ldapsearch with GSS-SPNEGO

Markus Moeller huaraz at moeller.plus.com
Mon May 6 06:27:28 EDT 2013


I can try again with gpupdate on my AD server. Is there anything in the logs 
I should see that signing is enabled?

Markus

----- Original Message ----- 
From: "Cai Fa" <hellofacaige at gmail.com>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <cyrus-sasl at lists.andrew.cmu.edu>
Sent: Monday, May 06, 2013 3:44 AM
Subject: Re: ldapsearch with GSS-SPNEGO


> Hi Markus,
> I guess you didn't perform "gpupdate /force" in cmd,
> and your configuration on AD didn't take effect.
>
> On Fri, Apr 19, 2013 at 4:56 AM, Markus Moeller <huaraz at moeller.plus.com> 
> wrote:
>> Hi
>>
>>  I did test my setup and I do not see any difference with my ldap GSSAPI
>> authentication when using signing or not. I set signing with:
>>
>> Enabling LDAP signing for the domain
>>
>> Log in to the domain controller as a user with administrative privileges.
>> In Group Policy Object Editor, select Domain Security Policy\Local
>> Policies\Security options.
>> Edit the Domain controller: LDAP server signing requirements policy, select
>> Require signing.
>> Edit the Network security: LDAP client signing requirements policy, select
>> Require signing.
>>
>>
>> ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b
>> DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
>> ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
>> SASL/GSSAPI authentication started
>> SASL username: mm at WIN2003R2.HOME
>> SASL SSF: 56
>> SASL data security layer installed.
>> filter: (samaccountname=mm)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <DC=WIN2003R2,DC=HOME> with scope subtree
>> # filter: (samaccountname=mm)
>> # requesting: ALL
>> #
>>
>> # Markus Moeller, HomeUsers, win2003r2.home
>> dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Markus Moeller
>> sn: Moeller
>> ....
>>
>> I could not test TLS/SSL yet because of this bug in cyrus-sasl
>>
>> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>>
>> Markus
>>
>> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>> news:kk4eak$sd2$1 at ger.gmane.org...
>>
>>> Why don't you use GSSAPI instead of GSS-SPNEGO ?  GSSAPI definitely works
>>> with AD as I use it daily.
>>>
>>> Markus
>>>
>>> "Dan White" <dwhite at olp.net> wrote in message
>>> news:20130410135710.GA6660 at dan.olp.net...
>>> On 04/10/13 17:50 +0800, Cai Fa wrote:
>>>>
>>>> Hi All,
>>>> I try to do ldapsearch an Active Directory by GSS-SPNEGO.
>>>>>
>>>>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" 
>>>>> supportedSASLMechanisms -h
>>>>> 10.155.60.241 -v
>>>>
>>>>
>>>> But I got following error:
>>>> ldap_initialize( ldap://10.155.60.241 )
>>>> SASL/GSS-SPNEGO authentication started
>>>> ldap_sasl_interactive_bind_s: More results to return (-15)
>>>>
>>>> It looks like there are some SASL steps need to do, but the client
>>>> return an error.
>>>>
>>>> Is there anyone can help me?
>>>> Thanks.
>>>
>>>
>>> My experience with GSS_SPNEGO is that it only works if the remote end is
>>> running OpenLDAP (or presumably any ldap server compiled against cyrus
>>> sasl), and only when the plugin is linked against the mit kerberos
>>> libraries (not heimdal). It does not work for me in any scenario where the
>>> remote end is an Active Directory server.
>>>
>>> Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
>>> imapd caldav support).
>>>
>>> --
>>> Dan White


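An added example, not code from this thread or from the Cyrus SASL or OpenLDAP projects: the shell functions below parse the `ldapsearch -vvv` banner lines quoted above and report whether a SASL security layer was actually negotiated. That is the property the AD "Require signing" policy checks for on unencrypted connections, so a GSSAPI bind that already installs a layer (the `SASL SSF: 56` line above) looks the same with the policy on or off, while a bind that ends up at SSF 0 is what the policy would reject. The two sample outputs are constructed (modelled on the quoted output), and the hostname `dc.example.com` and base DN in the live helper are assumptions.

```shell
#!/bin/sh
# Added example: check the SASL security layer negotiated by ldapsearch.
# SSF semantics (Cyrus SASL): 0 = no layer, 1 = integrity only (signing),
# >1 = confidentiality (sealing) with roughly that many bits of strength.

# Constructed sample: a GSSAPI bind that installed a confidentiality layer,
# modelled on the output quoted in the thread.
SAMPLE_OK='ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
filter: (samaccountname=mm)'

# Constructed sample: a bind that completed without any layer (SSF 0), which
# is what a "Require signing" domain controller would refuse.
SAMPLE_NOLAYER='ldap_initialize( ldap://dc.example.com:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@EXAMPLE.COM
SASL SSF: 0
filter: (samaccountname=mm)'

# sasl_ssf OUTPUT -> prints the negotiated SSF, or 0 if no SSF line is present.
sasl_ssf() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${ssf:-0}"
}

# layer_kind SSF -> none | integrity | confidentiality
layer_kind() {
    case $1 in
        0) echo none ;;
        1) echo integrity ;;
        *) echo confidentiality ;;
    esac
}

# sasl_layer_ok OUTPUT MINSSF -> exit 0 only if a layer of at least MINSSF was
# both negotiated (SSF line) and installed (the "data security layer" line).
sasl_layer_ok() {
    out=$1
    min=${2:-1}
    ssf=$(sasl_ssf "$out")
    [ "$ssf" -ge "$min" ] || return 1
    printf '%s\n' "$out" | grep -q '^SASL data security layer installed' || return 1
    return 0
}

# Live check (assumed host/base DN, not run by default): -O minssf=1 makes the
# client abort the bind instead of silently continuing when the server will
# not negotiate at least an integrity layer.
live_check() {
    out=$(ldapsearch -vvv -Y GSSAPI -O minssf=1 -H ldap://dc.example.com \
            -b DC=example,DC=com -s sub '(samaccountname=mm)' 2>&1) || return 1
    sasl_layer_ok "$out" 1
}

# Report on the constructed samples; pass "live" to run the real query instead.
if [ "${1:-}" = live ]; then
    live_check && echo "live bind: layer ok" || echo "live bind: no acceptable layer"
else
    for name in SAMPLE_OK SAMPLE_NOLAYER; do
        eval "out=\$$name"
        ssf=$(sasl_ssf "$out")
        if sasl_layer_ok "$out" 1; then
            echo "$name: SSF $ssf ($(layer_kind "$ssf")) - signing requirement satisfied"
        else
            echo "$name: SSF $ssf ($(layer_kind "$ssf")) - would be rejected by Require signing"
        fi
    done
fi
```

Two practical notes. First, `-O minssf=1` (or `SASL_SECPROPS minssf=1` in ldap.conf) is the client-side counterpart of the domain policy: it turns a silent unprotected bind into a visible failure. Second, when the same bind is made over `ldaps://`, Active Directory does not accept a SASL integrity or confidentiality layer on top of TLS, so the usual setting there is `-O maxssf=0`, which is why the SSF-based check above only applies to plain `ldap://` connections.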

