Hi Markus,

I guess you didn't perform "gpupdate /force" in cmd, and your configuration on AD didn't take effect.

On Fri, Apr 19, 2013 at 4:56 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi
>
> I did test my setup and I do not see any difference with my ldap GSSAPI authentication when using signing or not. I set signing with:
>
> Enabling LDAP signing for the domain
>
> Log in to the domain controller as a user with administrative privileges.
> In Group Policy Object Editor, select Domain Security Policy\Local Policies\Security options.
> Edit the Domain controller: LDAP server signing requirements policy, select Require signing.
> Edit the Network security: LDAP client signing requirements policy, select Require signing.
>
> ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
> ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
> SASL/GSSAPI authentication started
> SASL username: mm@xxxxxxxxxxxxxx
> SASL SSF: 56
> SASL data security layer installed.
> filter: (samaccountname=mm)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <DC=WIN2003R2,DC=HOME> with scope subtree
> # filter: (samaccountname=mm)
> # requesting: ALL
> #
>
> # Markus Moeller, HomeUsers, win2003r2.home
> dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Markus Moeller
> sn: Moeller
> ....
>
> I could not test TLS/SSL yet because of this bug in cyrus-sasl:
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>
> Markus
>
> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message news:kk4eak$sd2$1@xxxxxxxxxxxxx...
>
>> Why don't you use GSSAPI instead of GSS-SPNEGO? GSSAPI definitely works with AD as I use it daily.
>>
>> Markus
>>
>> "Dan White" <dwhite@xxxxxxx> wrote in message news:20130410135710.GA6660@xxxxxxxxxxx...
>> On 04/10/13 17:50 +0800, Cai Fa wrote:
>>>
>>> Hi All,
>>> I am trying to do an ldapsearch against an Active Directory by GSS-SPNEGO.
>>>>
>>>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241 -v
>>>
>>> But I got the following error:
>>> ldap_initialize( ldap://10.155.60.241 )
>>> SASL/GSS-SPNEGO authentication started
>>> ldap_sasl_interactive_bind_s: More results to return (-15)
>>>
>>> It looks like there are some SASL steps that need to be done, but the client returns an error.
>>>
>>> Is there anyone who can help me?
>>> Thanks.
>>
>> My experience with GSS_SPNEGO is that it only works if the remote end is running OpenLDAP (or presumably any ldap server compiled against cyrus sasl), and only when the plugin is linked against the mit kerberos libraries (not heimdal). It does not work for me in any scenario where the remote end is an Active Directory server.
>>
>> Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus imapd caldav support).
>>
>> --
>> Dan White
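The two `ldapsearch` runs quoted above differ in one line that matters for the "Require signing" question: the successful GSSAPI bind prints `SASL SSF: 56` and `SASL data security layer installed.`, while the GSS-SPNEGO attempt never gets that far and fails in `ldap_sasl_interactive_bind_s`. The following is an added example, not code from anyone in this thread, that parses that verbose client output and reports which protection level was actually negotiated, so a signing test can be judged from what the client negotiated rather than from whether the search happened to return entries. It assumes the line formats shown in the thread (OpenLDAP's `ldapsearch` with `-v`/`-vvv`) and the Cyrus SASL convention that SSF 0 means no protection, 1 means integrity only, and anything above 1 means confidentiality. The sample inputs are constructed from the thread's own output with the masked realm replaced by a placeholder.

```python
# Added example (not from the mailing-list thread): parse verbose ldapsearch
# output and classify the negotiated SASL security layer.
import re
from dataclasses import dataclass
from typing import Optional

# Lines OpenLDAP's ldapsearch prints around a SASL bind (formats as seen in the thread).
MECH_RE = re.compile(r"^SASL/(\S+) authentication started$")
SSF_RE = re.compile(r"^SASL SSF:\s*(\d+)$")
LAYER_RE = re.compile(r"^SASL data security layer installed\.$")
BIND_ERR_RE = re.compile(r"^ldap_sasl_interactive_bind_s: (.+) \((-?\d+)\)$")


@dataclass
class SaslBindReport:
    mechanism: Optional[str] = None
    ssf: Optional[int] = None
    layer_installed: bool = False
    bind_error: Optional[str] = None
    bind_error_code: Optional[int] = None

    @property
    def protection(self) -> str:
        """Cyrus SASL convention (assumed here): SSF 0 = none, 1 = integrity
        only (signing), >1 = confidentiality with roughly that many key bits."""
        if self.bind_error is not None:
            return "bind-failed"
        if self.ssf is None:
            return "unknown"
        if self.ssf == 0:
            return "none"
        if self.ssf == 1:
            return "integrity"
        return "confidentiality"

    @property
    def signed(self) -> bool:
        """True only when a layer giving at least integrity protection is in place."""
        return (self.bind_error is None and self.layer_installed
                and self.ssf is not None and self.ssf >= 1)


def parse_ldapsearch_output(text: str) -> SaslBindReport:
    """Scan ldapsearch -v output line by line and collect the SASL bind facts."""
    report = SaslBindReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := MECH_RE.match(line):
            report.mechanism = m.group(1)
        elif m := SSF_RE.match(line):
            report.ssf = int(m.group(1))
        elif LAYER_RE.match(line):
            report.layer_installed = True
        elif m := BIND_ERR_RE.match(line):
            # e.g. "More results to return (-15)", OpenLDAP's LDAP_MORE_RESULTS_TO_RETURN
            report.bind_error = m.group(1)
            report.bind_error_code = int(m.group(2))
    return report


def summarize(text: str) -> str:
    """One-line verdict suitable for a test log."""
    r = parse_ldapsearch_output(text)
    if r.bind_error is not None:
        return f"{r.mechanism}: bind failed: {r.bind_error} ({r.bind_error_code})"
    return f"{r.mechanism}: SSF {r.ssf}, protection={r.protection}, signed={r.signed}"


# Constructed sample inputs, taken from the two runs quoted in the thread
# (the masked Kerberos realm is replaced by a placeholder).
GSSAPI_OK = """\
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@REALM.PLACEHOLDER
SASL SSF: 56
SASL data security layer installed.
filter: (samaccountname=mm)
"""

SPNEGO_FAIL = """\
ldap_initialize( ldap://10.155.60.241 )
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: More results to return (-15)
"""

if __name__ == "__main__":
    print(summarize(GSSAPI_OK))
    print(summarize(SPNEGO_FAIL))
```

Run against the first sample it reports `GSSAPI: SSF 56, protection=confidentiality, signed=True`, which is why toggling the domain controller's signing requirement shows no visible difference in that setup: the GSSAPI bind already brings up a sealing layer that satisfies it. A bind that reported `SASL SSF: 0` with no security layer, or a simple bind over plain LDAP, is the case the "Require signing" policy is meant to reject, and this parser would flag it as `signed=False`.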