I'm using openldap, cyrus-sasl, heimdal, and openssl.
And apparently they are all working correctly.
I use the standard kerberos "kinit" tool to get my TGT; this is successful. I use the standard openldap "ldapsearch" tool to attempt to do an LDAP+GSSAPI over TLS (cert level "demand") search, and I get two errors.
The first error is an "inappropriate auth", which seems to come from openldap. The second error is "Cannot start kerberos signing/sealing when using TLS/SSL", which seems to come from GSSAPI-land.
Interesting facts:
- This fails against Windows 2003 AD.
Questions about why Microsoft AD is broken belong in a Microsoft forum.
- But succeeds against a BSD box running an openldap server.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
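The "Cannot start kerberos signing/sealing when using TLS/SSL" message in the thread is AD refusing to negotiate a SASL GSSAPI security layer on a session that TLS already protects. The usual remedy on the OpenLDAP client side is to cap the SASL security strength factor at zero (`-O maxssf=0`, or `SASL_SECPROPS maxssf=0` in ldap.conf) whenever TLS carries the session, and to keep a SASL layer only when TLS is absent. The script below is an added example, not code from the thread or from OpenLDAP; the host `ad.example.test` and the sample error text are constructed placeholders, and it assumes a valid TGT from `kinit` and OpenLDAP's `ldapsearch`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenLDAP ldapsearch and a TGT
# obtained with kinit. ad.example.test is a placeholder host name.

# Build the ldapsearch arguments for a GSSAPI bind. With TLS ("-ZZ" forces
# StartTLS to succeed) we request no SASL security layer (maxssf=0), because
# TLS already gives confidentiality and AD rejects Kerberos sign/seal on top
# of it. Without TLS we instead demand a SASL confidentiality layer so the
# session is never sent in the clear.
ldap_gssapi_args() {
    transport="$1"      # "tls" or "plain"
    base="$2"           # search base DN
    if [ "$transport" = "tls" ]; then
        echo "-H ldap://ad.example.test -ZZ -Y GSSAPI -O maxssf=0 -b $base"
    else
        echo "-H ldap://ad.example.test -Y GSSAPI -O minssf=56 -b $base"
    fi
}

# Classify ldapsearch diagnostics so a wrapper can retry with the right SASL
# properties. The sign/seal message is checked first because AD reports it
# together with the generic "Inappropriate authentication" result.
classify_error() {
    case "$1" in
        *"Cannot start kerberos signing/sealing when using TLS/SSL"*)
            echo "disable-sasl-layer" ;;
        *"Inappropriate authentication"*)
            echo "check-mechanism" ;;
        *)
            echo "unknown" ;;
    esac
}

# Constructed sample of the failure the thread describes (not captured output).
SAMPLE_ERR='ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
	additional info: Cannot start kerberos signing/sealing when using TLS/SSL'

# Stand-alone run: show the classification and the argument set to use next.
if [ "$(classify_error "$SAMPLE_ERR")" = "disable-sasl-layer" ]; then
    echo "retry with: ldapsearch $(ldap_gssapi_args tls 'dc=example,dc=test')"
fi
```

The `TLS_REQCERT demand` setting the poster mentions lives in ldap.conf and is unaffected; only the SASL layer negotiation changes.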