From: Simon Walter<simon.wal...@hokkaidotracks.com>
Date: Tue, 01 Dec 2009 17:25:18 +0900

joe wrote:
The OP's issue is possibly due to not having the CA's cert on the machine.
Yes, indeed I didn't have it on the client. I've done that now. So I'm
making progress... but I'm not quite there. See below.

I got a different response now using debug level 7. There is a lot of
data. At the end I get:
-----
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO
EXTERNAL DIGEST-MD5
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_open: host=adserver.domain.com
SASL/GSSAPI authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
-----
(will send the full message if it is necessary - it's just very long)

I did a bit of a search and found some things on this list's archives.
However, I'm not trying to connect an ldap server to an ldap server. So
I only have ldap-utils installed and not the server. Is there some SASL
configuration necessary?

Any ideas? Many thanks!

Older releases of Active Directory don't support GSSAPI on top of SSL. I seem to recall this bug was fixed in the most recent 2008 server release.

Also, binding with SASL/GSSAPI only works if you've already got a TGT for the AD domain. (E.g., you already ran kinit successfully.) Otherwise, you should not be using SASL/GSSAPI. Use -x to get a Simple Bind, and use -D / -W.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
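The rule in the reply above (SASL/GSSAPI only when a TGT already exists, otherwise a simple bind with -x, -D and -W) can be turned into a small wrapper around ldapsearch. The script below is an added example, not code from the thread or from the OpenLDAP project. The host is the placeholder from the thread; the base DN, the bind DN and the script's file name (ad_bind.sh) are assumptions. It uses `klist -s`, the silent TGT check of MIT Kerberos (Heimdal accepts the same flag), and it sends the simple bind over ldaps:// so the password is never on the wire in the clear, while the GSSAPI bind goes over plain ldap:// to sidestep the GSSAPI-over-SSL problem with older AD releases that the reply mentions.

```shell
#!/bin/sh
# Added example: choose the ldapsearch bind method against an AD server.
#   - a valid TGT in the credential cache  -> SASL/GSSAPI over ldap://
#   - no TGT                                -> simple bind (-x -D -W) over ldaps://
# Values below are placeholders/assumptions, not from the thread's environment.

AD_HOST="adserver.domain.com"                        # placeholder host from the thread
BASE_DN="dc=domain,dc=com"                           # assumed base DN
BIND_DN="cn=svc-ldap,cn=Users,dc=domain,dc=com"      # assumed account for simple bind

# have_tgt: exit 0 only when a valid, unexpired TGT is in the default cache.
have_tgt() {
    command -v klist >/dev/null 2>&1 && klist -s >/dev/null 2>&1
}

# choose_mode: map the TGT check's exit status ($1) to a bind mode name.
choose_mode() {
    if [ "$1" -eq 0 ]; then echo gssapi; else echo simple; fi
}

# bind_args: print the ldapsearch authentication options for a mode.
#   $1 = "gssapi" | "simple";  $2 = bind DN (simple mode only, no spaces assumed)
bind_args() {
    case "$1" in
        gssapi) printf '%s' "-Y GSSAPI" ;;
        simple) printf '%s' "-x -D $2 -W" ;;
        *)      return 1 ;;
    esac
}

# conn_uri: GSSAPI supplies its own SASL security layer, so plain ldap:// is used;
# the simple bind carries a password and therefore must go over ldaps://.
conn_uri() {
    case "$1" in
        gssapi) printf 'ldap://%s' "$2" ;;
        simple) printf 'ldaps://%s' "$2" ;;
        *)      return 1 ;;
    esac
}

# Main flow runs only when the script is executed under its assumed name,
# so the functions can also be sourced from another shell.
if [ "${0##*/}" = "ad_bind.sh" ]; then
    have_tgt; tgt_rc=$?
    mode=$(choose_mode "$tgt_rc")
    echo "bind mode: $mode" >&2
    # shellcheck disable=SC2046   # word splitting of bind_args output is intended
    ldapsearch -H "$(conn_uri "$mode" "$AD_HOST")" $(bind_args "$mode" "$BIND_DN") \
        -b "$BASE_DN" -s base '(objectClass=*)'
fi
```

Run `kinit user@REALM` first to take the GSSAPI path; without a ticket the script prompts for the bind password (-W) instead of failing with a local SASL error.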
