Kristof Takacs wrote:
> Is the use case of SASL authentication with Kerberos to the LDAP server and TLS to the LDAP server for all other communication a valid one?
Certainly it is valid, and has worked in the past. Just keep in mind that what you've described here is SASL/GSSAPI + TLS on the same session. Not all LDAP servers support that; M$ AD is known to have failed on that in the past. It has been tested to work fine in OpenLDAP before.
I have not personally tested with the version of Cyrus SASL and Heimdal Kerberos you mentioned, so no comment on the current state of things.
> Thanks,
> Kris
>
> On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite@olp.net> wrote:
>> On 10/06/14 13:24 -0500, Dan White wrote:
>>> There is a known bug in Cyrus SASL which triggers this problem:
>>> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>>> If adding "-O maxssf=0" to your ldapsearch command, when using both
>>> Kerberos and TLS, works then that's likely the culprit.
>>
>> Apparently I can't read my own bug reports. This may or may not be your issue.
>>
>> --
>> Dan White
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
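The combination discussed in this thread (SASL/GSSAPI bind over StartTLS, with "-O maxssf=0" so SASL does not negotiate its own security layer on top of TLS) as a small shell script. This is an added example and is not part of the thread or of OpenLDAP's own tooling; the server URI, base DN and filter are placeholders, and the check relies on the "SASL SSF: N" line that ldapsearch prints after a SASL bind (ldapsearch prints "SASL data security layer installed." only when N is greater than 0). The sample ldapsearch output in the comments and test is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread: run a GSSAPI bind over StartTLS
# with the SASL security layer disabled, and verify from ldapsearch's own
# diagnostics that no SASL layer was stacked on top of TLS.

# Extract N from the "SASL SSF: N" line in ldapsearch output.
# Prints N, or "none" when the line is absent (bind failed, or -Q was used).
sasl_ssf_from_output() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ssf" ] && printf '%s\n' "$ssf" || printf 'none\n'
}

# Succeeds (exit 0) only when SASL negotiated no security layer (SSF 0),
# i.e. TLS alone is protecting the session after the bind.
sasl_layer_disabled() {
    [ "$(sasl_ssf_from_output "$1")" = "0" ]
}

# Run the search. -ZZ makes StartTLS mandatory (plain -Z would silently
# continue in cleartext if StartTLS failed, which with maxssf=0 would leave
# the session unprotected). -O maxssf=0 tells Cyrus SASL not to negotiate
# integrity/confidentiality on its own, which is what the thread's
# workaround does. Both stdout and stderr are captured because the SASL
# diagnostics and any bind error are needed for the check.
# Arguments: LDAP URI, search base, optional filter (all placeholders here).
gssapi_over_tls_search() {
    uri=$1
    base=$2
    filter=${3:-'(objectClass=*)'}
    if out=$(ldapsearch -H "$uri" -ZZ -Y GSSAPI -O maxssf=0 -b "$base" "$filter" 2>&1); then
        printf '%s\n' "$out"
        sasl_layer_disabled "$out"
    else
        rc=$?
        printf '%s\n' "$out" >&2
        return "$rc"
    fi
}

# Only talks to a server when LDAP_URI and LDAP_BASE are set, e.g.
#   LDAP_URI=ldap://ldap.example.com LDAP_BASE=dc=example,dc=com sh gssapi-tls.sh
# Expected tail of the output on success (constructed, not a real capture):
#   SASL/GSSAPI authentication started
#   SASL username: kris@EXAMPLE.COM
#   SASL SSF: 0
if [ -n "${LDAP_URI:-}" ] && [ -n "${LDAP_BASE:-}" ]; then
    if gssapi_over_tls_search "$LDAP_URI" "$LDAP_BASE"; then
        echo "OK: GSSAPI bind over TLS, no SASL security layer negotiated"
    else
        echo "FAIL: bind failed or a SASL layer was negotiated on top of TLS" >&2
        exit 1
    fi
fi
```

The same effect without the command-line flag: put `SASL_SECPROPS maxssf=0` in ldap.conf(5) or ~/.ldaprc, which applies to every libldap client on the host. Keep `-ZZ` (or `TLS_REQCERT demand` plus a mandatory StartTLS in the client) whenever maxssf=0 is in use, since with the SASL layer gone TLS is the only thing encrypting the traffic after the bind.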