TLS + GSSAPI ldap binds in 4.0.0alpha17-GIT-2d23dff
Lukasz Zalewski
lukas at eecs.qmul.ac.uk
Mon Aug 15 14:42:52 MDT 2011
On 15/08/2011 12:44, Stephen Gallagher wrote:
> On Mon, 2011-08-15 at 10:40 +0100, Lukasz Zalewski wrote:
>> Hi all,
>> After the update to alpha17 (from alpha12) we have not been able to
>> perform GSSAPI + TLS binds against the ldap server,
>> i.e. after successful kinit the following:
>> ldapsearch -ZZ -Y GSSAPI -h my.domain -b "dc=my,dc=domain" cn=somecn
>> produces error message:
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>> additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
>>
>> TLS without GSSAPI and GSSAPI without TLS binds work fine. Has anyone
>> experienced this issue? Any help would be apreciated :)
>>
>> Many thanks
>>
>> Luk
>
> Why are you trying to do GSSAPI+TLS? It's unnecessary overhead. If
> you're doing a GSSAPI bind, then the GSSAPI tunnel has already encrypted
> all of the communications. You're essentially just asking it to
> re-encrypt everything a second time.
Hi Stephen,
Can i assume that all of the data transmitted is also encrypted in that
tunnel?
Thanks
Luk
More information about the samba-technical
mailing list