[ https://issues.apache.org/jira/browse/DIRSERVER-2352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408847#comment-17408847 ]

Aaron S Dills commented on DIRSERVER-2352:
------------------------------------------

Error snippet: 

2021-09-02 09:49:58,857 ERROR  Unable to connect to [LDAP_SERVER]:389
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090346: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 80090346, v4563^@
 at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2028) ~[api-all-1.0.2.jar:1.0.2]

> LdapNetworkConnection fails bind(SaslGssApiRequest) 
> ----------------------------------------------------
>
>                 Key: DIRSERVER-2352
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2352
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: kerberos, ldap
>    Affects Versions: 1.0.2
>         Environment: Fedora 33 5.12.12-200, AdoptOpenJDK 11.0.12.0.7 , Tomcat 
> 9.0.45 
>            Reporter: Aaron S Dills
>            Priority: Critical
>
> Microsoft introduced a new requirement on AD domain controllers found here:
> [https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a]
>  
> This has broken binding SaslGssApiRequest with an LdapNetworkConnection that 
> has startTls. On our DC if I toggle the RegistryEntry 
> "LdapEnforceChannelBinding" the bind(SaslGssApiRequest) works again.
> There is a new JNDI environment property that can be set to use channel 
> binding: 
> [https://bugs.openjdk.java.net/browse/JDK-8245527] 
> We need to be able to set this.
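
Added example, not part of the original message or of ApacheDS: a small triage script that pulls the AcceptSecurityContext "data" code out of client logs like the one above and separates channel-binding rejections from credential failures. The code meanings come from the Windows error definitions (80090346 is SEC_E_BAD_BINDINGS), the function names are hypothetical, and the second log entry in the sample is constructed.

```python
import re

# AcceptSecurityContext "data" codes (hex) that AD returns on a failed bind.
# 80090346 = SEC_E_BAD_BINDINGS: the channel bindings supplied by the client
# were missing or did not match the TLS channel. The others are Win32 logon errors.
DATA_CODES = {
    "80090346": ("channel_binding", "SEC_E_BAD_BINDINGS"),
    "52e": ("credentials", "ERROR_LOGON_FAILURE"),
    "525": ("credentials", "ERROR_NO_SUCH_USER"),
    "532": ("credentials", "ERROR_PASSWORD_EXPIRED"),
    "533": ("credentials", "ERROR_ACCOUNT_DISABLED"),
    "775": ("credentials", "ERROR_ACCOUNT_LOCKED_OUT"),
}

# \s+ also matches newlines, so entries wrapped by a mailer or logger still parse.
LDAP_ERR = re.compile(
    r"LdapErr:\s*(?P<dsid>DSID-[0-9A-Fa-f]+),\s*comment:\s*"
    r"AcceptSecurityContext\s+error,\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)

def classify_bind_failures(log_text):
    """Return one finding per LdapErr entry, in order of appearance."""
    findings = []
    for m in LDAP_ERR.finditer(log_text):
        data = m.group("data").lower()
        category, meaning = DATA_CODES.get(data, ("unknown", "unmapped data code"))
        findings.append({"dsid": m.group("dsid"), "data": data,
                         "category": category, "meaning": meaning})
    return findings

def channel_binding_rejections(log_text):
    """Only the failures caused by missing or mismatched channel bindings."""
    return [f for f in classify_bind_failures(log_text)
            if f["category"] == "channel_binding"]

# First entry: the error from this message, still line-wrapped.
# Second entry: constructed for contrast (placeholder DSID, wrong-password code).
SAMPLE_LOG = """\
2021-09-02 09:49:58,857 ERROR  Unable to connect to [LDAP_SERVER]:389
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException:
80090346: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data
80090346, v4563
2021-09-02 09:50:03,120 ERROR  Unable to connect to [LDAP_SERVER]:389
80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v4563
"""

if __name__ == "__main__":
    for finding in classify_bind_failures(SAMPLE_LOG):
        print(finding)
```

A bind that fails with the channel_binding category while the same credentials succeed once "LdapEnforceChannelBinding" is relaxed points at the client not sending channel binding data, not at the account.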


