On Wed, 2012-07-18 at 16:37 -0400, David Warden wrote:
While my 40kb+ post with log messages waits for admin approval, it is
with great shame (and some joy) that I report that I was able to
resolve my issue by changing to not connect to AD over LDAP+SSL (port
636) and instead connect to normal unencrypted LDAP on port 389. I am
not sure why that would have made a difference and I would prefer to
do this over SSL so I'm going to keep investigating but it is strange
that this fixed the problem.

David, two reasons why it may not work.
1. Windows AD by default does not have SSL certs installed, so LDAPS is
not usable unless you install certs.
2. Even when LDAPS is available, using GSSAPI auth usually implies using
GSSAPI also for privacy (encryption). Windows does not support double
encrypting channels (i.e. GSSAPI within SSL), so it would return an error.
If you want to use SSL for some reason (it is not necessary, LDAP+GSSAPI
is encrypted) then you need to tell SASL to turn off GSSAPI encryption.
Simo Sorce * Red Hat, Inc * New York
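The two client setups the reply describes, written out as an OpenLDAP client ldap.conf(5) fragment. This is an added example, not configuration from the thread or from any project; the host name dc1.example.com and the CA file path are hypothetical placeholders.

```conf
# Client-side /etc/openldap/ldap.conf for a GSSAPI bind to Active Directory.
# Added example; dc1.example.com and the CA path are placeholders.

# Option A: plain LDAP on 389, encryption provided by the GSSAPI security
# layer (the setup David ended up with). minssf makes the SASL library
# refuse to bind unless a privacy layer of at least that strength is
# negotiated, so a misconfigured server cannot silently downgrade to
# cleartext.
URI            ldap://dc1.example.com
SASL_MECH      GSSAPI
SASL_SECPROPS  minssf=56

# Option B: LDAPS on 636. As noted in the reply, AD rejects a GSSAPI
# privacy layer inside the TLS channel, so cap the SASL security layer at
# 0 (maxssf=0) and let TLS carry the encryption. The DC certificate must
# chain to a CA the client trusts.
# URI            ldaps://dc1.example.com
# SASL_MECH      GSSAPI
# SASL_SECPROPS  maxssf=0
# TLS_CACERT     /etc/openldap/certs/ad-ca.pem
# TLS_REQCERT    demand
```

The same properties can be passed per invocation to the OpenLDAP command-line tools with `-O`, for example `ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://dc1.example.com`, which is a quick way to confirm which of the two failure causes applies before changing the permanent configuration.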