Kerberos authentication to Active Directory with SSL encryption

Simo Sorce simo at redhat.com
Sat Mar 8 16:01:18 EST 2014


On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote:
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
> 
> > I wonder if someone can point me to a way to achieve an ldaps connection
> > to Active Directory with Kerberos (or GSSAPI ).
> 
> >    SASL/GSSAPI seems broken and nobody seems to mind.
> 
> Well, I do this all the time to our Active Directory server, so I know it
> works.  Our experience is that you have to use TLS (which you appear to be
> doing), and you need to specify minssf=0 and maxssf=0 because Active
> Directory doesn't support a SASL privacy layer when TLS is in use.  But it
> shouldn't require anything beyond that.

Indeed Active Directory supports only one privacy layer; you have to
choose TLS or GSSAPI, you can't do both.

However if you choose GSSAPI, Active Directory is a bit stubbornly
strict in the meaning of privacy vs confidentiality bits, so if you use
a library like cyrus-sasl you need to pass to it the "ad_compat" option,
or some Active Directory servers with stricter policies may refuse to
connect.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
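The rule both replies describe (exactly one privacy layer: TLS on an ldaps:// connection with the SASL layer disabled via minssf=0,maxssf=0, or the GSSAPI wrap on a plain ldap:// connection) as a small shell wrapper around OpenLDAP's ldapsearch. This is an added example, not code from the thread or from Red Hat; the host dc.example.com, the base DN DC=example,DC=com and the minssf=56 floor are assumptions, and it expects a valid Kerberos ticket (kinit) and an ldapsearch built against cyrus-sasl. The cyrus-sasl "ad_compat" option mentioned above is not set here, since how an application exposes it varies.

```shell
# Added example (not from the mailing-list thread). Assumed names:
# dc.example.com, DC=example,DC=com, and the minssf=56 floor for GSSAPI wrap.
# Active Directory accepts exactly one privacy layer: TLS or the GSSAPI SASL
# layer, never both. Pick the SASL security properties from the URI scheme.
ad_sasl_props() {
    case "$1" in
        ldaps://*)
            # TLS already encrypts the session: tell SASL not to negotiate
            # its own integrity/confidentiality layer on top of it.
            printf '%s\n' 'minssf=0,maxssf=0'
            ;;
        ldap://*)
            # No TLS: require a GSSAPI security layer instead (assumed floor).
            printf '%s\n' 'minssf=56'
            ;;
        *)
            printf 'unsupported LDAP URI: %s\n' "$1" >&2
            return 1
            ;;
    esac
}

# Validate an explicit (uri, props) pair before using it: ldaps:// must have
# the SASL layer off (maxssf=0); ldap:// must not disable it, or the session
# would be sent in the clear. Returns 0 when the pair is acceptable.
ad_check_props() {
    uri=$1
    props=$2
    case "$uri" in
        ldaps://*)
            case ",$props," in
                *,maxssf=0,*) return 0 ;;
            esac
            return 1
            ;;
        ldap://*)
            case ",$props," in
                *,maxssf=0,*) return 1 ;;
                *,minssf=0,*) return 1 ;;
            esac
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# Run ldapsearch against AD with Kerberos via SASL/GSSAPI.
#   -Y GSSAPI  use the Kerberos SASL mechanism
#   -N         do not rewrite the DC hostname via reverse DNS, so the
#              ldap/<host> service principal requested matches the name given
#   -O         SASL security properties chosen by ad_sasl_props above
ad_ldapsearch() {
    uri=$1
    base=$2
    shift 2
    props=$(ad_sasl_props "$uri") || return 1
    ad_check_props "$uri" "$props" || return 1
    ldapsearch -LLL -H "$uri" -Y GSSAPI -N -O "$props" -b "$base" "$@"
}

# Example invocation (needs a ticket and network access):
#   kinit user@EXAMPLE.COM
#   ad_ldapsearch ldaps://dc.example.com DC=example,DC=com '(sAMAccountName=user)'
```

The same properties can be made the default for every OpenLDAP client on the host by putting `SASL_SECPROPS minssf=0,maxssf=0` in ldap.conf, but only for hosts that always talk ldaps:// to the DC; with that global setting a plain ldap:// GSSAPI bind would go over the wire unencrypted.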


