On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote: > "Markus Moeller" <[email protected]> writes: > > > I wonder if someone can point me to a way to achieve an ldaps connection > > to Active Directory with Kerberos (or GSSAPI ). > > > SASL/GSSAPI seems broken and nobody seems to mind. > > Well, I do this all the time to our Active Directory server, so I know it > works. Our experience is that you have to use TLS (which you appear to be > doing), and you need to specify minssf=0 and maxssf=0 because Active > Directory doesn't support a SASL privacy layer when TLS is in use. But it > shouldn't require anything beyond that.
Indeed Active Directory support only one privacy layer, you have to choose TLS or GSSAPI, can't do both. However if you choose GSSAPI, Active Directory is a bit stubbornly strict in the meaning of privacy vs confidentiality bits, so if you use a library like cyrus-sasl you need to pass to it the "ad_compat" option, or some Active Directory servers with stricter policies may refuse to connect. Simo. -- Simo Sorce * Red Hat, Inc * New York ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
