
Kerberos authentication to Active Directory with SSL encryption


Markus Moeller

Mar 8, 2014, 8:17:42 AM
to kerb...@mit.edu
Hi,

I wonder if someone can point me to a way to achieve an ldaps connection
to Active Directory with Kerberos (or GSSAPI ).

SASL/GSSAPI seems broken and nobody seems to mind.

ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required
input parameter could not be read (Unknown error)


Thank you
Markus


Russ Allbery

Mar 8, 2014, 3:19:37 PM
to Markus Moeller, kerb...@mit.edu
"Markus Moeller" <hua...@moeller.plus.com> writes:

> I wonder if someone can point me to a way to achieve an ldaps connection
> to Active Directory with Kerberos (or GSSAPI ).

> SASL/GSSAPI seems broken and nobody seems to mind.

Well, I do this all the time to our Active Directory server, so I know it
works. Our experience is that you have to use TLS (which you appear to be
doing), and you need to specify minssf=0 and maxssf=0 because Active
Directory doesn't support a SASL privacy layer when TLS is in use. But it
shouldn't require anything beyond that.

--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Simo Sorce

Mar 8, 2014, 4:01:18 PM
to Russ Allbery, Markus Moeller, kerb...@mit.edu
On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote:
> "Markus Moeller" <hua...@moeller.plus.com> writes:
>
> > I wonder if someone can point me to a way to achieve an ldaps connection
> > to Active Directory with Kerberos (or GSSAPI ).
>
> > SASL/GSSAPI seems broken and nobody seems to mind.
>
> Well, I do this all the time to our Active Directory server, so I know it
> works. Our experience is that you have to use TLS (which you appear to be
> doing), and you need to specify minssf=0 and maxssf=0 because Active
> Directory doesn't support a SASL privacy layer when TLS is in use. But it
> shouldn't require anything beyond that.

Indeed Active Directory support only one privacy layer, you have to
choose TLS or GSSAPI, can't do both.

However if you choose GSSAPI, Active Directory is a bit stubbornly
strict in the meaning of privacy vs confidentiality bits, so if you use
a library like cyrus-sasl you need to pass to it the "ad_compat" option,
or some Active Directory servers with stricter policies may refuse to
connect.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Markus Moeller

Mar 8, 2014, 7:28:32 PM
to Simo Sorce, Russ Allbery, kerb...@mit.edu
Hi Simo, Hi Russ,

Thank you for your replies. There was a change in the sasl libraries which
seems to have broken it. I posted the below to the sasl mailing list with
no response. I know it used to work, but not anymore. Which versions do you
use?


I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and
observe the following:

This authenticates the user and encrypts the traffic via the gssapi (This
works)

ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"


This should authenticate the user but not encrypt the traffic (This fails)

ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required
input parameter could not be read (Unknown error)


This should authenticate the user with gssapi but encrypt the traffic with
SSL (This fails)

ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required
input parameter could not be read (Unknown error)


This should authenticate the user with gssapi but encrypt the traffic with
SSL (This fails)

ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required
input parameter could not be read (Unknown error)

Applying the "fix" from Bug 3480
(https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480) makes all 4 cases
work. May I ask why the fix is not correct/applied? It really limits
openldap/cyrus-sasl and makes it useless for many environments with Active
Directory and enforced security (i.e. SSL).

Thank you
Markus
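The rule Russ and Simo state above (Active Directory negotiates exactly one privacy layer: TLS on an ldaps:// URL with the SASL/GSSAPI layer switched off via minssf=0,maxssf=0, or the GSSAPI layer on a plain ldap:// URL), applied to the four ldapsearch cases Markus lists, as an added shell example that is not code from anyone in this thread. The host, base DN and filter are placeholders; the minssf=56 on the ldap:// path is an assumption of mine on top of the thread's maxssf=56, so that the bind cannot silently negotiate no layer at all.

```shell
#!/bin/sh
# Added example for this thread (not from any of the posters): choose SASL
# security properties for ldapsearch against Active Directory so that exactly
# one privacy layer is in use, and reject requests for two at once.
# dc.example.test, the base DN and the filter below are placeholders.

# Print the -O value appropriate for the URL scheme.
# ldaps:// -> TLS carries confidentiality, so the SASL layer must be off.
# ldap://  -> no TLS, so require the GSSAPI privacy layer (ssf 56 is the value
#             the working command in the thread used; minssf=56 is added here
#             as an assumption so the bind cannot fall back to no layer).
sasl_secprops_for_url() {
    case "$1" in
        ldaps://*) printf '%s\n' 'minssf=0,maxssf=0' ;;
        ldap://*)  printf '%s\n' 'minssf=56,maxssf=56' ;;
        *)         printf 'unsupported URL scheme: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Return 0 when URL and secprops request at most one privacy layer, 1 when an
# ldaps:// URL is combined with maxssf > 0 (the last failing case in the thread).
check_one_privacy_layer() {
    url=$1
    secprops=$2
    case "$url" in
        ldaps://*)
            # pull the maxssf=N entry out of the comma-separated secprops list
            maxssf=$(printf '%s\n' "$secprops" | tr ',' '\n' | sed -n 's/^maxssf=//p')
            if [ -n "$maxssf" ] && [ "$maxssf" -gt 0 ]; then
                printf 'ldaps:// plus maxssf=%s requests two privacy layers\n' "$maxssf" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# Print a complete ldapsearch command line for a URL, base DN and filter,
# with the security properties derived from the scheme and checked for consistency.
ad_ldapsearch_cmd() {
    url=$1
    base=$2
    filter=$3
    secprops=$(sasl_secprops_for_url "$url") || return 1
    check_one_privacy_layer "$url" "$secprops" || return 1
    printf "ldapsearch -H '%s' -O '%s' -s sub -b '%s' '%s'\n" \
        "$url" "$secprops" "$base" "$filter"
}

# Demonstration with placeholder values; run the printed line against a real DC.
ad_ldapsearch_cmd ldaps://dc.example.test DC=example,DC=test '(samaccountname=mm)'
ad_ldapsearch_cmd ldap://dc.example.test DC=example,DC=test '(samaccountname=mm)'
check_one_privacy_layer ldaps://dc.example.test maxssf=56 || echo "rejected, as expected"
```

The two printed commands correspond to Markus's working ldap:// case and to Russ's ldaps:// recipe; the third call shows the combination (ldaps:// with a GSSAPI privacy layer) that the check refuses before anything is sent to the directory.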