
GSSAPI+kerberos5+TLS to Active Directory

Hello,

I have been playing with OpenLDAP and MS Active Directory over the past
couple of days trying to figure out what will and won't work when connecting
SASL and TLS connections from a unix client such as ldapsearch to Active
Directory. I have successfully compiled the OpenLDAP 2.0.23 libraries with
OpenSSL 0.96c, MIT kerb5 1.2.3, Cyrus SASL 1.5 and tested connecting against
AD to see what comes back.

I successfully get a GSSAPI/kerb5 connection working to AD after I use kinit
to get the TGT; however, I now have a few questions that I hope someone can
enlighten me with answers to:

1. I made a user account on AD for my unix host, used a utility called
ktutil and generated a keytab file from the account information. This I
loaded onto my unix host and used ktutil to load the keytab file into
/etc/keytab. After playing for a while I deleted this file, issued a
kdestroy and tried to reconnect again to AD and was still able to. It seems
this file isn't important for client SASL connections? Is this true, or is
something being cached elsewhere on my unix host that holds the credentials?

2. Now, loading a server side certificate authority on AD and attempting a
TLS start, I observe the following:
    a. SASL auth doesn't work in this mode, I assume because AD doesn't
support an EXTERNAL SASL mechanism?
    b. TLS with simple auth seems to work, although I get a "decode error"
when the ldapsearch query returns, even though it connects on port 636,
authenticates and dumps my query successfully. I have NOT loaded the server
side CA cert PEM onto my client, even though the debug seems to correctly
find and accept the CA cert anyway. Is this correct? Do I need this cert for
server side auth only?
    c. Am I REQUIRED to have a client side cert for TLS to work with AD? If
I do a -ZZ with ldapsearch the query fails; why?

Thanks a lot!

Kind regards,

Andrew.