I finally got also SSL working after fixing the mentioned bug
ldapsearch -vvv -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required
input parameter could not be read (Unknown error)
opensuse12:~ > sudo bash
opensuse12:~ # cp /usr/lib64/sasl2/libgssapiv2.so.2.0.25.fix
/usr/lib64/sasl2/libgssapiv2.so.2.0.25
opensuse12:~ # exit
logout
markus@opensuse12:~> ldapsearch -vvv -H
ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME
"(samaccountname=mm)"
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
SASL username: mm@xxxxxxxxxxxxxx
SASL SSF: 0
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#
# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller
....
Markus
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:kkpml5$v3e$1@xxxxxxxxxxxxx...
Hi
I did test my setup and I do not see any difference with my ldap GSSAPI
authentication when using signing or not. I set signing with:
Enabling LDAP signing for the domain
Log in to the domain controller as a user with administrative privileges.
In Group Policy Object Editor, select Domain Security Policy\Local
Policies\Security options.
Edit the Domain controller: LDAP server signing requirements policy,
select Require signing.
Edit the Network security: LDAP client signing requirements policy, select
Require signing.
ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@xxxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#
# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller
....
I could not test TLS/SSL yet because of this bug in cyrus-sasl
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
Markus
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:kk4eak$sd2$1@xxxxxxxxxxxxx...
Why don't you use GSSAPI instead of GSS-SPNEGO ? GSSAPI definitely works
with AD as I use it daily.
Markus
"Dan White" <dwhite@xxxxxxx> wrote in message
news:20130410135710.GA6660@xxxxxxxxxxx...
On 04/10/13 17:50 +0800, Cai Fa wrote:
Hi All,
I try to do ldapsearch an Active Directory by GSS-SPNEGO.
ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b ""
supportedSASLMechanisms -h 10.155.60.241 -v
But I got following error:
ldap_initialize( ldap://10.155.60.241 )
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: More results to return (-15)
It looks like there are some SASL steps need to do, but the client
return an error.
Is there anyone can help me?
Thanks.
My experience with GSS_SPNEGO is that it only works if the remote end is
running OpenLDAP (or presumably any ldap server compiled against cyrus
sasl), and only when the plugin is linked against the mit kerberos
libraries (not heimdal). It does not work for me in any scenario where
the
remote end is an Active Directory server.
Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
imapd caldav support).
--
Dan White