Hello, I just came across this: "While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer confidentiality/integrity protection mechanisms on such a connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).
Could this be my issue? Is there a way to turn off the SASL-layer confidentiality/integrity protection mechanisms when I use openLDAP?

Thanks,
Kris

On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <[email protected]> wrote:
> Thanks for letting me know that it's an ok use case.
>
> The back end is AD, but it is a "black box" to me. I have access, but the event viewer is empty. It does work if I use Kerberos only or TLS with simple bind though. Is there anything you can suggest that I can do on the server side to show me what it may be complaining about?
>
> Thanks for your help!
> Kris
>
> On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <[email protected]> wrote:
>
>> Kristof Takacs wrote:
>>
>>> Is the use case of SASL authentication with Kerberos to the LDAP server and TLS to the LDAP server for all other communication a valid one?
>>
>> Certainly it is valid, and has worked in the past. Just keep in mind that what you've described here is SASL/GSSAPI + TLS on the same session. Not all LDAP servers support that, M$ AD is known to have failed on that in the past. It has been tested to work fine in OpenLDAP before.
>>
>> I have not personally tested with the version of Cyrus SASL and Heimdal Kerberos you mentioned, so no comment on the current state of things.
>>
>>> Thanks,
>>> Kris
>>>
>>> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <[email protected]> wrote:
>>>
>>>     On 10/06/14 13:24 -0500, Dan White wrote:
>>>
>>>         There is a known bug in Cyrus SASL which triggers this problem:
>>>
>>>         https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>>>
>>>         If adding "-O maxssf=0" to your ldapsearch command, when using both Kerberos and TLS, works then that's likely the culprit.
>>>
>>>     Apparently I can't read my own bug reports. This may or may not be your issue.
>>>
>>>     --
>>>     Dan White
>>
>> --
>> -- Howard Chu
>> CTO, Symas Corp. http://www.symas.com
>> Director, Highland Sun http://highlandsun.com/hyc/
>> Chief Architect, OpenLDAP http://www.openldap.org/project/
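The invocation the thread converges on, written out as an added example (it is not code from any of the posters): a Kerberos (SASL/GSSAPI) bind to an AD host over StartTLS with the SASL security layer switched off through `-O maxssf=0`, so that TLS alone protects the session, which is exactly the combination the quoted MSDN text says AD requires. The host `dc1.example.test`, the base DN, the `minssf=56` fallback policy and the script's own `LDAP_DRY_RUN` switch are assumptions for illustration; `-H`, `-Y`, `-O`, `-b`, `-LLL` and `-ZZ` are standard ldapsearch options.

```shell
#!/bin/sh
# Added example (not code from the thread): a Kerberos (SASL/GSSAPI) bind over
# StartTLS with the SASL security layer disabled via -O maxssf=0, so that TLS
# alone protects the session. The host and base DN below are placeholders.

# Choose SASL security properties for the transport in use. The SASL layer is
# relaxed only when TLS already protects the connection; without TLS, maxssf=0
# would leave everything after the bind in the clear, so a SASL layer with a
# minimum strength (the 56 here is an example policy) is demanded instead.
sasl_secprops() {
    case "$1" in
        tls)   printf '%s' 'maxssf=0' ;;
        plain) printf '%s' 'minssf=56' ;;
        *)     printf 'unknown transport: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Run (or, with LDAP_DRY_RUN=1, only print) the ldapsearch command.
#   $1 = LDAP host, $2 = search base, $3 = transport ("tls" or "plain")
run_gssapi_search() {
    host=$1 base=$2 transport=$3
    props=$(sasl_secprops "$transport") || return 1
    set -- -H "ldap://$host/" -Y GSSAPI -O "$props" -b "$base" -LLL
    if [ "$transport" = tls ]; then
        set -- "$@" -ZZ          # -ZZ: abort unless StartTLS succeeds
    fi
    set -- "$@" '(objectClass=*)' dn
    if [ "${LDAP_DRY_RUN:-0}" = 1 ]; then
        printf 'ldapsearch'; printf ' %s' "$@"; printf '\n'
        return 0
    fi
    ldapsearch "$@"          # needs a valid Kerberos ticket (kinit) first
}

# Demo: print the command that would be run against the placeholder AD host.
LDAP_DRY_RUN=1 run_gssapi_search dc1.example.test 'dc=example,dc=test' tls
```

The same effect can be made the default for every client on a box by putting `SASL_SECPROPS maxssf=0` in the OpenLDAP client `ldap.conf` (or a user's `~/.ldaprc`), which is worth doing only on hosts that always talk to the directory over TLS. If the bind still fails, `ldapsearch -d -1` prints the client-side SASL and TLS negotiation, which shows whether the GSSAPI exchange completed before the server closed the session.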
