joe wrote:
The OP's issue is possibly due to not having the CA's cert on the machine.

Yes, indeed I didn't have it on the client. I've done that now. So I'm
making progress... but I'm not quite there. See below.

I got a different response now using debug level 7. There is a lot of
data. At the end I get:
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
(will send the full message if it is necessary - it's just very long)

I did a bit of a search and found some things on this list's archives.
However, I'm not trying to connect an ldap server to an ldap server. So
I only have ldap-utils installed and not the server. Is there some SASL
configuration necessary?

Any ideas? Many thanks!

Older releases of ActiveDirectory don't support GSSAPI on top of SSL. I seem to recall this bug was fixed in the most recent 2008 server release.

Also, binding with SASL/GSSAPI only works if you've already got a TGT for the AD domain. (E.g., you already ran kinit successfully.) Otherwise, you should not be using SASL/GSSAPI. Use -x to get a Simple Bind, and use -D / -W.
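The two bind paths from the reply above, as an added example that is not part of this thread: a small POSIX shell script that uses SASL/GSSAPI only when `klist -s` reports a valid TGT in the credential cache and otherwise falls back to a simple bind (`-x -D ... -W`) over LDAPS, warning first if no CA certificate is configured (the missing-CA problem from the first message). It assumes ldap-utils and an MIT or Heimdal `klist`; the host, base DN and bind DN are placeholders, and `LDAPTLS_CACERT`/`LDAPCONF` are OpenLDAP's own client environment variables.

```shell
#!/bin/sh
# ad-bind.sh: added example, not code from the mailing-list thread.
# Picks an ldapsearch bind mode for an AD domain controller depending
# on whether a Kerberos TGT is available, as the reply describes.
# Assumed: ldapsearch (ldap-utils) and klist (MIT or Heimdal) installed.

AD_HOST="${AD_HOST:-dc1.example.com}"                        # placeholder
BASE_DN="${BASE_DN:-DC=example,DC=com}"                      # placeholder
BIND_DN="${BIND_DN:-CN=reader,CN=Users,DC=example,DC=com}"   # placeholder

# Exit 0 only when a usable, non-expired TGT is in the credential cache.
have_tgt() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# Print the bind-related ldapsearch options for a mode.
#   gssapi: SASL/GSSAPI over plain ldap:// (older AD releases reject
#           GSSAPI on top of SSL; the SASL layer encrypts the session)
#   simple: -x simple bind over ldaps://, which needs the AD CA cert
#           trusted via TLS_CACERT in ldap.conf or LDAPTLS_CACERT
bind_args() {
    case "$1" in
        gssapi) printf '%s' "-H ldap://$AD_HOST -Y GSSAPI" ;;
        simple) printf '%s' "-H ldaps://$AD_HOST -x -D $BIND_DN -W" ;;
        *)      echo "unknown bind mode: $1" >&2; return 1 ;;
    esac
}

# GSSAPI is only an option once kinit has succeeded; otherwise use simple.
select_mode() {
    if have_tgt; then echo gssapi; else echo simple; fi
}

# Exit 0 when a CA certificate (or CA directory) is configured for the
# client, either in an ldap.conf-style file or via LDAPTLS_CACERT.
check_ca_configured() {
    [ -n "${LDAPTLS_CACERT:-}" ] && return 0
    for f in "${LDAPCONF:-}" "$HOME/.ldaprc" /etc/ldap/ldap.conf /etc/openldap/ldap.conf; do
        [ -n "$f" ] && [ -r "$f" ] \
            && grep -Eq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$f" && return 0
    done
    return 1
}

main() {
    mode=$(select_mode)
    if [ "$mode" = simple ] && ! check_ca_configured; then
        echo "warning: no TLS_CACERT configured; the LDAPS handshake will fail" >&2
    fi
    echo "binding with mode: $mode" >&2
    # Word-splitting of bind_args output is intended here.
    # shellcheck disable=SC2046
    ldapsearch $(bind_args "$mode") -b "$BASE_DN" -s base '(objectClass=*)'
}

# Run the search only when asked, so the file can also be sourced.
if [ -n "${RUN_AD_BIND:-}" ]; then
    main "$@"
fi
```

Run it as `RUN_AD_BIND=1 sh ad-bind.sh` after `kinit user@EXAMPLE.COM` to get a GSSAPI bind, or without a ticket to get the simple-bind prompt for the password. If the GSSAPI path still ends in `Local error (-2)`, the first thing to check is `klist` output: the ticket must be for the AD realm and the host name given to `-H` must match the DC's Kerberos principal.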

