
Re: Cannot start kerberos signing/sealing when using TLS/SSL



Jeremiah Martell wrote:
> I'm using openldap, cyrus-sasl, heimdal, and openssl.
>
> And apparently they are all working correctly.
>
> I use the standard kerberos "kinit" tool to get my TGT; this is successful.
> I use the standard openldap "ldapsearch" tool to attempt to do an
> LDAP+GSSAPI over TLS (cert level "demand") search, and I get two
> errors.
>
> The first error is an "inappropriate auth", which seems to come from openldap.
> The second error is "Cannot start kerberos signing/sealing when using
> TLS/SSL", which seems to come from GSSAPI-land.
>
> Interesting facts:
>
> - This fails against Windows 2003 AD.

Questions about why Microsoft AD is broken belong in a Microsoft forum.

> - But succeeds against a BSD box running an openldap server.

--
  -- Howard Chu
  CTO, Symas Corp.            http://www.symas.com
  Director, Highland Sun      http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP   http://www.openldap.org/project/
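The invocation Jeremiah describes (kinit, then ldapsearch with a GSSAPI bind over TLS with certificate checking set to "demand") and the two error strings he quotes can be captured in a small shell helper. The script below is an added example written for this archive page; it is not code from the thread, from OpenLDAP or from Symas. It assumes OpenLDAP's ldapsearch options -Y GSSAPI, -ZZ (start TLS and fail if it cannot be started) and -O maxssf=0 (SASL security properties, so that SASL does not negotiate its own integrity/confidentiality layer on top of TLS, which is the combination the Active Directory error text refuses). The host name, base DN and the sample stderr text are constructed for the example; real output would carry the server's own additional-info string.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions: OpenLDAP ldapsearch with -Y GSSAPI, -ZZ and -O maxssf=0;
# "cert level demand" is TLS_REQCERT demand in ldap.conf (or LDAPTLS_REQCERT=demand).

# Constructed stderr resembling what Jeremiah reports: an "inappropriate
# authentication" result followed by the AD signing/sealing message.
SAMPLE_STDERR='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
	additional info: Cannot start kerberos signing/sealing when using TLS/SSL'

# Classify ldapsearch stderr text. Prints one word:
#   sasl-layer-vs-tls  : server refused a SASL signing/sealing layer on a
#                        session TLS already protects (the actionable cause)
#   inappropriate-auth : only "Inappropriate authentication" was reported
#   ok                 : neither message is present
classify_ldap_error() {
    if printf '%s\n' "$1" | grep -qi 'signing/sealing'; then
        echo sasl-layer-vs-tls
    elif printf '%s\n' "$1" | grep -qi 'inappropriate auth'; then
        echo inappropriate-auth
    else
        echo ok
    fi
}

# Build the ldapsearch argument list for a GSSAPI bind.
# $1 = host, $2 = base DN, $3 = 1 to run over StartTLS.
# Over TLS, add -O maxssf=0 so SASL leaves integrity/confidentiality to TLS
# instead of negotiating Kerberos signing/sealing as well.
ldapsearch_args() {
    host=$1; base=$2; over_tls=$3
    args="-H ldap://$host -Y GSSAPI -b $base"
    if [ "$over_tls" = 1 ]; then
        args="$args -ZZ -O maxssf=0"
    fi
    echo "$args"
}

# Stand-alone run: show the diagnosis of the constructed output and the
# adjusted command line (the search itself is not executed here).
main() {
    echo "diagnosis: $(classify_ldap_error "$SAMPLE_STDERR")"
    echo "kinit user@EXAMPLE.TEST   # obtain the TGT first (constructed realm)"
    echo "LDAPTLS_REQCERT=demand ldapsearch $(ldapsearch_args dc.example.test dc=example,dc=test 1) '(objectClass=*)'"
}
[ "${0##*/}" = "sh" ] || main
```

The diagnosis function keys on the AD message rather than on the generic result code, because "Inappropriate authentication (48)" on its own does not say whether the problem is the SASL layer or something else; the -O maxssf=0 adjustment only applies when the signing/sealing text is present.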