First, thank you Simo and Stephen for your assistance and patience. I really appreciate
On Jul 18, 2012, at 5:52 PM, Simo Sorce wrote:
> On Wed, 2012-07-18 at 16:37 -0400, David Warden wrote:
> > While my 40kb+ post with log messages waits for admin approval, it is
> > with great shame (and some joy) that I report that I was able to
> > resolve my issue by changing to not connect to AD over LDAP+SSL (port
> > 636) and instead connect to normal unencrypted LDAP on port 389. I am
> > not sure why that would have made a difference and I would prefer to
> > do this over SSL so I'm going to keep investigating but it is strange
> > that this fixed the problem.
> David, 2 reasons why it may not work.
> 1. Windows AD by default does not have SSL certs installed, so LDAPS is
> not usable unless you install certs.
We have installed certs on all our AD controllers, mostly so we could do password change
operations over LDAP.
> 2. Even when LDAPS is available, using GSSAPI auth usually implies
> GSSAPI also for privacy (encryption). Windows does not support double
> encrypting channels (i.e. GSSAPI within SSL), so it would return an error.
> If you want to use SSL for some reason (it is not necessary; LDAP+GSSAPI
> is encrypted) then you need to tell SASL to turn off GSSAPI encryption.
I was unaware/confused about the privacy aspect of GSSAPI auth. Both your answer and
Stephen's have been very enlightening! Thanks again. And thank you for your work on
> Simo Sorce * Red Hat, Inc * New York
sssd-users mailing list
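Simo's second point (a GSSAPI bind should end up with one confidentiality layer, not two and not zero) as an added worked example. This is not code from the thread or from the SSSD project; it assumes OpenLDAP's client tooling, namely ldapsearch's -O option and the ldap.conf SASL_SECPROPS directive, whose minssf/maxssf keys bound the SASL security strength factor (SSF) the GSSAPI layer may negotiate. Host names are constructed placeholders.

```python
"""GSSAPI bind over LDAPS: make sure the channel is encrypted exactly once.

Added example for the sssd-users thread above; not code from SSSD or from
the posters.  Assumes OpenLDAP client tools (ldapsearch -O, ldap.conf
SASL_SECPROPS).  Host names are constructed placeholders.
"""
from urllib.parse import urlsplit

# SASL expresses the GSSAPI integrity/confidentiality layer as a "security
# strength factor".  maxssf=0 forbids any SASL layer (authentication only),
# which is the "turn off GSSAPI encryption" from the thread; minssf=56
# refuses a bind that negotiated no layer.  56 is a conventional floor
# (assumption); GSSAPI with AES session keys negotiates well above it.
NO_SASL_LAYER = {"maxssf": 0}
SASL_LAYER_REQUIRED = {"minssf": 56}

# Outcomes of classify_channel()
OK = "ok"
DOUBLE_ENCRYPTION = "double-encryption"      # TLS plus a SASL layer: AD refuses the bind
PLAINTEXT_POSSIBLE = "plaintext-possible"    # no TLS and nothing forces a SASL layer


def transport_is_encrypted(uri, starttls=False):
    """True when TLS protects the transport (ldaps://, or ldap:// with STARTTLS)."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "ldaps":
        return True
    if scheme == "ldap":
        return starttls
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)


def sasl_secprops(uri, mech="GSSAPI", starttls=False):
    """Choose SASL security properties so that exactly one layer encrypts."""
    if mech.upper() != "GSSAPI":
        return {}  # no GSSAPI layer to manage; TLS must carry confidentiality
    if transport_is_encrypted(uri, starttls):
        return dict(NO_SASL_LAYER)       # TLS already encrypts: authenticate only
    return dict(SASL_LAYER_REQUIRED)     # plain transport: insist on the GSSAPI layer


def classify_channel(uri, secprops, mech="GSSAPI", starttls=False):
    """Audit a hand-written (URI, SASL properties) pair for both failure modes."""
    tls = transport_is_encrypted(uri, starttls)
    # Only GSSAPI is reasoned about here; other mechanisms are assumed to
    # bring no confidentiality layer of their own.
    layer_allowed = mech.upper() == "GSSAPI" and secprops.get("maxssf") != 0
    layer_required = layer_allowed and secprops.get("minssf", 0) > 0
    if tls and layer_allowed:
        return DOUBLE_ENCRYPTION
    if not tls and not layer_required:
        return PLAINTEXT_POSSIBLE
    return OK


def _render_secprops(secprops):
    return ",".join("%s=%s" % (k, v) for k, v in sorted(secprops.items()))


def ldapsearch_args(uri, secprops, mech="GSSAPI"):
    """argv for an ldapsearch(1) SASL bind carrying these security properties."""
    args = ["ldapsearch", "-H", uri, "-Y", mech]
    if secprops:
        args += ["-O", _render_secprops(secprops)]
    return args


def ldap_conf_lines(uri, secprops, mech="GSSAPI"):
    """Equivalent ldap.conf(5) directives."""
    lines = ["URI " + uri, "SASL_MECH " + mech]
    if secprops:
        lines.append("SASL_SECPROPS " + _render_secprops(secprops))
    return lines


if __name__ == "__main__":
    # Constructed scenarios: LDAPS, plain LDAP, and LDAP with STARTTLS.
    for uri, starttls in (("ldaps://dc1.example.com", False),
                          ("ldap://dc1.example.com", False),
                          ("ldap://dc1.example.com", True)):
        props = sasl_secprops(uri, starttls=starttls)
        print(" ".join(ldapsearch_args(uri, props)),
              "->", classify_channel(uri, props, starttls=starttls))
        print("   " + " | ".join(ldap_conf_lines(uri, props)))
    # The combination David hit: LDAPS with the default GSSAPI layer left on.
    print("ldaps + default secprops ->",
          classify_channel("ldaps://dc1.example.com", {}))
```

The rule the block encodes: over ldaps:// (or STARTTLS) bind with maxssf=0 so GSSAPI only authenticates and TLS carries confidentiality; over plain ldap:// keep the GSSAPI layer and pin minssf so a bind that negotiated no layer is refused rather than silently running in the clear. SSSD exposes the same knob as ldap_sasl_minssf (and, on releases that have it, ldap_sasl_maxssf) in sssd-ldap(5); confirm the option names against the man page for the version you run.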