[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cannot start kerberos signing/sealing when using TLS/SSL

To: Jeremiah Martell <inlovewithgod@gmail.com>
Subject: Re: Cannot start kerberos signing/sealing when using TLS/SSL
From: Howard Chu <hyc@symas.com>
Date: Mon, 08 Dec 2008 21:02:13 -0800
Cc: openldap-technical@openldap.org
In-reply-to: <233eb300812080801u6af6dd72j54b47ef88fafcf9c@mail.gmail.com>
References: <233eb300812080801u6af6dd72j54b47ef88fafcf9c@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b2pre) Gecko/20081115 SeaMonkey/2.0a1pre Firefox/3.0.3

Jeremiah Martell wrote:

I'm using openldap, cyrus-sasl, heimdal, and openssl.


And apparently they are all working correctly.

I use the standard kerberos "kinit" tool to get my TGT, this is successful.
I use the standard openldap "ldapsearch" tool to attempt to do a
LDAP+GSSAPI over TLS (cert level "demand") search, and I get two
errors.

The first error is an "inappropriate auth", which seems to come from openldap.
The second error is "Cannot start kerberos signing/sealing when using
TLS/SSL", which seems to come from GSSAPI-land.

Interesting facts:

- This fails against Windows 2003 AD.


Questions about why Microsoft AD is broken belong in a Microsoft forum.

- But succeeds against a BSD box running an openldap server.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Cannot start kerberos signing/sealing when using TLS/SSL
  - From: "Jeremiah Martell" <inlovewithgod@gmail.com>

Prev by Date: Re: bdb encryption
Next by Date: Re: bdb encryption
Index(es):
- Chronological
- Thread