
Re: ldapsearch on AD



At 09:45 AM 9/30/2005, Hudson, Michael wrote:
>Has anyone successfully used ldapsearch to query
>Active Directory using sasl gssapi?

As evident from content in the archives, yes.
http://www.openldap.org/lists/openldap-software/200203/msg00225.html

>If so, what arguments to ldapsearch are required?

For GSSAPI authentication (-Y GSSAPI), the key argument
is the value of -H.  ldapsearch(1) will pass the name of the
connected service host to Cyrus SASL, as determined through
IP-address-to-domain-name lookup, for use in SASL mechanisms.
As this name is used by underlying systems to determine
the service principal to authenticate, you need to ensure
the lookup will result in the appropriate service name.

Beyond that, various SASL security options can be adjusted
through ldapsearch arguments, namely the -O option.

While in your use example you provided a Bind DN name,
and this is provided to the LDAP server by ldapsearch(1),
it *should* have no impact on SASL/GSSAPI authentication
as servers are to ignore the Bind DN during all SASL
authentications (as discussed in the revised LDAP
technical specification).  Of course, your server might
require a Bind DN, and if so, you likely should provide
one.  I only note this as, if this server does ignore
the Bind DN as it should, you might be thinking of the
Bind DN as more significant than it is.  (Whether
the server you are using does/doesn't require a Bind DN,
and if so, what Bind DN, is a topic for discussion on
a list covering that server.)

Beyond that, the rest is left to Cyrus SASL, its SASL/GSSAPI
mechanism implementation, and the underlying GSSAPI and
Kerberos libraries, involved KDCs, and the LDAP server
you are talking to.  See the documentation for each of
these software systems, and use lists for these systems,
to address whatever questions you have in using them.

Kurt
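
The reply above boils down to a short procedure: make sure the host named in -H reverse-resolves to the name the KDC knows as ldap/<name>@REALM, hold a ticket, and then run ldapsearch with -Y GSSAPI, -H and -O, leaving -D out because the server ignores the Bind DN on SASL binds. The script below is an added example written for this page; it is not from the original thread, from OpenLDAP, or from Microsoft. The host names dc1.example.com, the realm EXAMPLE.COM, the base DN and the filter are assumptions to be replaced with your own, and the DNS check follows the reverse-lookup behaviour the reply describes (newer libldap releases let you disable that lookup with SASL_NOCANON in ldap.conf(5), in which case the name in -H is used as typed).

```shell
#!/bin/sh
# Added example (not from the original thread): wrap ldapsearch -Y GSSAPI
# against Active Directory with the DNS sanity check the reply describes.
# All host names, the realm and the base DN are assumptions.

# Extract the host part of an LDAP URI such as ldap://host:389/ or ldaps://host.
ldap_host_from_uri() {
    # strip the scheme, then everything from the first ':' or '/' onward
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[:/].*$||'
}

# The Kerberos service principal the KDC must know for a given canonical
# host name: Cyrus SASL's GSSAPI mechanism asks for ldap/<host>@REALM.
expected_ldap_principal() {
    # $1 = canonical host name, $2 = Kerberos realm
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Forward-resolve the URI host, then reverse-resolve that address, and print
# the name the reverse lookup yields (the name SASL will actually use).
# Needs getent(1); falls back to the input name if there is no PTR record.
canonical_name_for() {
    host=$1
    addr=$(getent ahosts "$host" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || { echo "cannot resolve $host" >&2; return 1; }
    rev=$(getent hosts "$addr" | awk 'NR==1 {print $2}')
    printf '%s\n' "${rev:-$host}"
}

# Usage: sh gssapi_search.sh ldap://dc1.example.com/ 'DC=example,DC=com' \
#            '(sAMAccountName=jdoe)' [EXAMPLE.COM]
gssapi_search() {
    uri=$1; base=$2; filter=$3; realm=${4:-EXAMPLE.COM}   # realm is an assumption
    host=$(ldap_host_from_uri "$uri")
    canon=$(canonical_name_for "$host") || return 1
    if [ "$canon" != "$host" ]; then
        # A mismatch here is the usual cause of "Server not found in Kerberos
        # database": the KDC is asked for a principal nobody registered.
        echo "warning: $host reverse-resolves to $canon;" \
             "the KDC must know $(expected_ldap_principal "$canon" "$realm")" >&2
    fi
    # GSSAPI needs a TGT in the credential cache; get one with kinit first.
    klist -s 2>/dev/null || { echo "no Kerberos ticket: run kinit first" >&2; return 1; }
    # No -D: the Bind DN is ignored for SASL binds.  -O minssf=56 demands at
    # least a 56-bit SASL security layer (integrity/confidentiality); use
    # -O maxssf=0 instead when the connection is already protected by TLS.
    ldapsearch -LLL -Y GSSAPI -H "$uri" -O minssf=56 -b "$base" "$filter"
}

if [ "$#" -ge 3 ]; then
    gssapi_search "$@"
fi
```

Run it only after kinit has obtained a ticket for the user you want to search as; if the warning fires, either fix the PTR record for the domain controller or register the principal for the name it actually reverse-resolves to.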