[35840] in Kerberos
Re: Kerberos authentication to Active Directory with SSL encryption
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Mar 8 15:19:55 2014
From: Russ Allbery <eagle@eyrie.org>
To: "Markus Moeller" <huaraz@moeller.plus.com>
In-Reply-To: <lff59c$d51$1@ger.gmane.org> (Markus Moeller's message of "Sat, 8
Mar 2014 13:17:42 -0000")
Date: Sat, 08 Mar 2014 12:19:37 -0800
Message-ID: <877g84l9ye.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
"Markus Moeller" <huaraz@moeller.plus.com> writes:
> I wonder if someone can point me to a way to achieve an ldaps connection
> to Active Directory with Kerberos (or GSSAPI).
> SASL/GSSAPI seems broken and nobody seems to mind.
Well, I do this all the time to our Active Directory server, so I know it
works. Our experience is that you have to use TLS (which you appear to be
doing), and you need to specify minssf=0 and maxssf=0 because Active
Directory doesn't support a SASL privacy layer when TLS is in use. But it
shouldn't require anything beyond that.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
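
The client settings described in the reply above, as an added example that is not part of the original message: a shell wrapper around OpenLDAP's `ldapsearch` that sets `minssf=0,maxssf=0` for a GSSAPI bind only when the connection is TLS-protected. The function name `ad_ldapsearch`, the `LDAPSEARCH` override and the host and base DN in the usage comment are assumptions; it also handles StartTLS on `ldap://`, which goes beyond the ldaps case asked about in the thread.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread.
#
# maxssf=0 switches off SASL's own integrity/privacy layer, so TLS becomes
# the only protection on the wire. The wrapper therefore refuses any URI
# that would leave the session without TLS.
#
# Usage (needs a Kerberos ticket from kinit; host and base DN are placeholders):
#   ad_ldapsearch ldaps://dc1.example.com dc=example,dc=com '(sAMAccountName=jdoe)'
# Dry run that only prints the command line:
#   LDAPSEARCH="echo ldapsearch" ad_ldapsearch ldaps://dc1.example.com dc=example,dc=com

ad_ldapsearch() {
    if [ "$#" -lt 2 ]; then
        echo "usage: ad_ldapsearch URI BASE_DN [filter] [attrs...]" >&2
        return 2
    fi
    uri=$1
    base=$2
    shift 2

    case $uri in
        ldaps://?*) tls_flag= ;;      # TLS from the first byte
        ldap://?*)  tls_flag=-ZZ ;;   # StartTLS; abort if it cannot be negotiated
        *)
            echo "ad_ldapsearch: refusing URI without TLS option: $uri" >&2
            return 1
            ;;
    esac

    # -Y GSSAPI  : SASL mechanism (Kerberos)
    # -O ...     : SASL security properties; 0/0 means no SASL security layer
    # -Q         : quiet SASL output
    # $LDAPSEARCH and $tls_flag are left unquoted on purpose so that they
    # split into words (or vanish when empty).
    ${LDAPSEARCH:-ldapsearch} -H "$uri" $tls_flag -Q -Y GSSAPI \
        -O minssf=0,maxssf=0 -b "$base" "$@"
}
```

The same security properties can be set once for all OpenLDAP clients with `SASL_SECPROPS minssf=0,maxssf=0` in `ldap.conf`, at the cost of losing the per-connection TLS check the wrapper performs.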