Kerberos authentication to Active Directory with SSL enrcyption

Markus Moeller huaraz at moeller.plus.com
Sat Mar 8 19:28:32 EST 2014 

Hi Simo, Hi Russ,

Thank you for your replies. There was a change in the sasl libraries which 
seems to have broken it.  I posted the below to the sasl mailing list with 
no response. I know it used to work, but not anymore. Which versions do you 
use ?


I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and 
observe the following:

This authenticates the user and encrypts the traffic via the gssapi ( This 
works)

   ldapsearch -H ldap://w2k3r2.win2003r2.home  -Omaxssf=56 -s sub -b 
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"


This should authenticate the user but not encrypt the traffic (This fails)

ldapsearch -H ldap://w2k3r2.win2003r2.home  -Omaxssf=0 -s sub -b 
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required 
input parameter could not be read (Unknown error)


This should authenticate the user with gssapi but encrypt the traffic with 
SSL (This fails)

ldapsearch -H ldaps://w2k3r2.win2003r2.home  -Omaxssf=0 -s sub -b 
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required 
input parameter could not be read (Unknown error)


This should authenticate the user with gssapi but encrypt the traffic with 
SSL (This fails)

ldapsearch -H ldaps://w2k3r2.win2003r2.home  -Omaxssf=56 -s sub -b 
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required 
input parameter could not be read (Unknown error)

Applying the “fix” from Bug 3480 
(https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480)  make all 4 cases 
work.  May I ask why the fix is not correct/applied.   It really limits 
openldap/cyrus-sasl and makes it useless for many environments with Active 
Directory and enforced security (i.e. SSL)

Thank you
Markus

-----Original Message----- 
From: Simo Sorce
Sent: Saturday, March 08, 2014 9:01 PM
To: Russ Allbery
Cc: Markus Moeller ; kerberos at mit.edu
Subject: Re: Kerberos authentication to Active Directory with SSL enrcyption

On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote:
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
>
> > I wonder if someone can point me to a way to achieve an ldaps connection
> > to Active Directory with Kerberos (or GSSAPI ).
>
> >    SASL/GSSAPI seems broken and nobody seems to mind.
>
> Well, I do this all the time to our Active Directory server, so I know it
> works.  Our experience is that you have to use TLS (which you appear to be
> doing), and you need to specify minssf=0 and maxssf=0 because Active
> Directory doesn't support a SASL privacy layer when TLS is in use.  But it
> shouldn't require anything beyond that.

Indeed Active Directory support only one privacy layer, you have to
choose TLS or GSSAPI, can't do both.

However if you choose GSSAPI, Active Directory is a bit stubbornly
strict in the meaning of privacy vs confidentiality bits, so if you use
a library like cyrus-sasl you need to pass to it the "ad_compat" option,
or some Active Directory servers with stricter policies may refuse to
connect.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Kerberos mailing list