Hello,
I have been playing with openldap and MS active directory over the past
couple of days trying to figure out what will and won't work when
connecting SASL and TLS connections from a unix client such as ldapsearch
to active directory. I have successfully compiled the OpenLDAP 2.0.23
libraries with openSSL 0.96c, MIT kerb5 1.2.3, Cyrus SASL 1.5 and tested
connecting against AD to see what comes back.
I successfully get a GSSAPI/kerb5 connection working to AD after I use
kinit to get the TGT, however I now have a few questions that I hope
someone can enlighten me with answers to:
1. I made a user account on AD for my unix host, used a utility called
ktutil and generated a keytab file from the account information. This I
loaded onto my unix host and used ktutil to load the keytab file into
/etc/keytab. After playing for a while I deleted this file, issued a
kdestroy and tried to reconnect again to AD and was still able to. It seems
this file isn't important for client SASL connections? Is this true or is
something being cached elsewhere on my unix host that holds the
credentials?
2. TLS with simple auth seems to work although I get a "decode error"
when the ldapsearch query returns, even though it connects on port 636,
authenticates and dumps my query successfully. I have NOT loaded the
server side CA cert PEM onto my client even though the debug seems to
correctly find and accept the CA cert anyway, is this correct? Do I need
this cert for server-side auth only?
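As an added example (not the poster's own configuration), a client-side ldap.conf for the port 636 case in question 2, showing the setting that skips certificate checking beside the one that actually verifies the AD server's certificate; the host name, base DN and CA file path are placeholders:

```conf
# Client ldap.conf (added example; host, base DN and CA path are placeholders)

# ldaps:// means TLS from the first byte on port 636, not StartTLS on 389
URI     ldaps://dc1.example.com
BASE    dc=example,dc=com

# Weak: any server certificate is accepted, so the session is encrypted
# but the identity of the directory server is never checked.
#TLS_REQCERT never

# Corrected: require a server certificate and verify it against the CA
# that issued it. It is the CA certificate (PEM), not the server's own
# certificate, that has to be copied onto the client.
TLS_CACERT  /etc/openldap/cacerts/ad-ca.pem
TLS_REQCERT demand
```

For the GSSAPI case in question 1, the client reads its credentials from the ticket cache that kinit writes (visible with klist), not from /etc/keytab; a keytab is only needed when the host itself must accept service tickets or obtain tickets without a password.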