Thanks for letting me know that it's an ok use case. The back end is AD, but it is a "black box" to me. I have access, but the event viewer is empty. It does work if I use Kerberos only or TLS with simple bind through. Is there anything you can suggest that I can do on the server side to show me what it may be complaining about?
Thanks for your help!
Kris

On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <[email protected]> wrote:
> Kristof Takacs wrote:
>
>> Is the use case of SASL authentication with Kerberos to the LDAP server
>> and TLS to the LDAP server for all other communication a valid one?
>>
>
> Certainly it is valid, and has worked in the past. Just keep in mind that
> what you've described here is SASL/GSSAPI + TLS on the same session. Not
> all LDAP servers support that, M$ AD is known to have failed on that in the
> past. It has been tested to work fine in OpenLDAP before.
>
> I have not personally tested with the version of Cyrus SASL and Heimdal
> Kerberos you mentioned, so no comment on the current state of things.
>
>>
>> Thanks,
>> Kris
>>
>> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <[email protected]> wrote:
>>
>>     On 10/06/14 13:24 -0500, Dan White wrote:
>>
>>         There is a known bug in Cyrus SASL which triggers this problem:
>>
>>         https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>>
>>         If adding "-O maxssf=0" to your ldapsearch command, when using both
>>         Kerberos and TLS, works then that's likely the culprit.
>>
>>     Apparently I can't read my own bug reports. This may or may not be your
>>     issue.
>>
>>     --
>>     Dan White
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
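The three-way check the thread circles around (SASL/GSSAPI plus TLS on one session, the same with the SASL security layer disabled via "-O maxssf=0", and GSSAPI alone), written out as an added example by the editor; it is not code from the thread or from the OpenLDAP or Cyrus SASL projects. It assumes a hypothetical server URI and base DN, a Kerberos TGT already obtained with kinit, StartTLS reachable with "-ZZ" (for an ldaps:// URI drop "-ZZ"), and OpenLDAP's ldapsearch on the client. The classify helper is the editor's encoding of Dan White's rule of thumb, not an official diagnostic.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Probes an LDAP server in the three binding modes discussed and applies
# the rule of thumb from the thread to the three exit statuses.
# Hypothetical values: LDAP_URI and BASE_DN. A TGT from kinit is assumed.

LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"   # hypothetical host
BASE_DN="${BASE_DN:-dc=example,dc=com}"          # hypothetical base DN

# Run one base-scope search; "$@" selects the bind mode under test.
# Returns ldapsearch's exit status (0 means bind and search succeeded).
probe() {
    ldapsearch -LLL -H "$LDAP_URI" -b "$BASE_DN" -s base "$@" \
        '(objectClass=*)' namingContexts >/dev/null 2>&1
}

# Rule of thumb from the thread: if GSSAPI+TLS fails but the identical
# request with the SASL security layer disabled (-O maxssf=0) succeeds,
# and GSSAPI on its own also succeeds, the SASL layer negotiation on top
# of TLS is the likely culprit (Cyrus SASL bug 3480). Arguments are the
# exit statuses of: GSSAPI+TLS, GSSAPI+TLS with maxssf=0, GSSAPI alone.
classify() {
    gssapi_tls=$1; gssapi_tls_nolayer=$2; gssapi_only=$3
    if [ "$gssapi_tls" -eq 0 ]; then
        echo "gssapi+tls ok"
    elif [ "$gssapi_tls_nolayer" -eq 0 ] && [ "$gssapi_only" -eq 0 ]; then
        echo "sasl-security-layer-over-tls (try -O maxssf=0 / SASL_SECPROPS maxssf=0)"
    elif [ "$gssapi_only" -ne 0 ]; then
        echo "kerberos/gssapi itself failing (check kinit, SPN, KDC)"
    else
        echo "tls-or-server-side (check certificates, server logs)"
    fi
}

# Only talk to a real server when explicitly asked (RUN_PROBES=1).
if command -v ldapsearch >/dev/null 2>&1 && [ "${RUN_PROBES:-0}" = 1 ]; then
    probe -Y GSSAPI -ZZ;             rc1=$?
    probe -Y GSSAPI -ZZ -O maxssf=0; rc2=$?
    probe -Y GSSAPI;                 rc3=$?
    classify "$rc1" "$rc2" "$rc3"
fi
```

Run it with RUN_PROBES=1 after kinit. If the second probe is the only one of the first two that works, the persistent equivalent of "-O maxssf=0" is the "SASL_SECPROPS maxssf=0" directive in ldap.conf (or the user's ~/.ldaprc). The caveat a practitioner should keep in mind: maxssf=0 turns off SASL's own integrity and confidentiality layer, so it is only acceptable when the session is already protected by TLS, which is exactly the combination under discussion; do not carry that setting over to connections that are not TLS-wrapped.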
