I am using Mozilla LDAP library to do SASL binding with SSL encryption against Active Directory. To make it work, it is necessary to set the security option "maxssf=0".
Still, in testing against AD in Windows 2003 Server (or Windows 2000 Server), the binding result is good and bad alternatively, exhibiting a pingpong style. In contrast, if I do the same test against AD in Windows 2008 Server, the binding is always good.
Is a known issue of AD in Windows 2003/2000 Server, and if there is any patch available? Just want to see if anyone in this list has had the same experience as mine.
Thanks,
Xu Qiang
A suggestion, from my past experiences: Have you confirmed that your
"ping-pong" results are always coming from the same AD domain
controller? If not, try tracing the packet traffic, or just increasing
your client-side debug verbosity. If the success vs. failure results
can be correlated to different DCs, this may be a configuration issue
on one of your DCs.
-Ryan
I have tried sasl binding with ssl encryption (unsuccessfully) against two different ADs. One in Windows 2003 Server, and the other is in Windows 2000 Server. This 2003 server and 2000 server are different domain controllers. In contrast, when the same thing is done against AD in Windows 2008 Server (patched with hotfix http://support.microsoft.com/kb/957072), it works perfectly.
Therefore, I guess the problem is due to some bug in Windows 2000/2003 Server. By the way, tracing network packets is quite hard for sasl binding with ssl encryption, coz all the packets are encrypted, not plain LDAP ones.
Thanks,
Xu Qiang