[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI+kerberos5+TLS to Active Directory

To: andrew hall <temp01@bluereef.com.au>, openldap-software@OpenLDAP.org
Subject: Re: GSSAPI+kerberos5+TLS to Active Directory
From: Norbert Klasen <norbert.klasen@daasi.de>
Date: Sat, 09 Mar 2002 17:41:48 +0100
Content-disposition: inline
In-reply-to: <00c201c1c723$05cf2990$2e01010a@bluereef.local>
References: <00c201c1c723$05cf2990$2e01010a@bluereef.local>

--On Samstag, 9. März 2002 15:29 +1100 andrew hall <temp01@bluereef.com.au> wrote:

2. Now loading a server side certificate authority on AD and attempting a

 >> TLS start I observe the following:
 >>     a. SASL auth doesn't work in this mode I assume because AD doesn't
 > >support an EXTERNAL SASL mechanism?

 >Correct, no SASL EXTERNAL. However, SASL GSSAPI works, but you need to
 >disable the privacy and intergity protecion on the SASL layer
(sasl_ssf=0).

 Disabling privacy and integrity protection? Can I do this via the -O
switch  with Ldapsearch, or is this a compile-time option?


-O maxssf=0 or SASL_SECPROPS in ldap.conf

--
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de

References:
- Re: GSSAPI+kerberos5+TLS to Active Directory
  - From: "andrew hall" <temp01@bluereef.com.au>

Prev by Date: Re: slurpd.replog truncation?
Next by Date: supported types
Index(es):
- Chronological
- Thread