ldapsearch with GSS-SPNEGO

Cai Fa hellofacaige at gmail.com
Sun May 5 22:44:31 EDT 2013


Hi Markus,
I guess you didn't perform "gpupdate /force" in cmd,
and your configuration on AD didn't take effect.

On Fri, Apr 19, 2013 at 4:56 AM, Markus Moeller <huaraz at moeller.plus.com> wrote:
> Hi
>
>  I did test my setup and I do not see any difference with my ldap GSSAPI
> authentication when using signing or not. I set signing with:
>
> Enabling LDAP signing for the domain
>
> Log in to the domain controller as a user with administrative privileges.
> In Group Policy Object Editor, select Domain Security Policy\Local
> Policies\Security options.
> Edit the Domain controller: LDAP server signing requirements policy, select
> Require signing.
> Edit the Network security: LDAP client signing requirements policy, select
> Require signing.
>
>
> ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b
> DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
> ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
> SASL/GSSAPI authentication started
> SASL username: mm at WIN2003R2.HOME
> SASL SSF: 56
> SASL data security layer installed.
> filter: (samaccountname=mm)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <DC=WIN2003R2,DC=HOME> with scope subtree
> # filter: (samaccountname=mm)
> # requesting: ALL
> #
>
> # Markus Moeller, HomeUsers, win2003r2.home
> dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Markus Moeller
> sn: Moeller
> ....
>
> I could not test TLS/SSL yet because of this bug in cyrus-sasl
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>
> Markus
>
> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
> news:kk4eak$sd2$1 at ger.gmane.org...
>
>> Why don't you use GSSAPI instead of GSS-SPNEGO ?  GSSAPI definitely works
>> with AD as I use it daily.
>>
>> Markus
>>
>> "Dan White" <dwhite at olp.net> wrote in message
>> news:20130410135710.GA6660 at dan.olp.net...
>> On 04/10/13 17:50 +0800, Cai Fa wrote:
>>>
>>> Hi All,
>>> I tried to do an ldapsearch against an Active Directory server with GSS-SPNEGO.
>>>>
>>>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h
>>>> 10.155.60.241 -v
>>>
>>>
>>> But I got following error:
>>> ldap_initialize( ldap://10.155.60.241 )
>>> SASL/GSS-SPNEGO authentication started
>>> ldap_sasl_interactive_bind_s: More results to return (-15)
>>>
>>> It looks like there are some SASL steps that still need to be done, but the client
>>> returns an error.
>>>
>>> Is there anyone who can help me?
>>> Thanks.
>>
>>
>> My experience with GSS-SPNEGO is that it only works if the remote end is
>> running OpenLDAP (or presumably any ldap server compiled against cyrus
>> sasl), and only when the plugin is linked against the mit kerberos
>> libraries (not heimdal). It does not work for me in any scenario where the
>> remote end is an Active Directory server.
>>
>> Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
>> imapd caldav support).
>>
>> --
>> Dan White
>>
>>
>>
>
>
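The thread turns on two things a verbose `ldapsearch` run reveals: which SASL mechanism was negotiated, and whether a security layer (the `SASL SSF:` line) was installed, which is what actually tells you if the bind is signed or sealed. Below is an added example, not code from the thread or from the OpenLDAP or Cyrus SASL projects, that parses `ldapsearch -v` output for exactly those lines and classifies the protection level. The two sample outputs are constructed for the example, modelled on the output quoted above; the SSF interpretation (0 = no protection, 1 = integrity only, greater than 1 = confidentiality with that many bits of key strength) follows the Cyrus SASL convention.

```python
import re
from typing import Optional

# Constructed sample 1: a GSSAPI bind that negotiated a security layer,
# modelled on the successful run quoted in the thread (not a real capture).
SAMPLE_GSSAPI = """ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
filter: (samaccountname=mm)
"""

# Constructed sample 2: a GSS-SPNEGO bind against AD that failed mid-handshake,
# modelled on the error quoted in the thread.
SAMPLE_SPNEGO_FAIL = """ldap_initialize( ldap://10.155.60.241 )
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: More results to return (-15)
"""

MECH_RE = re.compile(r"^SASL/(\S+) authentication started$")
SSF_RE = re.compile(r"^SASL SSF: (\d+)$")
USER_RE = re.compile(r"^SASL username: (\S+)$")
BIND_ERR_RE = re.compile(r"^ldap_sasl_interactive_bind_s: (.+) \((-?\d+)\)$")


def classify_ssf(ssf: Optional[int]) -> str:
    """Map a Cyrus SASL security strength factor to a protection level."""
    if ssf is None:
        return "unknown"
    if ssf == 0:
        return "none"          # no signing, no sealing
    if ssf == 1:
        return "integrity"     # signed only
    return "confidentiality"   # signed and sealed, key strength = ssf bits


def parse_sasl_bind(output: str) -> dict:
    """Extract mechanism, SSF, user and bind error from ldapsearch -v output."""
    result = {
        "mechanism": None,
        "username": None,
        "ssf": None,
        "layer_installed": False,
        "bind_error": None,       # numeric OpenLDAP result code, if the bind failed
        "bind_error_text": None,
        "protection": "unknown",
    }
    for raw in output.splitlines():
        line = raw.strip()
        if m := MECH_RE.match(line):
            result["mechanism"] = m.group(1)
        elif m := USER_RE.match(line):
            result["username"] = m.group(1)
        elif m := SSF_RE.match(line):
            result["ssf"] = int(m.group(1))
        elif line == "SASL data security layer installed.":
            result["layer_installed"] = True
        elif m := BIND_ERR_RE.match(line):
            result["bind_error_text"] = m.group(1)
            result["bind_error"] = int(m.group(2))

    if result["bind_error"] is not None:
        result["protection"] = "bind failed"
    else:
        result["protection"] = classify_ssf(result["ssf"])
    return result


def meets_signing_requirement(output: str) -> bool:
    """True only if the bind succeeded and a signed or sealed layer is in place."""
    parsed = parse_sasl_bind(output)
    return parsed["bind_error"] is None and parsed["protection"] in ("integrity", "confidentiality")


if __name__ == "__main__":
    for name, sample in (("GSSAPI", SAMPLE_GSSAPI), ("GSS-SPNEGO", SAMPLE_SPNEGO_FAIL)):
        info = parse_sasl_bind(sample)
        print(f"{name}: mech={info['mechanism']} ssf={info['ssf']} "
              f"protection={info['protection']} ok={meets_signing_requirement(sample)}")
```

Run the script, or feed it real `ldapsearch -v` output captured to a file, to confirm that a client subject to a "Require signing" policy actually negotiated an SSF above zero; a successful bind with `SASL SSF: 0` means the policy is not being enforced on that path, which is the check Markus's test above was missing.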

