Hi Cai,
It seems I can't set the domain ldap signing policy. I have set the
signing required in the Domain security policy, but when I look at the
local security policy with gpedit it is still set to none.
Markus
----- Original Message -----
From: "Cai Fa" <hellofacaige@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Cc: <cyrus-sasl@xxxxxxxxxxxxxxxxxxxx>
Sent: Monday, May 06, 2013 3:44 AM
Subject: Re: ldapsearch with GSS-SPNEGO
Hi Markus,
I guess you don't perform "gpupdate /force" in cmd.
And you configuration on AD didn't take effect.
On Fri, Apr 19, 2013 at 4:56 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
wrote:
Hi
I did test my setup and I do not see any difference with my ldap GSSAPI
authentication when using signing or not. I set signing with:
Enabling LDAP signing for the domain
Log in to the domain controller as a user with administrative privileges.
In Group Policy Object Editor, select Domain Security Policy\Local
Policies\Security options.
Edit the Domain controller: LDAP server signing requirements policy,
select
Require signing.
Edit the Network security: LDAP client signing requirements policy,
select
Require signing.
ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@xxxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#
# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller
....
I could not test TLS/SSL yet because of this bug in cyrus-sasl
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
Markus
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:kk4eak$sd2$1@xxxxxxxxxxxxx...
Why don't you use GSSAPI instead of GSS-SPNEGO ? GSSAPI definitely
works
with AD as I use it daily.
Markus
"Dan White" <dwhite@xxxxxxx> wrote in message
news:20130410135710.GA6660@xxxxxxxxxxx...
On 04/10/13 17:50 +0800, Cai Fa wrote:
Hi All,
I try to do ldapsearch an Active Directory by GSS-SPNEGO.
ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b ""
supportedSASLMechanisms -h
10.155.60.241 -v
But I got following error:
ldap_initialize( ldap://10.155.60.241 )
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: More results to return (-15)
It looks like there are some SASL steps need to do, but the client
return an error.
Is there anyone can help me?
Thanks.
My experience with GSS_SPNEGO is that it only works if the remote end is
running OpenLDAP (or presumably any ldap server compiled against cyrus
sasl), and only when the plugin is linked against the mit kerberos
libraries (not heimdal). It does not work for me in any scenario where
the
remote end is an Active Directory server.
Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
imapd caldav support).
--
Dan White