Re: ldapsearch with GSS-SPNEGO

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Hi Cai,

I finally got it set and if I use maxssf= 0 or 56 with ldap I get

ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home  -Omaxssf=56 -s sub -b 
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
       additional info: 00002028: LdapErr: DSID-0C09018A, comment: The 
server requires binds to turn on integrity checking if SSL\TLS are not 
already active on the connection, data 0, vece

but if I use maxssf=0 and ssl it works BUT it requires a fix in sasl as 
mentioned before.  I know older sasl versions worked fine, the newer seems 
broken.


opensuse12:/usr/lib64/sasl2 # ldapsearch -vvv -H 
ldaps://w2k3r2.win2003r2.home  -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME 
"(samaccountname=mm)"
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
SASL username: mm@xxxxxxxxxxxxxx
SASL SSF: 0
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#

# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller


Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message 
news:6CD33506CBEF43C9B140F1C7D633F490@VAIOLaptop...
> Hi Cai,
>
>  It seems I can't set the domain ldap signing policy.   I have set the 
> signing required  in the Domain security policy, but when I look at the 
> local security policy with gpedit it is still set to none.
>
> Markus
>
> ----- Original Message ----- 
> From: "Cai Fa" <hellofacaige@xxxxxxxxx>
> To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
> Cc: <cyrus-sasl@xxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, May 06, 2013 3:44 AM
> Subject: Re: ldapsearch with GSS-SPNEGO
>
>
> > Hi Markus,
> > I guess you don't perform "gpupdate /force" in cmd.
> > And you configuration on AD didn't take effect.
> >
> > On Fri, Apr 19, 2013 at 4:56 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> 
> > wrote:
> > > Hi
> > >
> > >  I did test my setup and I do not see any difference with my ldap GSSAPI
> > > authentication when using signing or not. I set signing with:
> > >
> > > Enabling LDAP signing for the domain
> > >
> > > Log in to the domain controller as a user with administrative 
> > > privileges.
> > > In Group Policy Object Editor, select Domain Security Policy\Local
> > > Policies\Security options.
> > > Edit the Domain controller: LDAP server signing requirements policy, 
> > > select
> > > Require signing.
> > > Edit the Network security: LDAP client signing requirements policy, 
> > > select
> > > Require signing.
> > >
> > >
> > > ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b
> > > DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
> > > ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
> > > SASL/GSSAPI authentication started
> > > SASL username: mm@xxxxxxxxxxxxxx
> > > SASL SSF: 56
> > > SASL data security layer installed.
> > > filter: (samaccountname=mm)
> > > requesting: All userApplication attributes
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <DC=WIN2003R2,DC=HOME> with scope subtree
> > > # filter: (samaccountname=mm)
> > > # requesting: ALL
> > > #
> > >
> > > # Markus Moeller, HomeUsers, win2003r2.home
> > > dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: user
> > > cn: Markus Moeller
> > > sn: Moeller
> > > ....
> > >
> > > I could not test TLS/SSL yet because of this bug in cyrus-sasl
> > >
> > > https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
> > >
> > > Markus
> > >
> > > "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
> > > news:kk4eak$sd2$1@xxxxxxxxxxxxx...
> > >
> > > > Why don't you use GSSAPI instead of GSS-SPNEGO ?  GSSAPI definitely 
> > > > works
> > > > with AD as I use it daily.
> > > >
> > > > Markus
> > > >
> > > > "Dan White" <dwhite@xxxxxxx> wrote in message
> > > > news:20130410135710.GA6660@xxxxxxxxxxx...
> > > > On 04/10/13 17:50 +0800, Cai Fa wrote:
> > > > >
> > > > Hi All,
> > > > > I try to do ldapsearch an Active Directory by GSS-SPNEGO.
> > > > > > ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" 
> > > > > > supportedSASLMechanisms -h
> > > > > > 10.155.60.241 -v
> > > > >
> > > > >
> > > > > But I got following error:
> > > > > ldap_initialize( ldap://10.155.60.241 )
> > > > > SASL/GSS-SPNEGO authentication started
> > > > > ldap_sasl_interactive_bind_s: More results to return (-15)
> > > > >
> > > > > It looks like there are some SASL steps need to do, but the client
> > > > > return an error.
> > > > >
> > > > > Is there anyone can help me?
> > > > > Thanks.
> > > >
> > > >
> > > > My experience with GSS_SPNEGO is that it only works if the remote end 
> > > > is
> > > > running OpenLDAP (or presumably any ldap server compiled against cyrus
> > > > sasl), and only when the plugin is linked against the mit kerberos
> > > > libraries (not heimdal). It does not work for me in any scenario where 
> > > > the
> > > > remote end is an Active Directory server.
> > > >
> > > > Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
> > > > imapd caldav support).
> > > >
> > > > --
> > > > Dan White