
Re: Kerberos authentication to Active Directory with SSL encryption

daemon@ATHENA.MIT.EDU (Markus Moeller)
Sat Mar 8 19:28:58 2014

Message-ID: <F6E6D04297464E40BB5732BB68AB3432@Ultrabook1>
From: "Markus Moeller" <huaraz@moeller.plus.com>
To: "Simo Sorce" <simo@redhat.com>, "Russ Allbery" <eagle@eyrie.org>
In-Reply-To: <1394312478.14651.199.camel@willson.li.ssimo.org>
Date: Sun, 9 Mar 2014 00:28:32 -0000
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Simo, Hi Russ,

Thank you for your replies. There was a change in the SASL libraries which 
seems to have broken it. I posted the below to the SASL mailing list with 
no response. I know it used to work, but not anymore. Which versions do you 
use?


I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and 
observe the following:

This authenticates the user and encrypts the traffic via GSSAPI (this 
works):

   ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"


This should authenticate the user but not encrypt the traffic (this fails):

   ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
   SASL/GSSAPI authentication started
   ldap_sasl_interactive_bind_s: Local error (-2)
           additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


This should authenticate the user with GSSAPI but encrypt the traffic with 
SSL (this fails):

   ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
   SASL/GSSAPI authentication started
   ldap_sasl_interactive_bind_s: Local error (-2)
           additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


This should authenticate the user with GSSAPI but encrypt the traffic with 
SSL (this fails):

   ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
   SASL/GSSAPI authentication started
   ldap_sasl_interactive_bind_s: Local error (-2)
           additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

Applying the “fix” from Bug 3480 
(https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480) makes all 4 cases 
work. May I ask why the fix is not correct/applied? It really limits 
openldap/cyrus-sasl and makes it useless for many environments with Active 
Directory and enforced security (i.e. SSL).

Thank you
Markus

-----Original Message----- 
From: Simo Sorce
Sent: Saturday, March 08, 2014 9:01 PM
To: Russ Allbery
Cc: Markus Moeller ; kerberos@mit.edu
Subject: Re: Kerberos authentication to Active Directory with SSL encryption

On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote:
> "Markus Moeller" <huaraz@moeller.plus.com> writes:
>
> > I wonder if someone can point me to a way to achieve an ldaps connection
> > to Active Directory with Kerberos (or GSSAPI ).
>
> >    SASL/GSSAPI seems broken and nobody seems to mind.
>
> Well, I do this all the time to our Active Directory server, so I know it
> works.  Our experience is that you have to use TLS (which you appear to be
> doing), and you need to specify minssf=0 and maxssf=0 because Active
> Directory doesn't support a SASL privacy layer when TLS is in use.  But it
> shouldn't require anything beyond that.

Indeed, Active Directory supports only one privacy layer: you have to
choose TLS or GSSAPI, you can't do both.

However if you choose GSSAPI, Active Directory is a bit stubbornly
strict in the meaning of privacy vs confidentiality bits, so if you use
a library like cyrus-sasl you need to pass to it the "ad_compat" option,
or some Active Directory servers with stricter policies may refuse to
connect.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
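As an added example (not code from the thread, OpenLDAP or cyrus-sasl), a POSIX sh helper that classifies an ldapsearch invocation, its -H scheme plus its -O secprops string, against the one-privacy-layer rule Russ and Simo state above, so a combination such as ldaps:// with a non-zero maxssf is caught before the bind is attempted. The function name, its result labels and the treatment of an unspecified minssf are my own assumptions; it does not cover the ad_compat plugin option.

```shell
#!/bin/sh
# Added example, not part of the thread: classify an ldapsearch invocation
# (the -H scheme plus the -O secprops string) against the rule that Active
# Directory offers exactly one privacy layer: GSSAPI over ldap:// (maxssf > 0)
# or TLS over ldaps:// with minssf=0,maxssf=0. Names are my own choices.
#
# Usage: ad_sasl_mode <ldap|ldaps> <secprops>
# Prints gssapi-privacy | tls-privacy | none | conflict
# Exit 0 for the two workable combinations, 1 otherwise.
ad_sasl_mode() {
    scheme=$1
    secprops=$2
    minssf=""
    maxssf=""
    # Pick the ssf bounds out of the comma-separated secprops list.
    oldifs=$IFS
    IFS=,
    for kv in $secprops; do
        case $kv in
            minssf=*) minssf=${kv#minssf=} ;;
            maxssf=*) maxssf=${kv#maxssf=} ;;
        esac
    done
    IFS=$oldifs
    case $scheme in
        ldap)
            # No maxssf means no upper bound, so GSSAPI negotiates a privacy
            # layer itself; maxssf=0 authenticates but leaves the session open.
            if [ -z "$maxssf" ] || [ "$maxssf" -gt 0 ]; then
                echo gssapi-privacy; return 0
            fi
            echo none; return 1
            ;;
        ldaps)
            # TLS already protects the session. Following Russ's advice, both
            # bounds must be explicitly 0 so no SASL layer is requested
            # (assumption: an unspecified minssf is not treated as 0).
            if [ "$minssf" = 0 ] && [ "$maxssf" = 0 ]; then
                echo tls-privacy; return 0
            fi
            echo conflict; return 1
            ;;
        *) echo "unknown scheme: $scheme" >&2; return 2 ;;
    esac
}
```

Applied to the four commands in the thread it reports gssapi-privacy for the first, none for the ldap:// maxssf=0 case (authenticated but unprotected traffic), and conflict for both ldaps:// cases, since neither sets minssf=0,maxssf=0.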



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos