
Cannot start kerberos signing/sealing when using TLS/SSL
I'm using openldap, cyrus-sasl, heimdal, and openssl.

I use the standard Kerberos "kinit" tool to get my TGT; this is successful.
I use the standard OpenLDAP "ldapsearch" tool to attempt an
LDAP+GSSAPI over TLS (cert level "demand") search, and I get two
errors.

The first error is an "inappropriate auth", which seems to come from openldap.
The second error is "Cannot start kerberos signing/sealing when using
TLS/SSL", which seems to come from GSSAPI-land.

Interesting facts:

- This fails against Windows 2003 AD.
- But succeeds against a BSD box running an openldap server.

- The following all had the cert level set to "demand"...
    - LDAP works with the Win2003 AD.
    - LDAP+SSL works with the Win2003 AD.
    - LDAP+TLS works with the Win2003 AD.
    - LDAP+GSSAPI works with the Win2003 AD.
    - LDAP+GSSAPI+SSL works with the Win2003 AD.
    - But LDAP+GSSAPI+TLS does NOT work with the Win2003 AD.

- If I switch the cert level to "allow", then LDAP+GSSAPI+TLS works
with Win2003 AD.

It seems everything is ok with my kerberos setup, since LDAP+GSSAPI works.
It seems everything is ok with my certs, since LDAP+SSL and LDAP+TLS
and LDAP+GSSAPI+SSL works.

I'm at a loss as to why this particular case:
LDAP+GSSAPI+TLS (cert level "demand") against Windows 2003 AD
doesn't work.

I tried looking through the openldap, cyrus-sasl, heimdal, and openssl
code for "Cannot start kerberos signing/sealing when using TLS/SSL", but
I didn't find anything. My guess is that this comes from the server.

The only thing I could find googling was from here:
http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP
that says:
"GSSAPI Error: Cannot start kerberos signing/sealing when using TLS/SSL
SASL/GSSAPI already encrypts the LDAP traffic, this error is trying to
say TLS/SSL is redundant."

My questions:
(1) Is this simply the fact that Windows 2003 AD doesn't support
LDAP+GSSAPI+TLS (with cert level set to "demand")?
(2) Why would the Win2003 AD server behave properly with SSL but not TLS?
(3) Why does the openldap server work fine, but not the Windows 2003 AD server?
(4) Has this been addressed in some newer release of
openldap/cyrus-sasl/heimdal/openssl code?
(5) Is there anything I could have done wrong in my Win2003 AD setup?
(6) Any other general suggestions/ideas to help?

Thanks,
--
- Jeremiah Martell
http://inlovewithGod.com
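The test matrix the poster describes (plain, LDAPS, StartTLS, each with and without a SASL/GSSAPI bind, all under a chosen TLS_REQCERT level) reduces to a handful of ldapsearch flag combinations, and the error string quoted above is what Active Directory returns when a GSSAPI bind asks for a SASL integrity or confidentiality layer on a connection that is already under TLS. The script below is an added example, not part of the original post: it assembles each case of the matrix so it can be rerun one at a time, and the last case shows the documented way to make the GSSAPI bind request no SASL security layer (`-O maxssf=0`, the same thing `SASL_SECPROPS maxssf=0` does in ldap.conf). The host name `dc1.example.com` and base DN `DC=example,DC=com` are placeholders; override them in the environment. With `DRY_RUN=1` (the default) the commands are printed instead of executed, so the script runs without a directory server.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ldapsearch test
# matrix described above. Host and base DN are placeholders.
AD_HOST="${AD_HOST:-dc1.example.com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command instead of running it

# ldap_url MODE -> URL. LDAPS modes use the ldaps:// scheme (TLS from the
# start); every other mode connects with plain ldap://.
ldap_url() {
    case "$1" in
        ldaps|gssapi_ldaps) echo "ldaps://$AD_HOST" ;;
        *)                  echo "ldap://$AD_HOST" ;;
    esac
}

# auth_args MODE -> "-x" (simple bind) or "-Y GSSAPI" (SASL bind using the
# TGT obtained earlier with kinit).
auth_args() {
    case "$1" in
        gssapi*) echo "-Y GSSAPI" ;;
        *)       echo "-x" ;;
    esac
}

# tls_args MODE -> "-ZZ" for StartTLS modes (abort if StartTLS fails),
# empty otherwise. LDAPS modes already get TLS from the URL scheme.
tls_args() {
    case "$1" in
        starttls|gssapi_starttls) echo "-ZZ" ;;
        *)                        echo "" ;;
    esac
}

# build_cmd MODE REQCERT [MAXSSF]
# REQCERT becomes LDAPTLS_REQCERT (demand|allow|try|never), the same knob as
# TLS_REQCERT in ldap.conf. MAXSSF, when given, adds "-O maxssf=N": with
# maxssf=0 the GSSAPI bind negotiates no SASL integrity/confidentiality
# layer, which Active Directory requires once the session is under TLS.
build_cmd() {
    mode=$1; reqcert=$2; maxssf=$3
    cmd="LDAPTLS_REQCERT=$reqcert ldapsearch -H $(ldap_url "$mode") $(auth_args "$mode")"
    tls=$(tls_args "$mode")
    [ -n "$tls" ] && cmd="$cmd $tls"
    [ -n "$maxssf" ] && cmd="$cmd -O maxssf=$maxssf"
    echo "$cmd -b $BASE_DN -s base '(objectClass=*)'"
}

# run_case MODE REQCERT [MAXSSF]: print or execute one matrix entry.
run_case() {
    cmd=$(build_cmd "$@")
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        sh -c "$cmd"
    fi
}

# matrix: the six cases from the post, all with the cert level at "demand",
# followed by the GSSAPI+StartTLS case with the SASL layer disabled.
matrix() {
    for mode in plain ldaps starttls gssapi gssapi_ldaps gssapi_starttls; do
        run_case "$mode" demand
    done
    run_case gssapi_starttls demand 0
}

matrix
```

To actually run the searches, export `DRY_RUN=0` after kinit has succeeded; a Kerberos bind over TLS that still fails with `maxssf=0` points at the TLS or certificate side rather than at the SASL layer.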