ; [email protected]
Subject: Re: Kerberos authentication to Active Directory with SSL encryption

On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote:
> "Markus Moeller" <[email protected]> writes:
>
> > I wonder if someone can point me to a way to achieve an ldaps connection
> > to Active Directory with Kerberos (or GSSAPI ).
>
> > SASL/GSSAPI seems broken and nobody seems to mind.
>
> Well, I do this all the time to our Active Directory server, so I know it
> works. Our experience is that you have to use TLS (which you appear to be
> doing), and you need to specify minssf=0 and maxssf=0 because Active
> Directory doesn't support a SASL privacy layer when TLS is in use. But it
> shouldn't require anything beyond that.

Indeed Active Directory supports only one privacy layer, you have to choose TLS or GSSAPI, can't do both.

However if you choose GSSAPI, Active Directory is a bit stubbornly strict in the meaning of privacy vs confidentiality bits, so if you use a library like cyrus-sasl you need to pass to it the "ad_compat" option, or some Active Directory servers with stricter policies may refuse to connect.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
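Putting Russ's and Simo's advice together, the thread describes two valid ways to bind to Active Directory with GSSAPI: over ldaps:// the TLS session is the only protection layer, so the SASL layer must be disabled with minssf=0,maxssf=0; over plain ldap:// the GSSAPI privacy layer does the protecting (the thread's working call used maxssf=56). The script below is an added example, not code from the thread or from the OpenLDAP or cyrus-sasl projects. It derives the -O security properties from the URI scheme and prints the ldapsearch command line as a dry run, so it needs no directory server to execute; the host name, base DN and filter are placeholders. Requiring minssf=56 on the plaintext-TCP path, so that a bind that cannot negotiate the privacy layer fails instead of proceeding unprotected, is my addition rather than the thread's setting.

```shell
#!/bin/sh
# Added example (not from the thread). Selects SASL security properties for a
# GSSAPI bind to Active Directory according to the transport in use.

# Print the -O value for the given LDAP URI.
#   ldaps://  -> TLS protects the session; AD will not stack a SASL layer on
#                top of it, so ask for none (minssf=0,maxssf=0).
#   ldap://   -> no TLS, so require the GSSAPI privacy layer (ssf 56 as in the
#                thread's working call; the minssf floor is an assumption here).
sasl_secprops_for_uri() {
    case "$1" in
        ldaps://*) echo "minssf=0,maxssf=0" ;;
        ldap://*)  echo "minssf=56,maxssf=56" ;;
        *) echo "unsupported URI scheme: $1" >&2; return 1 ;;
    esac
}

# Build the ldapsearch command line (dry run: printed, not executed).
# Arguments: URI, base DN, search filter. Values used below are placeholders.
build_ldapsearch_cmd() {
    uri=$1
    base=$2
    filter=$3
    props=$(sasl_secprops_for_uri "$uri") || return 1
    printf 'ldapsearch -Y GSSAPI -H %s -O %s -s sub -b %s %s\n' \
        "$uri" "$props" "$base" "$filter"
}

# Demonstration with placeholder values (run the printed line to perform the search).
build_ldapsearch_cmd "ldaps://dc.example.test" "DC=EXAMPLE,DC=TEST" "(samaccountname=mm)"
build_ldapsearch_cmd "ldap://dc.example.test" "DC=EXAMPLE,DC=TEST" "(samaccountname=mm)"
```

The "ad_compat" option Simo mentions is, as far as I know, a cyrus-sasl GSSAPI plugin option read from the SASL client configuration rather than a security property, so it is not something -O can pass; check the cyrus-sasl documentation for the configuration file your build reads. A practical check after changing these settings is to run the ldaps:// variant with -d 1 and confirm that the bind no longer reports the "generic failure" seen in the thread.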
