[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
Thank you, Christian. As discussed with Andreas, I've added a cyrus-sasl2 task to this bug and assigned him to it. This bug is probably going to involve modifications on cyrus-sasl2 only; after channel binding has been implemented there, we should be able to enable it in openldap by just rebuilding the package. Either way, I'm leaving the openldap task open and assigned to myself just in case. Thanks.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1912256

Title:
  Missing channel binding prevents authentication to ActiveDirectory

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1912256/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openldap (Ubuntu)
       Status: New => Confirmed
[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: cyrus-sasl2 (Ubuntu)
       Status: New => Confirmed
[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
** Also affects: cyrus-sasl2 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: cyrus-sasl2 (Ubuntu)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)

** Changed in: cyrus-sasl2 (Ubuntu)
     Assignee: Sergio Durigan Junior (sergiodj) => Andreas Hasenack (ahasenack)
[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
Hi,
I'm revisiting bugs that have been dormant for too long, trying to retriage them.
In this case the current situation to me looks like:
- openldap change 3cd50fa having landed in v2.5.8 and later
- cyrus-sasl change 975edbb6 still isn't in any release AFAICS
  - that is odd as https://github.com/cyrusimap/cyrus-sasl/pull/601 which it is part of landed
  - it is in the master branch as expected
  - but cyrus-sasl-2.1.28 which was tagged much later does not contain it

There must be something to understand between cyrus-sasl and cyrus-imapd releases that I do not know yet :-)

  $ git range-diff cyrus-sasl-2.1.27..cyrus-sasl-2.1.28 cyrus-sasl-2.1.27..upstream/master
  ...
   -: > 51: 975edbb6 Add Channel Binding support for GSSAPI/GSS-SPNEGO

I have no experience/insight in their release process. But @Sergio - maybe it is time to revisit why it has been left out and try to at least add it to Kinetic if it makes sense.

** Changed in: openldap (Ubuntu)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)

** Tags added: server-todo
[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
I should maybe add the following detail:

Channel binding, from all I can tell, is only available via TLS (even conceptually). That is, the issue mentioned in the bug report only happens when using ldaps.

In certain cases, it is therefore possible to work around the lack of channel binding by _not using TLS_. Typically, you'll have to set minssf to >=1 if TLS is not used, due to security settings of the LDAP server (AD DC).
[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
Thanks for taking the time to file this bug and try to make Ubuntu better. I subscribed ubuntu-server and Sergio, who has been working on this stack recently, to investigate what you described.
[Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
Might have been confusing to write

  # kinit
  $ export LDAPSASL_CBINDING=tls-endpoint

Both are supposed to be called from the same user. I meant to imply that an existing, valid ticket in the current user's credential cache is required for krb5 authentication via SASL in the ldapwhoami step.
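Added example, not code from the bug thread, cyrus-sasl or openldap: what the tls-endpoint channel binding named by LDAPSASL_CBINDING (and discussed in the comment above about TLS and minssf) actually consists of. RFC 5929 tls-server-end-point is a hash of the server's DER certificate, using the hash from the certificate's signatureAlgorithm with MD5/SHA-1 upgraded to SHA-256; the GSSAPI client mixes this value into its authentication, so a token replayed through a different TLS endpoint no longer verifies. The OID table, the minimal DER walker and the constructed certificate bytes are this example's own assumptions.

```python
import hashlib

# DER content bytes of a signatureAlgorithm OID -> hash RFC 5929 selects for it.
# MD5 and SHA-1 signatures are mapped to SHA-256 as the RFC requires.
SIG_OID_TO_HASH = {
    bytes.fromhex("2a864886f70d010104"): "sha256",  # md5WithRSAEncryption
    bytes.fromhex("2a864886f70d010105"): "sha256",  # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "sha256",  # sha256WithRSAEncryption
    bytes.fromhex("2a864886f70d01010c"): "sha384",  # sha384WithRSAEncryption
    bytes.fromhex("2a864886f70d01010d"): "sha512",  # sha512WithRSAEncryption
    bytes.fromhex("2a8648ce3d040302"): "sha256",    # ecdsa-with-SHA256
    bytes.fromhex("2a8648ce3d040303"): "sha384",    # ecdsa-with-SHA384
    bytes.fromhex("2a8648ce3d040304"): "sha512",    # ecdsa-with-SHA512
}

def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def signature_hash_name(cert_der):
    """Walk Certificate -> (tbsCertificate, signatureAlgorithm) and pick the hash."""
    tag, start, _ = der_tlv(cert_der, 0)                    # Certificate SEQUENCE
    tag2, _, tbs_end = der_tlv(cert_der, start)             # tbsCertificate (skipped)
    tag3, alg_start, _ = der_tlv(cert_der, tbs_end)         # signatureAlgorithm SEQUENCE
    tag4, oid_start, oid_end = der_tlv(cert_der, alg_start) # its algorithm OID
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 Certificate")
    return SIG_OID_TO_HASH[cert_der[oid_start:oid_end]]

def tls_server_end_point(cert_der):
    """RFC 5929 tls-server-end-point: hash of the entire DER certificate."""
    return hashlib.new(signature_hash_name(cert_der), cert_der).digest()

def fake_cert(sig_oid_hex):
    """Constructed, structurally minimal stand-in for a server certificate (demo only)."""
    oid = bytes.fromhex(sig_oid_hex)
    tbs = bytes.fromhex("3003020102")                       # SEQUENCE { INTEGER 2 }
    alg = bytes([0x30, len(oid) + 2, 0x06, len(oid)]) + oid # SEQUENCE { OID }
    sig = bytes.fromhex("03020000")                         # BIT STRING, one zero octet
    body = tbs + alg + sig
    return bytes([0x30, len(body)]) + body
```

Against a real server, the same computation runs over the leaf certificate presented in the TLS handshake; the SASL layer then binds the GSSAPI exchange to that digest rather than to the bare connection.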