Howard, Thanks for the confirmation.
I read the option for SASL and I didn't find the option that I should use. The *SASL_SECPROPS* option seems to be the one to use, but in that case it seems like I can turn off plain text rather than turn it on. The gssapi section does look right as well, but it does not look like I built with the HAVE_GSSAPI option. Can you please point me to the section I may be missing?

Thanks,
Kris

On Tue, Oct 7, 2014 at 2:26 PM, Howard Chu <[email protected]> wrote:
> Kristof Takacs wrote:
>
>> Hello,
>
> You should have said you were using AD from the beginning, and saved us
> all a lot of time. Your problem has nothing to do with "OpenLDAP, SASL and
> TLS" and everything to do with Active Directory and its (lack of) support
> for SASL and TLS.
>
>> I just came across this: "While Active Directory permits SASL binds to be
>> performed on an SSL/TLS-protected connection, it does not permit the use
>> of SASL-layer confidentiality/integrity protection mechanisms on such a
>> connection." (http://msdn.microsoft.com/en-us/library/cc223507.aspx).
>>
>> Could this be my issue?
>
> Obviously yes.
>
>> Is there a way to turn off the SASL-layer
>> confidentiality/integrity protection mechanisms when I use openLDAP?
>
> Read the ldap.conf(5) manpage.
>
>> Thanks,
>> Kris
>>
>> On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <[email protected]> wrote:
>>
>>     Thanks for letting me know that it's an ok use case.
>>
>>     The back end is AD, but it is a "black box" to me. I have access,
>>     but the event viewer is empty. It does work if I use Kerberos only
>>     or TLS with simple bind through. Is there anything you can suggest
>>     that I can do on the server side to show me what it may be
>>     complaining about?
>>
>>     Thanks for your help!
>>     Kris
>>
>>     On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <[email protected]> wrote:
>>
>>         Kristof Takacs wrote:
>>
>>             Is the usecase of SASL authentication with Kerberos to the
>>             LDAP server and TLS to the LDAP server for all other
>>             communication a valid one?
>>
>>         Certainly it is valid, and has worked in the past. Just keep in
>>         mind that what you've described here is SASL/GSSAPI + TLS on
>>         the same session. Not all LDAP servers support that, M$ AD is
>>         known to have failed on that in the past. It has been tested
>>         to work fine in OpenLDAP before.
>>
>>         I have not personally tested with the version of Cyrus SASL
>>         and Heimdal Kerberos you mentioned, so no comment on the
>>         current state of things.
>>
>>             Thanks,
>>             Kris
>>
>>             On Mon, Oct 6, 2014 at 2:27 PM, Dan White <[email protected]> wrote:
>>
>>                 On 10/06/14 13:24 -0500, Dan White wrote:
>>
>>                     There is a known bug in Cyrus SASL which triggers
>>                     this problem:
>>
>>                     https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>>
>>                     If adding "-O maxssf=0" to your ldapsearch command,
>>                     when using both Kerberos and TLS, works then that's
>>                     likely the culprit.
>>
>>                 Apparently I can't read my own bug reports. This may or
>>                 may not be your issue.
>>
>>                 --
>>                 Dan White
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
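For reference, this is what the ldap.conf(5) setting the thread keeps circling around looks like in practice: SASL_SECPROPS with maxssf=0 stops the client from negotiating a SASL integrity/confidentiality layer, which is the restriction Active Directory imposes on SASL binds over an SSL/TLS-protected connection. This is an added illustration, not a file from the thread; the server name, base DN and CA path are placeholders.

```conf
# ~/.ldaprc or /etc/openldap/ldap.conf (path varies by distribution)
# Added example; server name, base DN and CA path are placeholders.
URI      ldaps://dc1.example.test
BASE     dc=example,dc=test

# SASL_SECPROPS sets the Cyrus SASL security properties the client
# negotiates.  maxssf=0 means "do not negotiate a SASL security layer",
# so GSSAPI is used for authentication only and the SASL layer adds no
# integrity or confidentiality protection of its own.
# noplain/noanonymous keep mechanisms such as PLAIN and ANONYMOUS off
# the table; they do not affect GSSAPI.
SASL_SECPROPS   noplain,noanonymous,maxssf=0

# With maxssf=0 the session is protected only by TLS, so the TLS side
# must actually verify the server: demand a certificate and check it
# against the CA that signed the domain controller's certificate.
TLS_REQCERT     demand
TLS_CACERT      /etc/ssl/certs/example-ca.pem
```

The same property can be given per command instead of in the config file, which is what Dan White's `-O maxssf=0` hint does: `ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://dc1.example.test -b dc=example,dc=test ...`. Setting maxssf=0 is only a reasonable trade when every connection that uses it is TLS-protected with certificate checking left on; on a plain ldap:// connection without StartTLS it would leave the LDAP traffic after the bind unprotected.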
