[Samba] ldapsearch with samba4 (now a question about SASL and ldaps
Matthieu Patou
mat at samba.org
Mon Apr 25 08:14:47 MDT 2011
Hello Andrew,
>
> Update...
>
> I did get ldaps and -Z working, but I can't do it with SASL, I can't
> find docs that say, but is it possible that SASL (GSSAPI) and ldaps
> are not compatible?
>
What is -Z supposed to do?
>
> ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
>
> <snip>
> So the question is are SASL and ldaps not compatible and if that is
> the case which is better? I like GSSAPI because I don't need to store
> passwords on the system, but I'm not clear on how encrypted the data
> being transmitted is. I did a packet capture and I do see some data
> that doesn't look like clear text, but that's all I know for sure :)
>
Have a look at ldbsearch (our LDAP-like search tool).
Can you try ldbsearch -H ldaps://name_of_your_dc -k 1
It should work to do GSSAPI (Kerberos) and ldaps, at least it works for me!
Can you also try ldbsearch -H ldaps://name_of_your_dc -U user_in_the_ad
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary