ldapsearch with GSS-SPNEGO
Markus Moeller
huaraz at moeller.plus.com
Wed Apr 10 15:25:03 EDT 2013
Why don't you use GSSAPI instead of GSS-SPNEGO ? GSSAPI definitely works
with AD as I use it daily.
Markus
"Dan White" <dwhite at olp.net> wrote in message
news:20130410135710.GA6660 at dan.olp.net...
On 04/10/13 17:50 +0800, Cai Fa wrote:
>Hi All,
>I try to do ldapsearch an Active Directory by GSS-SPNEGO.
>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h
>> 10.155.60.241 -v
>
>But I got following error:
>ldap_initialize( ldap://10.155.60.241 )
>SASL/GSS-SPNEGO authentication started
>ldap_sasl_interactive_bind_s: More results to return (-15)
>
>It looks like there are some SASL steps need to do, but the client
>return an error.
>
>Is there anyone can help me?
>Thanks.
My experience with GSS_SPNEGO is that it only works if the remote end is
running OpenLDAP (or presumably any ldap server compiled against cyrus
sasl), and only when the plugin is linked against the mit kerberos
libraries (not heimdal). It does not work for me in any scenario where the
remote end is an Active Directory server.
Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
imapd caldav support).
--
Dan White
More information about the Cyrus-sasl
mailing list