ldapsearch with GSS-SPNEGO
Markus Moeller
huaraz at moeller.plus.com
Mon May 6 18:51:47 EDT 2013
Hi Cai,
I finally got it set, and if I use maxssf=0 or 56 with ldap I get
ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C09018A, comment: The
server requires binds to turn on integrity checking if SSL\TLS are not
already active on the connection, data 0, vece
but if I use maxssf=0 and ssl it works, BUT it requires a fix in sasl as
mentioned before. I know older sasl versions worked fine; the newer one seems
broken.
opensuse12:/usr/lib64/sasl2 # ldapsearch -vvv -H
ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME
"(samaccountname=mm)"
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
SASL username: mm at WIN2003R2.HOME
SASL SSF: 0
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#
# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller
Markus
"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
news:6CD33506CBEF43C9B140F1C7D633F490 at VAIOLaptop...
> Hi Cai,
>
> It seems I can't set the domain ldap signing policy. I have set the
> signing required in the Domain security policy, but when I look at the
> local security policy with gpedit it is still set to none.
>
> Markus
>
> ----- Original Message -----
> From: "Cai Fa" <hellofacaige at gmail.com>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <cyrus-sasl at lists.andrew.cmu.edu>
> Sent: Monday, May 06, 2013 3:44 AM
> Subject: Re: ldapsearch with GSS-SPNEGO
>
>
>> Hi Markus,
>> I guess you don't perform "gpupdate /force" in cmd,
>> and your configuration on AD didn't take effect.
>>
>> On Fri, Apr 19, 2013 at 4:56 AM, Markus Moeller <huaraz at moeller.plus.com>
>> wrote:
>>> Hi
>>>
>>> I did test my setup and I do not see any difference with my ldap GSSAPI
>>> authentication when using signing or not. I set signing with:
>>>
>>> Enabling LDAP signing for the domain
>>>
>>> Log in to the domain controller as a user with administrative
>>> privileges.
>>> In Group Policy Object Editor, select Domain Security Policy\Local
>>> Policies\Security options.
>>> Edit the Domain controller: LDAP server signing requirements policy,
>>> select
>>> Require signing.
>>> Edit the Network security: LDAP client signing requirements policy,
>>> select
>>> Require signing.
>>>
>>>
>>> ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b
>>> DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
>>> ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
>>> SASL/GSSAPI authentication started
>>> SASL username: mm at WIN2003R2.HOME
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> filter: (samaccountname=mm)
>>> requesting: All userApplication attributes
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <DC=WIN2003R2,DC=HOME> with scope subtree
>>> # filter: (samaccountname=mm)
>>> # requesting: ALL
>>> #
>>>
>>> # Markus Moeller, HomeUsers, win2003r2.home
>>> dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Markus Moeller
>>> sn: Moeller
>>> ....
>>>
>>> I could not test TLS/SSL yet because of this bug in cyrus-sasl
>>>
>>> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>>>
>>> Markus
>>>
>>> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>>> news:kk4eak$sd2$1 at ger.gmane.org...
>>>
>>>> Why don't you use GSSAPI instead of GSS-SPNEGO ? GSSAPI definitely
>>>> works
>>>> with AD as I use it daily.
>>>>
>>>> Markus
>>>>
>>>> "Dan White" <dwhite at olp.net> wrote in message
>>>> news:20130410135710.GA6660 at dan.olp.net...
>>>> On 04/10/13 17:50 +0800, Cai Fa wrote:
>>>>>
>>>> Hi All,
>>>>> I am trying to do an ldapsearch against an Active Directory by GSS-SPNEGO.
>>>>>>
>>>>>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b ""
>>>>>> supportedSASLMechanisms -h
>>>>>> 10.155.60.241 -v
>>>>>
>>>>>
>>>>> But I got following error:
>>>>> ldap_initialize( ldap://10.155.60.241 )
>>>>> SASL/GSS-SPNEGO authentication started
>>>>> ldap_sasl_interactive_bind_s: More results to return (-15)
>>>>>
>>>>> It looks like there are some SASL steps that need to be done, but the client
>>>>> returns an error.
>>>>>
>>>>> Is there anyone who can help me?
>>>>> Thanks.
>>>>
>>>>
>>>> My experience with GSS_SPNEGO is that it only works if the remote end
>>>> is
>>>> running OpenLDAP (or presumably any ldap server compiled against cyrus
>>>> sasl), and only when the plugin is linked against the mit kerberos
>>>> libraries (not heimdal). It does not work for me in any scenario where
>>>> the
>>>> remote end is an Active Directory server.
>>>>
>>>> Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
>>>> imapd caldav support).
>>>>
>>>> --
>>>> Dan White
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>
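As an added illustration (not code from this thread or from cyrus-sasl): a small Python parser for ldapsearch -vvv output that reads the transport, the negotiated SASL SSF and the bind result from transcripts like the ones above, and explains each outcome in terms of the DC's LDAP signing requirement. The sample transcripts are constructed from the output quoted in the thread, and the classification rules are my reading of the 00002028 error text, not a documented API.

```python
import re
from dataclasses import dataclass
# Constructed samples, copied from the ldapsearch -vvv transcripts in this thread.
REJECTED = """\
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, vece
"""
LDAPS_SSF0 = """\
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL SSF: 0
"""
SIGNED = """\
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL SSF: 56
SASL data security layer installed.
"""

@dataclass
class Bind:
    scheme: str = ""              # ldap or ldaps
    ssf: int = -1                 # negotiated SASL security strength factor, -1 = none reported
    security_layer: bool = False  # GSSAPI sign/seal layer installed
    error: str = ""               # libldap bind error text, empty on success
    ad_error: str = ""            # AD extended error code, e.g. 00002028
def parse_ldapsearch(output: str) -> Bind:
    # Pull transport, SSF and bind outcome out of ldapsearch -vvv output.
    b = Bind()
    for line in output.splitlines():
        if m := re.match(r"ldap_initialize\( (ldaps?)://", line):
            b.scheme = m.group(1)
        elif m := re.match(r"SASL SSF: (\d+)", line):
            b.ssf = int(m.group(1))
        elif line.startswith("SASL data security layer installed"):
            b.security_layer = True
        elif line.startswith("ldap_sasl_interactive_bind_s: "):
            b.error = line.split(": ", 1)[1]
        elif m := re.search(r"additional info: ([0-9A-Fa-f]{8}):", line):
            b.ad_error = m.group(1)
    return b
def classify(b: Bind) -> str:
    # LDAP signing is satisfied by TLS on the transport or by a SASL security layer.
    if b.error:
        why = "signing required, no TLS or SASL layer" if b.ad_error == "00002028" else b.error
        return f"rejected: {why}"
    if b.scheme == "ldaps":
        return f"accepted: TLS protects the session, SASL SSF {b.ssf} is not needed"
    if b.security_layer and b.ssf > 0:
        return f"accepted: SASL security layer (SSF {b.ssf}) signs the session"
    return "accepted but unprotected: plain ldap:// with SSF 0, fails once signing is required"
```

The last branch is the state the earlier test in the thread was in: a plain ldap:// bind with SSF 0 succeeds until the signing policy actually takes effect on the DC.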