
sasl binding with ssl encryption



Hi, all: 

My LDAP SASL binding is successful, but when I want to channel the traffic over SSL, it fails: 
=====================================================================
qxu@durian(pts/0):/etc[201]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:
...
qxu@durian(pts/0):/etc[203]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
10/19/09 10:31:28  10/19/09 20:28:25  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 10/20/09 10:31:28
...
qxu@durian(pts/0):/etc[204]$ ldapsearch -Y GSSAPI -H ldap://13.198.97.42:389 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
mail: XCTEST100@xcipv6.com

# refldap://ForestDnsZones.XCIPV6.COM/DC=ForestDnsZones,DC=XCIPV6,DC=COM

# refldap://DomainDnsZones.XCIPV6.COM/DC=DomainDnsZones,DC=XCIPV6,DC=COM

# refldap://XCIPV6.COM/CN=Configuration,DC=XCIPV6,DC=COM
...
qxu@durian(pts/0):/etc[205]$ ldapsearch -Y GSSAPI -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind
using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
...
qxu@durian(pts/0):/etc[206]$ ldapsearch -Y GSSAPI  -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind
using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
=====================================================================
Someone has mentioned that in order to do SASL binding over SSL, the security property "-O maxssf=0" must be set. However, this still fails.

Any suggestions?

Thanks,
Xu Qiang
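
An added triage example, not part of the original post: it parses two of the ldapsearch runs quoted above and pulls out the negotiated SSF, the LDAP result code and the fields of the server's `LdapErr` diagnostic, so the plain and ldaps binds can be compared side by side. The helper name `summarize` and the result keys are hypothetical; the transcript lines are copied from the message.

```python
import re

# Transcript lines copied from the post above (the ldap:// run and the maxssf=0 ldaps:// run).
PLAIN_RUN = """\
$ ldapsearch -Y GSSAPI -H ldap://13.198.97.42:389 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
"""
LDAPS_RUN = """\
$ ldapsearch -Y GSSAPI  -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind
using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
"""

URI_RE = re.compile(r"-H\s+(ldaps?)://(\S+)")
SSF_RE = re.compile(r"^SASL SSF:\s*(\d+)", re.M)
RESULT_RE = re.compile(r"^(ldap_\w+): (.+?) \((-?\d+)\)", re.M)
AD_RE = re.compile(r"additional info:\s*([0-9A-Fa-f]{8}): LdapErr: (DSID-[0-9A-Fa-f]+), "
                   r"comment: (.*?), data (\w+), (v\w+)", re.S)

def summarize(transcript):
    """Return a dict describing one ldapsearch run (hypothetical helper)."""
    out = {"scheme": None, "ssf": None, "result_code": None, "ad_error": None,
           "dsid": None, "comment": None, "layer_over_tls_rejected": False}
    if m := URI_RE.search(transcript):
        out["scheme"] = m.group(1)
    if m := SSF_RE.search(transcript):
        out["ssf"] = int(m.group(1))        # only printed when the bind succeeded
    if m := RESULT_RE.search(transcript):
        out["result_code"] = int(m.group(3))
    if m := AD_RE.search(transcript):
        out["ad_error"], out["dsid"] = m.group(1), m.group(2)
        # The mail wrapped the server comment across two lines; rejoin it.
        out["comment"] = " ".join(m.group(3).split())
    # True when the server refused a sign/seal bind on an ldaps:// connection.
    out["layer_over_tls_rejected"] = (
        out["scheme"] == "ldaps" and out["result_code"] == 53
        and out["comment"] is not None and "sign/seal" in out["comment"])
    return out

if __name__ == "__main__":
    for name, run in (("ldap://", PLAIN_RUN), ("ldaps://", LDAPS_RUN)):
        print(name, summarize(run))
```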