
RE: GSSAPI+kerberos5+TLS to Active Directory



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of andrew hall

> Hello,
>
> I have been playing with openldap and MS active directory over the past
> couple of days trying to figure out what will and won't work when
> connecting
> SASL and TLS connections from a unix client such as ldapsearch to active
> directory. I have successfully compiled the Openldap 2.0.23 libraries with
> openSSL 0.96c, MIT kerb5 1.2.3, Cyrus SASL 1.5 and tested
> connecting against
> AD to see what comes back.
>
> I successfully get a GSSAPI/kerb5 connection working to AD after
> I use Kinit
> to get the TGT, however I now have a few questions that I hope someone can
> enlighten me with answers to:
>
> 1. I made a user account on AD for my unix host, used a utility called
> Ktutil and generated a keytab file from the account information. This I
> loaded onto my unix host and used KTutil to load the keytab file into
> /etc/keytab. After playing for a while I deleted this file, issued a
> Kdestroy and tried to reconnect again to AD and was still able. It seems
> this file isn't important for client SASL connections? Is this true or is
> something being cached elsewhere on my unix host that holds the
> credentials?

Keytabs are only used by Kerberized servers, not for clients.
>
> 2. Now loading a server side certificate authority on AD and attempting a
> TLS start I observe the following:
>     a. SASL auth doesn't work in this mode I assume because AD doesn't
> support an EXTERNAL SASL mechanism?

Your guess is as good as anyone's when it comes to Microsoft. You might try
querying AD's rootDSE to see what supportedSASLMechanisms it advertises,
but as I recall they only do GSSAPI and SPNEGO.

>     b. TLS with simple auth seems to work although I get a "decode error"
> when the ldapsearch query returns, even though it connects on port 636,
> authenticates and dumps my query successfully. I have NOT loaded
> the server
> side CA cert PEM onto my client even though the debug seems to correctly
> find and accept the CA cert anyway, is this correct? Do I need
> this cert for
> server side auth only?

Not sure what this is about. In general, the client needs access to the
server's CA cert to verify the server's identity.

>     c. Am I REQUIRED to have a client side cert for TLS to work
> with AD?

Client-side certs are always optional. I think for AD they are always
ignored.

> If
> I do a ZZ with ldapsearch the query fails, why?

There's a difference between StartTLS (which the -ZZ options use) and LDAPS
(which is what you generally use on port 636). This is certainly a
Frequently Asked Question and has been answered before. Suffice to say, the
two are mutually exclusive.
>
> Thanks a lot!
>
> Kind regards,
>
> Andrew.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
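Two points in the reply above lend themselves to a worked check: reading the rootDSE to see which SASL mechanisms a server actually advertises (rather than guessing whether EXTERNAL is available), and keeping StartTLS on `ldap://` port 389 apart from LDAPS on `ldaps://` port 636, since combining `-ZZ` with an `ldaps://` URI is exactly the combination that fails. The script below is an added example written for this archive page; it is not code from the thread, from Andrew, from Howard Chu, or from the OpenLDAP project. The rootDSE LDIF it parses is a constructed sample (the host name `dc.example.com` and the two mechanism values are made up), so it runs offline; the `ldapsearch` flags it emits (`-x`, `-H`, `-Z`, `-ZZ`, `-s base`, `-b ""`) are the standard OpenLDAP client options.

```python
"""Added example (not from the mailing-list thread): parse a rootDSE query
result for supportedSASLMechanisms, and build ldapsearch command lines that
keep StartTLS (-ZZ on ldap://) and LDAPS (ldaps://, port 636) apart."""

# Constructed sample of what
#   ldapsearch -x -H ldap://dc.example.com -s base -b "" supportedSASLMechanisms
# might print for a directory that advertises only GSSAPI and GSS-SPNEGO.
# Host name and values are invented for this example.
SAMPLE_ROOTDSE_LDIF = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO

# search result
search: 2
result: 0 Success
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Handles LDIF line folding (a continuation line starts with one space),
    skips comment lines, and ignores the ldapsearch trailer (search:/result:).
    Base64 values ("attr:: ...") are not decoded; rootDSE mechanism names
    are plain strings so that is enough here."""
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]  # unfold continuation line
        else:
            logical_lines.append(raw)
    attrs = {}
    for line in logical_lines:
        if not line or line.startswith("#"):
            continue
        if line.startswith("search:") or line.startswith("result:"):
            continue  # ldapsearch summary, not part of the entry
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def advertised_sasl_mechanisms(ldif_text):
    """Set of SASL mechanism names the server's rootDSE advertises."""
    return set(parse_ldif_entry(ldif_text).get("supportedsaslmechanisms", []))


def sasl_mechanism_supported(ldif_text, mech):
    """True when the named mechanism (e.g. 'EXTERNAL', 'GSSAPI') is advertised."""
    return mech.upper() in {m.upper() for m in advertised_sasl_mechanisms(ldif_text)}


def ldapsearch_args(host, *, transport, require_tls=True):
    """Build an ldapsearch argument list for exactly one TLS mode.

    transport='starttls': plain ldap:// on 389, upgraded in-band. -Z asks for
        StartTLS and continues if it fails; -ZZ makes a failure fatal.
    transport='ldaps':    ldaps:// on 636, TLS from the first byte. No -Z here,
        because the connection is already encrypted and StartTLS would fail."""
    if transport == "starttls":
        uri = f"ldap://{host}:389"
        flags = ["-ZZ" if require_tls else "-Z"]
    elif transport == "ldaps":
        uri = f"ldaps://{host}:636"
        flags = []
    else:
        raise ValueError("transport must be 'starttls' or 'ldaps'")
    # -x: simple bind (anonymous when no -D is given); rootDSE is normally readable that way.
    return ["ldapsearch", "-x", "-H", uri, *flags,
            "-s", "base", "-b", "", "supportedSASLMechanisms"]


def starttls_and_ldaps_conflict(args):
    """Detect the combination from the thread: -Z/-ZZ together with an ldaps:// URI."""
    uses_ldaps = any(a.startswith("ldaps://") for a in args)
    uses_starttls = any(a in ("-Z", "-ZZ") for a in args)
    return uses_ldaps and uses_starttls


if __name__ == "__main__":
    mechs = advertised_sasl_mechanisms(SAMPLE_ROOTDSE_LDIF)
    print("advertised:", sorted(mechs))
    print("EXTERNAL available:", sasl_mechanism_supported(SAMPLE_ROOTDSE_LDIF, "EXTERNAL"))
    for mode in ("starttls", "ldaps"):
        argv = ldapsearch_args("dc.example.com", transport=mode)
        print(mode, "->", " ".join(repr(a) if a == "" else a for a in argv))
    print("conflict:", starttls_and_ldaps_conflict(["ldapsearch", "-H", "ldaps://dc.example.com:636", "-ZZ"]))
```

Run the real query with the `starttls` or `ldaps` argument list against your own domain controller and feed its output to `advertised_sasl_mechanisms`; if `EXTERNAL` is absent from the result, SASL EXTERNAL over a client certificate is not on offer and the observation in question 2a is explained by the server's advertisement rather than by a client misconfiguration.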