On Wed, 2012-07-18 at 16:30 -0400, David Warden wrote:
> [root@wardentest3 sssd]# ldapsearch -H ldap://ad1.w2k.geneseo.edu -Y GSSAPI -N -b "dc=w2k,dc=geneseo,dc=edu" "(cn=mailuser)" dn
> SASL/GSSAPI authentication started
> SASL username: mailuser@W2K.GENESEO.EDU
> SASL SSF: 56
> SASL data security layer installed.
Ah ha! So here's the real issue. First, please note that you performed
this test against ldap:// NOT ldaps://. Also, this connection used "SASL
SSF: 56", which has the same effect as my other comment in this thread.
Presumably, your system defaults specify this value, or you have it set
in the /etc/openldap.conf. (Or possibly the AD server itself mandates
it. All are possible reasons for this happening).
So really what happened when you tried to connect to LDAPS with "SASL
SSF: 56" is that it tried to encrypt the communication with two
different encryption protocols simultaneously.
So in conclusion, this will work and be encrypted over port 389.
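As an added illustration of the point made above (this is not a message from the thread, nor configuration from the original poster), here is how the two non-conflicting combinations look in an OpenLDAP client configuration. Hostname, base DN and CA path are placeholders; the SASL_SECPROPS keyword and its minssf/maxssf values are documented in ldap.conf(5).

```conf
# /etc/openldap/ldap.conf (OpenLDAP client; sample values, not the thread's)
#
# Variant A: plain ldap:// on port 389. Confidentiality comes from the
# GSSAPI (Kerberos) security layer; the client negotiates an SSF such as
# 56 and OpenLDAP reports "SASL data security layer installed".
URI           ldap://ad.example.com
BASE          dc=example,dc=com
# Insist that the SASL layer actually encrypts rather than accepting a
# sign-only (integrity, SSF 1) negotiation.
SASL_SECPROPS minssf=56

# Variant B: ldaps:// on port 636. Confidentiality comes from TLS only.
# Disable the SASL security layer so the two encryption layers are not
# stacked on the same connection; the bind still authenticates with Kerberos.
#URI           ldaps://ad.example.com
#TLS_CACERT    /etc/pki/tls/certs/ad-ca.pem
#SASL_SECPROPS maxssf=0
```

The same properties can be supplied per invocation instead of in ldap.conf with ldapsearch's -O option, for example `-O maxssf=0` together with `-H ldaps://...`. Whichever variant is chosen, exactly one layer should be responsible for encryption, and the "SASL SSF:" line in the tool's output is the quick way to confirm which one is in effect.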