ldapsearch with GSS-SPNEGO

Markus Moeller huaraz at moeller.plus.com
Mon May 6 18:51:47 EDT 2013


Hi Cai,

 I finally got it set, and if I use maxssf=0 or 56 with ldap I get

 ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C09018A, comment: The 
server requires binds to turn on integrity checking if SSL\TLS are not 
already active on the connection, data 0, vece

but if I use maxssf=0 and ssl it works BUT it requires a fix in sasl as 
mentioned before.  I know older sasl versions worked fine; the newer one seems 
broken.


opensuse12:/usr/lib64/sasl2 # ldapsearch -vvv -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
SASL username: mm at WIN2003R2.HOME
SASL SSF: 0
filter: (samaccountname=mm)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: (samaccountname=mm)
# requesting: ALL
#

# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller


Markus

"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
news:6CD33506CBEF43C9B140F1C7D633F490 at VAIOLaptop...
> Hi Cai,
>
>  It seems I can't set the domain LDAP signing policy.  I have set 
> signing required in the Domain security policy, but when I look at the 
> local security policy with gpedit it is still set to none.
>
> Markus
>
> ----- Original Message ----- 
> From: "Cai Fa" <hellofacaige at gmail.com>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <cyrus-sasl at lists.andrew.cmu.edu>
> Sent: Monday, May 06, 2013 3:44 AM
> Subject: Re: ldapsearch with GSS-SPNEGO
>
>
>> Hi Markus,
>> I guess you didn't perform "gpupdate /force" in cmd,
>> and your configuration on AD didn't take effect.
>>
>> On Fri, Apr 19, 2013 at 4:56 AM, Markus Moeller <huaraz at moeller.plus.com> 
>> wrote:
>>> Hi
>>>
>>>  I did test my setup and I do not see any difference with my ldap GSSAPI
>>> authentication when using signing or not. I set signing with:
>>>
>>> Enabling LDAP signing for the domain
>>>
>>> Log in to the domain controller as a user with administrative 
>>> privileges.
>>> In Group Policy Object Editor, select Domain Security Policy\Local
>>> Policies\Security options.
>>> Edit the Domain controller: LDAP server signing requirements policy, 
>>> select
>>> Require signing.
>>> Edit the Network security: LDAP client signing requirements policy, 
>>> select
>>> Require signing.
>>>
>>>
>>> ldapsearch -vvv -H ldap://w2k3r2.win2003r2.home -s sub -b
>>> DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
>>> ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
>>> SASL/GSSAPI authentication started
>>> SASL username: mm at WIN2003R2.HOME
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> filter: (samaccountname=mm)
>>> requesting: All userApplication attributes
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <DC=WIN2003R2,DC=HOME> with scope subtree
>>> # filter: (samaccountname=mm)
>>> # requesting: ALL
>>> #
>>>
>>> # Markus Moeller, HomeUsers, win2003r2.home
>>> dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Markus Moeller
>>> sn: Moeller
>>> ....
>>>
>>> I could not test TLS/SSL yet because of this bug in cyrus-sasl
>>>
>>> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>>>
>>> Markus
>>>
>>> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>>> news:kk4eak$sd2$1 at ger.gmane.org...
>>>
>>>> Why don't you use GSSAPI instead of GSS-SPNEGO?  GSSAPI definitely 
>>>> works with AD as I use it daily.
>>>>
>>>> Markus
>>>>
>>>> "Dan White" <dwhite at olp.net> wrote in message
>>>> news:20130410135710.GA6660 at dan.olp.net...
>>>> On 04/10/13 17:50 +0800, Cai Fa wrote:
>>>>>
>>>>> Hi All,
>>>>> I am trying to do an ldapsearch against an Active Directory by GSS-SPNEGO.
>>>>>>
>>>>>> ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" 
>>>>>> supportedSASLMechanisms -h
>>>>>> 10.155.60.241 -v
>>>>>
>>>>>
>>>>> But I got following error:
>>>>> ldap_initialize( ldap://10.155.60.241 )
>>>>> SASL/GSS-SPNEGO authentication started
>>>>> ldap_sasl_interactive_bind_s: More results to return (-15)
>>>>>
>>>>> It looks like there are some SASL steps that need to be done, but the client
>>>>> returns an error.
>>>>>
>>>>> Is there anyone who can help me?
>>>>> Thanks.
>>>>
>>>>
>>>> My experience with GSS-SPNEGO is that it only works if the remote end is
>>>> running OpenLDAP (or presumably any ldap server compiled against cyrus
>>>> sasl), and only when the plugin is linked against the MIT Kerberos
>>>> libraries (not Heimdal). It does not work for me in any scenario where the
>>>> remote end is an Active Directory server.
>>>>
>>>> Ken has said that GSS-SPNEGO is only intended for use with HTTP (cyrus
>>>> imapd caldav support).
>>>>
>>>> --
>>>> Dan White
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
> 
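As an added example (not code from the thread or from cyrus-sasl), a small Python audit helper that classifies ldapsearch -v transcripts like the ones posted above: it reports whether the bind was accepted and whether the session carries integrity protection, either from a SASL SSF above zero or from TLS on an ldaps:// URI, and pulls out the AD error code (00002028 in the rejected case). The sample transcripts are constructed, modelled on the ones in the thread.

```python
import re

# Constructed sample transcripts, modelled on the ldapsearch output in the thread.
SIGNED_GSSAPI = """ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
SASL username: mm@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
"""

LDAPS_NO_SSF = """ldap_initialize( ldaps://w2k3r2.win2003r2.home:636/??base )
SASL/GSSAPI authentication started
SASL username: mm@WIN2003R2.HOME
SASL SSF: 0
"""

REJECTED = """ldap_initialize( ldap://w2k3r2.win2003r2.home:389/??base )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, vece
"""


def assess_bind(transcript):
    """Classify an ldapsearch -v transcript.

    Returns a dict with: tls (ldaps:// used), ssf (negotiated SASL SSF or None),
    bound (bind accepted), error (bind error text), ad_code (AD hex error code),
    and integrity (bound AND protected by TLS or an SSF above zero).
    """
    scheme = re.search(r"ldap_initialize\(\s*(ldaps?)://", transcript)
    ssf = re.search(r"^SASL SSF:\s*(\d+)", transcript, re.M)
    err = re.search(r"^ldap_sasl_interactive_bind_s: (.+?) \((-?\d+)\)", transcript, re.M)
    ad_code = re.search(r"additional info: ([0-9A-Fa-f]{8}):", transcript)
    result = {
        "tls": scheme is not None and scheme.group(1) == "ldaps",
        "ssf": int(ssf.group(1)) if ssf else None,
        # A bind only counts as accepted if no bind error was printed and an SSF was reported.
        "bound": err is None and ssf is not None,
        "error": err.group(1) if err else None,
        "ad_code": ad_code.group(1) if ad_code else None,
    }
    result["integrity"] = result["bound"] and (result["tls"] or result["ssf"] > 0)
    return result
```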