ldapsearch with GSS-SPNEGO

Markus Moeller huaraz at moeller.plus.com
Wed Apr 10 15:25:03 EDT 2013


Why don't you use GSSAPI instead of GSS-SPNEGO? GSSAPI definitely works 
with AD as I use it daily.

Markus

"Dan White" <dwhite at olp.net> wrote in message 
news:20130410135710.GA6660 at dan.olp.net...
On 04/10/13 17:50 +0800, Cai Fa wrote:
>Hi All,
>I am trying to run ldapsearch against an Active Directory using GSS-SPNEGO.
>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241 -v
>
>But I got the following error:
>ldap_initialize( ldap://10.155.60.241 )
>SASL/GSS-SPNEGO authentication started
>ldap_sasl_interactive_bind_s: More results to return (-15)
>
>It looks like there are some SASL steps that still need to be done, but the
>client returns an error.
>
>Is there anyone who can help me?
>Thanks.

My experience with GSS-SPNEGO is that it only works if the remote end is
running OpenLDAP (or presumably any LDAP server compiled against Cyrus
SASL), and only when the plugin is linked against the MIT Kerberos
libraries (not Heimdal). It does not work for me in any scenario where the
remote end is an Active Directory server.

Ken has said that GSS-SPNEGO is only intended for use with HTTP (Cyrus
imapd CalDAV support).

-- 
Dan White




More information about the Cyrus-sasl mailing list