ldapsearch with GSS-SPNEGO

Markus Moeller huaraz at moeller.plus.com
Thu Apr 18 18:01:16 EDT 2013


I finally also got SSL working after fixing the mentioned bug.

ldapsearch -vvv -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

opensuse12:~ > sudo bash
opensuse12:~ # cp /usr/lib64/sasl2/libgssapiv2.so.2.0.25.fix /usr/lib64/sasl2/libgssapiv2.so.2.0.25
opensuse12:~ # exit
logout
markus@opensuse12:~> ldapsearch -vvv -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
SASL username: mm@WIN2003R2.HOME
SASL SSF: 0
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#

# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller
....

Markus


"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
news:kkpml5$v3e$1 at ger.gmane.org...
> Hi
>
>  I did test my setup and I do not see any difference with my ldap GSSAPI 
> authentication when using signing or not. I set signing with:
>
> Enabling LDAP signing for the domain
>
> Log in to the domain controller as a user with administrative privileges.
> In Group Policy Object Editor, select Domain Security Policy\Local 
> Policies\Security options.
> Edit the Domain controller: LDAP server signing requirements policy, 
> select Require signing.
> Edit the Network security: LDAP client signing requirements policy, select 
> Require signing.
>
>
> ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
> ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
> SASL/GSSAPI authentication started
> SASL username: mm@WIN2003R2.HOME
> SASL SSF: 56
> SASL data security layer installed.
> filter: (samaccountname=mm)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <DC=WIN2003R2,DC=HOME> with scope subtree
> # filter: (samaccountname=mm)
> # requesting: ALL
> #
>
> # Markus Moeller, HomeUsers, win2003r2.home
> dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Markus Moeller
> sn: Moeller
> ....
>
> I could not test TLS/SSL yet because of this bug in cyrus-sasl
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>
> Markus
>
> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
> news:kk4eak$sd2$1 at ger.gmane.org...
>> Why don't you use GSSAPI instead of GSS-SPNEGO? GSSAPI definitely works with AD as I use it daily.
>>
>> Markus
>>
>> "Dan White" <dwhite at olp.net> wrote in message 
>> news:20130410135710.GA6660 at dan.olp.net...
>> On 04/10/13 17:50 +0800, Cai Fa wrote:
>>>Hi All,
>>>I try to do ldapsearch an Active Directory by GSS-SPNEGO.
>>>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241 -v
>>>
>>>But I got following error:
>>>ldap_initialize( ldap://10.155.60.241 )
>>>SASL/GSS-SPNEGO authentication started
>>>ldap_sasl_interactive_bind_s: More results to return (-15)
>>>
>>>It looks like there are some SASL steps that still need to be done, but the client
>>>returns an error.
>>>
>>>Is there anyone who can help me?
>>>Thanks.
>>
>> My experience with GSS-SPNEGO is that it only works if the remote end is
>> running OpenLDAP (or presumably any ldap server compiled against cyrus
>> sasl), and only when the plugin is linked against the mit kerberos
>> libraries (not heimdal). It does not work for me in any scenario where the
>> remote end is an Active Directory server.
>>
>> Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
>> imapd caldav support).
>>
>> -- 
>> Dan White
>>
>>
>>
>
>
> 
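The two sessions in this thread show the rule for a GSSAPI bind to Active Directory: over ldaps:// the SASL security layer has to be switched off with -Omaxssf=0 because TLS already protects the session, while over plain ldap:// the GSSAPI layer (SSF 56 above) is what signs and seals the traffic. The script below is an added example, not code from the thread or from the cyrus-sasl project: it builds the ldapsearch argument list for either scheme and checks ldapsearch -vvv output for a session that ended up with neither TLS nor a SASL layer. The -Ominssf=56 floor mirrors the SSF shown in the thread and is my choice, not something the thread prescribes; the sample output strings are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread. Encodes the bind rule the thread
# demonstrates: ldaps:// -> no SASL layer (-Omaxssf=0); ldap:// -> require a
# SASL layer so the session is signed/sealed. Also checks ldapsearch -vvv
# output for a session that is protected by neither TLS nor a SASL layer.

# Usage: gssapi_search_args URI BASE FILTER
# Prints the ldapsearch argument list appropriate for the URI scheme.
gssapi_search_args() {
    uri=$1; base=$2; filter=$3
    case $uri in
        ldaps://*) ssf_opt="-Omaxssf=0" ;;   # TLS protects the session; no SASL layer
        ldap://*)  ssf_opt="-Ominssf=56" ;;  # require a SASL layer; 56 mirrors the thread's SSF (assumption)
        *) echo "unsupported URI scheme: $uri" >&2; return 1 ;;
    esac
    printf '%s\n' "-vvv -Y GSSAPI -H $uri $ssf_opt -s sub -b $base $filter"
}

# Usage: bind_is_protected < output-of-ldapsearch-vvv (stdout and stderr combined)
# Returns 0 when the session is protected (ldaps:// or SASL SSF > 0), 1 otherwise.
bind_is_protected() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^ldap_initialize( ldaps://'; then
        return 0
    fi
    ssf=$(printf '%s\n' "$out" | sed -n 's/^SASL SSF: \([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$ssf" ] && [ "$ssf" -gt 0 ]
}

# Constructed samples modelled on the thread's sessions (not captured output).
SAMPLE_TLS='ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
SASL SSF: 0'
SAMPLE_SIGNED='ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL SSF: 56
SASL data security layer installed.'
SAMPLE_PLAIN='ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL SSF: 0'

# Classifies the three samples; prints one word per sample, "ok" or "PLAINTEXT".
classify_samples() {
    r=""
    for s in "$SAMPLE_TLS" "$SAMPLE_SIGNED" "$SAMPLE_PLAIN"; do
        if printf '%s\n' "$s" | bind_is_protected; then r="$r ok"; else r="$r PLAINTEXT"; fi
    done
    printf '%s\n' "${r# }"
}
```

To use it against a real server (the filter must not contain spaces, because the argument list is word-split): `set -- $(gssapi_search_args ldaps://dc.example.test DC=example,DC=test '(samaccountname=mm)'); ldapsearch "$@" 2>&1 | tee bind.log`, then `bind_is_protected < bind.log || echo "unprotected bind"`. The third sample, plain ldap:// with SSF 0, is the case a defender wants flagged: Kerberos still authenticates the user, but nothing signs or seals the LDAP traffic.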