
RE: sasl binding with ssl encryption



> -----Original Message-----
> From: openldap-technical-bounces+qiang.xu=fujixerox.com@OpenLDAP.org [mailto:openldap-technical-bounces+qiang.xu=fujixerox.com@OpenLDAP.org] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Monday, October 19, 2009 10:35 AM
> To: openldap-technical@openldap.org
> Subject: sasl binding with ssl encryption
> 
> Hi, all: 
> 
> My LDAP SASL binding is successful, but when I want to 
> channel the traffic over SSL, it fails: 
> =====================================================================
> qxu@durian(pts/0):/etc[201]$ kinit XCTEST100@XCIPV6.COM 
> Password for XCTEST100@XCIPV6.COM:
> ...
> qxu@durian(pts/0):/etc[203]$ klist
> Ticket cache: FILE:/tmp/krb5cc_20153
> Default principal: XCTEST100@XCIPV6.COM
> 
> Valid starting     Expires            Service principal
> 10/19/09 10:31:28  10/19/09 20:28:25  krbtgt/XCIPV6.COM@XCIPV6.COM
>         renew until 10/20/09 10:31:28
> ...
> qxu@durian(pts/0):/etc[204]$ ldapsearch -Y GSSAPI -H ldap://13.198.97.42:389 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
> SASL/GSSAPI authentication started
> SASL username: XCTEST100@XCIPV6.COM
> SASL SSF: 56
> SASL installing layers
> dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
> mail: XCTEST100@xcipv6.com
> 
> # refldap://ForestDnsZones.XCIPV6.COM/DC=ForestDnsZones,DC=XCIPV6,DC=COM
> 
> # refldap://DomainDnsZones.XCIPV6.COM/DC=DomainDnsZones,DC=XCIPV6,DC=COM
> 
> # refldap://XCIPV6.COM/CN=Configuration,DC=XCIPV6,DC=COM
> ...
> qxu@durian(pts/0):/etc[205]$ ldapsearch -Y GSSAPI -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>         additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
> ...
> qxu@durian(pts/0):/etc[206]$ ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>         additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
> =====================================================================
> Someone has mentioned that in order to do SASL binding over SSL, the security property "-O maxssf=0" must be set. However, this still fails.

Just want to let you guys know that the failure is due to a defect in Win2008 Server: 
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/44b0ee8f-bb22-4e1c-8de0-21578d204cfc
http://support.microsoft.com/kb/957072

After the hotfix is applied, the search is successful: 
=====================================================================
qxu@durian(pts/0):/etc[243]$ ldapsearch -Y GSSAPI -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 56
SASL installing layers
ldap_result: Can't contact LDAP server (-1)
...
qxu@durian(pts/0):/etc[244]$ ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail
SASL/GSSAPI authentication started
SASL username: XCTEST100@XCIPV6.COM
SASL SSF: 0
dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM
mail: XCTEST100@xcipv6.com

# refldaps://ForestDnsZones.XCIPV6.COM/DC=ForestDnsZones,DC=XCIPV6,DC=COM

# refldaps://DomainDnsZones.XCIPV6.COM/DC=DomainDnsZones,DC=XCIPV6,DC=COM

# refldaps://XCIPV6.COM/CN=Configuration,DC=XCIPV6,DC=COM
=====================================================================
Still, when maxssf is not set to 0, the error msg is quite confusing. In the case of Win2003 Server, the error msg is "Inappropriate authentication (48)", which is much more suggestive.

Regards,
Xu Qiang
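As an added example (not part of Xu Qiang's message or the thread), a small POSIX sh helper that encodes the finding above: over ldaps:// the GSSAPI security layer must be turned off with maxssf=0 because AD refuses sign/seal on a TLS connection, while over plain ldap:// a SASL layer should carry the protection instead. The function names, the minssf=56 floor for ldap://, and the sample outputs fed to the classifier are assumptions constructed from the messages quoted in the thread.

```shell
#!/bin/sh
# Choose SASL security properties for ldapsearch -O from the URL scheme.
#   ldaps:// -> maxssf=0   TLS already protects the session; AD rejects an
#                          additional GSSAPI sign/seal layer (error 53 above).
#   ldap://  -> minssf=56  assumed floor so a plaintext connection is never
#                          left without a SASL layer (56 is the SSF AD
#                          negotiated in the thread).
sasl_props_for_url() {
    case "$1" in
        ldaps://*) printf '%s\n' 'maxssf=0' ;;
        ldap://*)  printf '%s\n' 'minssf=56' ;;
        *)         return 1 ;;
    esac
}

# Compose the ldapsearch command line shown in the thread, with the
# properties appropriate for the transport. Prints the command; does not run it.
build_ldapsearch() {
    url=$1 base=$2 filter=$3
    props=$(sasl_props_for_url "$url") || return 1
    printf 'ldapsearch -Y GSSAPI -O %s -H %s -b %s -s sub -LLL %s mail\n' \
        "$props" "$url" "$base" "$filter"
}

# Classify captured ldapsearch output (stdin) into one diagnostic token.
# Specific patterns are checked before generic ones: the AD sign/seal
# message also contains "unwilling to perform (53)", and the lost-connection
# case also reports a non-zero SSF before the socket drops.
classify_bind_output() {
    out=$(cat)
    case "$out" in
        *"Cannot bind using sign/seal on a connection on which TLS or SSL is in effect"*)
            echo ad-sign-seal-over-tls ;;      # fix: -O maxssf=0 (or the AD hotfix)
        *"Can't contact LDAP server (-1)"*)
            echo lost-connection ;;            # bind ok, layer install broke the session
        *"Inappropriate authentication (48)"*|*"unwilling to perform (53)"*)
            echo bind-rejected ;;              # Win2003-style or other refusal
        *"SASL SSF: 0"*)
            echo ok-tls-only ;;                # no SASL layer; confidentiality from TLS
        *"SASL SSF: "*)
            echo ok-sasl-layer ;;              # GSSAPI layer negotiated over plain ldap
        *)  echo unknown ;;
    esac
}

# Usage (constructed input, not live output):
build_ldapsearch ldaps://13.198.97.42:636 dc=xcipv6,dc=com cn=XCTEST100
printf 'SASL SSF: 0\ndn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM\n' | classify_bind_output
```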