ldapsearch with GSS-SPNEGO

Markus Moeller huaraz at moeller.plus.com
Thu Apr 18 16:56:08 EDT 2013


Hi

  I did test my setup and I do not see any difference with my ldap GSSAPI 
authentication when using signing or not. I set signing with:

Enabling LDAP signing for the domain

1. Log in to the domain controller as a user with administrative privileges.
2. In Group Policy Object Editor, select Domain Security Policy\Local Policies\Security options.
3. Edit the "Domain controller: LDAP server signing requirements" policy and select Require signing.
4. Edit the "Network security: LDAP client signing requirements" policy and select Require signing.


ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#

# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller
....

I could not test TLS/SSL yet because of this bug in cyrus-sasl

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

Markus
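The verbose output above shows why the signing policy makes no visible difference here: the GSSAPI bind already negotiated a SASL security layer (SSF 56, "SASL data security layer installed"), which is the integrity protection that a "Require signing" domain controller expects. The following script, added here as an illustration and not part of the original post or of the cyrus-sasl project, parses that kind of ldapsearch output and reports whether a security layer of at least a given strength was negotiated. The sample outputs are constructed from the lines quoted in this thread; the function and variable names are my own.

```python
import re

# Constructed sample 1: the SASL negotiation lines from the working GSSAPI run
# quoted in the post above (not a live capture).
GSSAPI_OUTPUT = """\
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
filter: (samaccountname=mm)
"""

# Constructed sample 2: the failing GSS-SPNEGO attempt quoted further down.
SPNEGO_OUTPUT = """\
ldap_initialize( ldap://10.155.60.241 )
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: More results to return (-15)
"""

MECH_RE = re.compile(r"^SASL/(\S+) authentication started\s*$", re.MULTILINE)
SSF_RE = re.compile(r"^SASL SSF:\s*(\d+)\s*$", re.MULTILINE)
LAYER_RE = re.compile(r"^SASL data security layer installed\.?\s*$", re.MULTILINE)


def parse_sasl_negotiation(output):
    """Return (mechanism, ssf, layer_installed) from verbose ldapsearch output.

    mechanism and ssf are None when the corresponding line is absent, which
    is what a failed or never-started SASL bind looks like.
    """
    mech = MECH_RE.search(output)
    ssf = SSF_RE.search(output)
    return (
        mech.group(1) if mech else None,
        int(ssf.group(1)) if ssf else None,
        LAYER_RE.search(output) is not None,
    )


def classify_ssf(ssf):
    """Cyrus SASL convention for the security strength factor:
    0 = no protection, 1 = integrity only, >1 = confidentiality (key bits)."""
    if ssf is None:
        return "unknown"
    if ssf == 0:
        return "none"
    if ssf == 1:
        return "integrity"
    return "confidentiality"


def check_signing(output, min_ssf=1):
    """Return (ok, reason).

    ok is True only when a SASL mechanism completed and installed a security
    layer with SSF >= min_ssf; min_ssf=1 corresponds to 'signing in effect'.
    """
    mech, ssf, layer = parse_sasl_negotiation(output)
    if mech is None:
        return False, "no SASL mechanism negotiated (simple bind or bind not attempted)"
    if ssf is None:
        return False, f"{mech}: no SSF reported; bind did not complete"
    if not layer or ssf < min_ssf:
        return False, f"{mech}: SSF {ssf} ({classify_ssf(ssf)}) below required {min_ssf}"
    return True, f"{mech}: SSF {ssf} ({classify_ssf(ssf)}), security layer installed"


if __name__ == "__main__":
    for label, text in (("GSSAPI", GSSAPI_OUTPUT), ("GSS-SPNEGO", SPNEGO_OUTPUT)):
        ok, reason = check_signing(text)
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {reason}")
```

Feed it the stderr/stdout of an `ldapsearch -vvv` run to confirm that a bind really negotiated a security layer rather than relying on the server's policy alone; ldapsearch's own `-O minssf=N` option enforces the same floor on the client side at bind time.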

"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
news:kk4eak$sd2$1 at ger.gmane.org...
> Why don't you use GSSAPI instead of GSS-SPNEGO?  GSSAPI definitely works 
> with AD as I use it daily.
>
> Markus
>
> "Dan White" <dwhite at olp.net> wrote in message 
> news:20130410135710.GA6660 at dan.olp.net...
> On 04/10/13 17:50 +0800, Cai Fa wrote:
>>Hi All,
>>I try to do ldapsearch an Active Directory by GSS-SPNEGO.
>>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241 -v
>>
>>But I got following error:
>>ldap_initialize( ldap://10.155.60.241 )
>>SASL/GSS-SPNEGO authentication started
>>ldap_sasl_interactive_bind_s: More results to return (-15)
>>
>>It looks like there are some SASL steps that need to be done, but the client
>>returns an error.
>>
>>Is there anyone who can help me?
>>Thanks.
>
> My experience with GSS-SPNEGO is that it only works if the remote end is
> running OpenLDAP (or presumably any ldap server compiled against cyrus
> sasl), and only when the plugin is linked against the mit kerberos
> libraries (not heimdal). It does not work for me in any scenario where the
> remote end is an Active Directory server.
>
> Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
> imapd caldav support).
>
> -- 
> Dan White