[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: GSSAPI+kerberos5+TLS to Active Directory
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of andrew hall
> Hello,
>
> I have been playing with openldap and MS active directory over the past
> couple of days trying to figure out what will and won't work when
> connecting
> SASL and TLS connections from a unix client such as ldapsearch to active
> directory. I have successfully compiled the Openldap 2.0.23 libraries with
> openSSL 0.96c, MIT kerb5 1.2.3, Cyrus SASL 1.5 and tested
> connecting against
> AD to see what comes back.
>
> I successfully get a GSSAPI/kerb5 connection working to AD after
> I use Kinit
> to get the TGT, however I now have a few questions that I hope someone can
> enlighten me with answers to:
>
> 1. I made a user account on AD for my unix host, used a utility called
> Ktutil and generated a keytab file from the account information. This I
> loaded onto my unix host and used KTutil to load the keytab file into
> /etc/keytab. After playing for a while I deleted this file, issued a
> Kdestroy and tried to reconnect again to AD and was still able. It seems
> this file isn't important for client SASL connections? Is this true or is
> something being cached elsewhere on my unix host that holds the
> credentials?
Keytabs are only used by Kerberized servers, not for clients.
>
> 2. Now loading a server side certificate authority on AD and attempting a
> TLS start I observe the following:
> a. SASL auth doesn't work in this mode I assume because AD doesn't
> support an EXTERNAL SASL mechanism?
Your guess is agood as anyone's when it comes to Microsoft. You might try
querying AD's rootDSE to see what supportedSASLMechanisms it advertises,
but as I recall they only do GSSAPI and SPNEGO.
> b. TLS with simple auth seems to work although I get a "decode error"
> when the ldapsearch query returns, even though it connects on port 636,
> authenticates and dumps my query successfully. I have NOT loaded
> the server
> side CA cert PEM onto my client even though the debug seems to correctly
> find and accept the CA cert anyway, is this correct? Do I need
> this cert for
> server side auth only?
Not sure what this is about. In general, the client needs access to the
server's CA cert to verify the server's identity.
> c. Am I REQUIRED to have a client side cert for TLS to work
> with AD?
Client-side certs are always optional. I think for AD they are always
ignored.
> If
> I do a ZZ with ldapsearch the query fails, why?
There's a difference between StartTLS (which the -ZZ options use) and LDAPS
(which is what you generally use on port 636). This is certainly a
Frequently Asked Question and has been answered before. Suffice to say, the
two are mutually exclusive.
>
> Thanks alot!
>
> Kind regards,
>
> Andrew.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support