[35842] in Kerberos


Re: Kerberos authentication to Active Directory with SSL encryption

daemon@ATHENA.MIT.EDU (Simo Sorce)
Sat Mar 8 16:01:33 2014

From: Simo Sorce <simo@redhat.com>
To: Russ Allbery <eagle@eyrie.org>
In-Reply-To: <877g84l9ye.fsf@windlord.stanford.edu>
Date: Sat, 08 Mar 2014 16:01:18 -0500
Message-ID: <1394312478.14651.199.camel@willson.li.ssimo.org>
Mime-Version: 1.0
Cc: Markus Moeller <huaraz@moeller.plus.com>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote:
> "Markus Moeller" <huaraz@moeller.plus.com> writes:
> 
> > I wonder if someone can point me to a way to achieve an ldaps connection
> > to Active Directory with Kerberos (or GSSAPI ).
> 
> >    SASL/GSSAPI seems broken and nobody seems to mind.
> 
> Well, I do this all the time to our Active Directory server, so I know it
> works.  Our experience is that you have to use TLS (which you appear to be
> doing), and you need to specify minssf=0 and maxssf=0 because Active
> Directory doesn't support a SASL privacy layer when TLS is in use.  But it
> shouldn't require anything beyond that.

Indeed, Active Directory supports only one privacy layer: you have to
choose TLS or GSSAPI, you can't do both.

However, if you choose GSSAPI, Active Directory is a bit stubbornly
strict in the meaning of the privacy vs. confidentiality bits, so if you use
a library like cyrus-sasl you need to pass it the "ad_compat" option,
or some Active Directory servers with stricter policies may refuse to
connect.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
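The two working configurations described in this thread (TLS with the SASL layers switched off, or plain LDAP with a GSSAPI confidentiality layer), as an added shell example that is not part of the original messages: a helper that emits the OpenLDAP ldapsearch invocation for each mode and rejects anything else. The host name is a placeholder, and the cyrus-sasl config file path mentioned in the comments is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Active Directory offers exactly one
# privacy layer per connection, so either TLS (ldaps://) carries the
# encryption and the GSSAPI layers must be disabled with minssf=0,maxssf=0,
# or the connection is plain ldap:// and GSSAPI provides confidentiality.
# $1 = "tls" or "gssapi"; $2 = AD host (dc1.example.internal is a placeholder).
ad_ldapsearch_cmd() {
  mode=$1
  host=${2:-dc1.example.internal}
  case "$mode" in
    tls)
      # TLS encrypts the session; -O minssf=0,maxssf=0 tells the SASL
      # GSSAPI mechanism not to negotiate a second layer AD would refuse.
      echo "ldapsearch -Y GSSAPI -O minssf=0,maxssf=0 -H ldaps://$host -b '' -s base"
      ;;
    gssapi)
      # No TLS: require a GSSAPI confidentiality layer. In OpenLDAP's SSF
      # scale 1 means integrity only and 56 is the usual floor for encryption.
      # With cyrus-sasl, AD's strict reading of the privacy/confidentiality
      # bits may also require "ad_compat" in the application's SASL config
      # (assumed here to be /etc/sasl2/ldap.conf with a line "ad_compat: yes").
      echo "ldapsearch -Y GSSAPI -O minssf=56 -H ldap://$host -b '' -s base"
      ;;
    *)
      # ldaps:// plus a GSSAPI privacy layer is the combination AD rejects,
      # so there is deliberately no mode that builds it.
      echo "usage: ad_ldapsearch_cmd tls|gssapi [host]" >&2
      return 1
      ;;
  esac
}
```

Running the emitted command with a valid ticket cache (kinit first) reads the rootDSE, which is enough to confirm the bind and layer negotiation succeeded.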

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
