Thanks,
Kris
On Tue, Oct 7, 2014 at 12:11 PM, Kristof Takacs <kristof.takacs@gmail.com
<mailto:kristof.takacs@gmail.com>> wrote:
Thanks for letting me know that it's an ok use case.
The back end is AD, but it is a "black box" to me. I have access, but the
event viewer is empty. It does work if I use Kerberos only or TLS with
simple bind through. Is there anything you can suggest that I can do on
the server side to show me what it may be complaining about?
Thanks for your help!
Kris
On Tue, Oct 7, 2014 at 10:31 AM, Howard Chu <hyc@symas.com
<mailto:hyc@symas.com>> wrote:
Kristof Takacs wrote:
Is the usecase of SASL authentication with Kerberos to the LDAP
server and TLS
to the LDAP server for all other communication a valid one?
Certainly it is valid, and has worked in the past. Just keep in mind
that what you've described here is SASL/GSSAPI + TLS on the same
session. Not all LDAP servers support that, M$ AD is known to have
failed on that in the past. It has been tested to work fine in
OpenLDAP before.
I have not personally tested with the version of Cyrus SASL and
Heimdal Kerberos you mentioned, so no comment on the current state of
things.
Thanks,
Kris
On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite@olp.net
<mailto:dwhite@olp.net>
<mailto:dwhite@olp.net <mailto:dwhite@olp.net>>> wrote:
On 10/06/14 13:24 -0500, Dan White wrote:
There is a known bug in Cyrus SASL which triggers this
problem:
https://bugzilla.cyrusimap.____org/show_bug.cgi?id=3480
<https://bugzilla.cyrusimap.__org/show_bug.cgi?id=3480
<https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480>>
If adding "-O maxssf=0" to your ldapsearch command, when
using both
Kerberos and TLS, works then that's likely the culprit.
Apparently I can't read my own bug reports. This may or may
not be your
issue.
--
Dan White