
Re: GSSAPI+kerberos5+TLS to Active Directory
--On Freitag, 8. März 2002 19:34 +1100 andrew hall <temp01@bluereef.com.au> wrote:

Hello,

I have been playing with openldap and MS active directory over the past
couple of days trying to figure out what will and won't work when
connecting SASL and TLS connections from a unix client such as ldapsearch
to active directory. I have successfully compiled the Openldap 2.0.23
libraries with openSSL 0.96c, MIT kerb5 1.2.3, Cyrus SASL 1.5 and tested
connecting against AD to see what comes back.

I successfully get a GSSAPI/kerb5 connection working to AD after I use
Kinit to get the TGT, however I now have a few questions that I hope
someone can enlighten me with answers to:

1. I made a user account on AD for my unix host, used a utility called
Ktutil and generated a keytab file from the account information. This I
loaded onto my unix host and used KTutil to load the keytab file into
/etc/keytab. After playing for a while I deleted this file, issued a
Kdestroy and tried to reconnect again to AD and was still able to. It seems
this file isn't important for client SASL connections? Is this true or is
something being cached elsewhere on my unix host that holds the
credentials?

You only need these keytab entries if you want to run a GSSAPI-enabled server of some kind on your unix host.


2. Now loading a server side certificate authority on AD and attempting a
TLS start I observe the following:
    a. SASL auth doesn't work in this mode I assume because AD doesn't
support an EXTERNAL SASL mechanism?

Correct, no SASL EXTERNAL. However, SASL GSSAPI works, but you need to disable the privacy and integrity protection on the SASL layer (sasl_ssf=0).


    b. TLS with simple auth seems to work although I get a "decode error"
when the ldapsearch query returns, even though it connects on port 636,
authenticates and dumps my query successfully. I have NOT loaded the
server side CA cert PEM onto my client even though the debug seems to
correctly find and accept the CA cert anyway, is this correct? Do I need
this cert for server side auth only?

Probably an issue with maxbufsize or sockbuf_max_incoming. Try setting a size limit (-z 1).


    c. Am I REQUIRED to have a client side cert for TLS to work with AD?
If I do a ZZ with ldapsearch the query fails, why?

No need for a client cert. Remember that AD does not support SASL EXTERNAL, so it wouldn't be of any use.
-ZZ requires the StartTLS extop to succeed. This is not implemented by AD. AD just supports LDAP over SSL.


--
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de
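The three connection shapes the reply describes (GSSAPI alone, GSSAPI over LDAP-over-SSL with the SASL security layer switched off, and simple bind over ldaps://), as an added example that is not part of the thread or of OpenLDAP. It is a small sh function that assembles the ldapsearch command line for each case and refuses the two shapes the reply rules out for AD (StartTLS via -ZZ, which AD does not implement) or that a practitioner should never use (simple bind without TLS, which sends the password in clear). Assumptions: the -H/-Y/-O/-x/-z options of OpenLDAP 2.x ldapsearch; `-O maxssf=0` as the ldapsearch form of the "sasl_ssf=0" setting the reply mentions; a valid Kerberos TGT from kinit already in the credential cache for the GSSAPI cases; the host name, base DN and bind DN are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): build an ldapsearch command
# line for talking to Active Directory in the ways discussed in the reply.
#
#   mode gssapi      Kerberos/GSSAPI bind over plain LDAP (needs a TGT from kinit)
#   mode gssapi-tls  GSSAPI bind over LDAP-over-SSL (port 636); the SASL
#                    integrity/privacy layer is disabled with -O maxssf=0, the
#                    ldapsearch equivalent (assumed) of the reply's sasl_ssf=0
#   mode simple-tls  simple bind with DN and password, only over ldaps://
#   mode simple      refused: the password would cross the wire in clear
#   mode starttls    refused: AD has no StartTLS extended op, so -ZZ cannot work
#
# Usage: ad_ldapsearch_cmd MODE HOST BASE [FILTER] [BINDDN]
# SIZELIMIT defaults to 1 (the reply's "-z 1" workaround for the decode error);
# raise it once the connection itself is known to be good.
ad_ldapsearch_cmd() {
    mode=$1
    host=$2
    base=$3
    filter=${4:-'(objectClass=*)'}
    sizelimit=${SIZELIMIT:-1}

    case $mode in
        gssapi)
            printf '%s\n' "ldapsearch -H ldap://$host:389 -Y GSSAPI -b '$base' -z $sizelimit '$filter'"
            ;;
        gssapi-tls)
            # TLS already provides confidentiality and integrity; the reply says
            # AD will not negotiate the SASL security layer on top of it.
            printf '%s\n' "ldapsearch -H ldaps://$host:636 -Y GSSAPI -O maxssf=0 -b '$base' -z $sizelimit '$filter'"
            ;;
        simple-tls)
            binddn=${5:?simple-tls needs a bind DN as the fifth argument}
            # -W prompts for the password so it never lands in the shell history.
            printf '%s\n' "ldapsearch -H ldaps://$host:636 -x -D '$binddn' -W -b '$base' -z $sizelimit '$filter'"
            ;;
        simple)
            echo "refusing: simple bind without TLS sends the password in clear; use simple-tls" >&2
            return 1
            ;;
        starttls)
            echo "refusing: AD does not implement the StartTLS extended operation (-ZZ); use ldaps:// on port 636" >&2
            return 1
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
}

# Example invocations (placeholder host and DNs); run the printed line yourself:
#   ad_ldapsearch_cmd gssapi-tls dc01.example.test 'dc=example,dc=test' '(sAMAccountName=alice)'
#   ad_ldapsearch_cmd simple-tls dc01.example.test 'dc=example,dc=test' '(objectClass=*)' 'cn=reader,cn=Users,dc=example,dc=test'
```

The function only prints the command so the choice of options can be checked before anything touches the domain controller; the server certificate is still validated by the client's ldap.conf TLS settings, which the function does not replace.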