ldapsearch -H <URL> -b <BASE> -s sub -D <USER> -x -w <PW>

works fine

kinit <USER>@<REALM>
ldapsearch -H <URL> -b <BASE> -s sub

fails with:

text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

kinit Administrator@<REALM>
ldapsearch -H <URL> -b <BASE> -s sub

works fine also

The usual googling hasn't revealed anything of interest. (There are the usual comments regarding time skew and using a userPrincipalName vs component name for -D, but that should be taken care of when using kinit.)

Any ideas?

dawud

2 Answers


I've found that specifying "-O maxssf=0" on the ldapsearch command line is necessary in order for GSSAPI AD searches to work properly. The following command works for me to search the AD global catalog via an SSL connection:

ldapsearch -LLL -O maxssf=0 -Y GSSAPI -H ldaps://ad.realm.local:3269 -b "dc=realm,dc=local" '(sAMAccountName=userid)'

Also, in order for Kerberos authentication to work with ldapsearch, DNS must be properly configured for reverse IP lookups. If not, you'll get a "cannot determine realm for numeric host address" error. If necessary, you can put the IP and hostname of your AD server in your hosts file to get it working.

Brian Showalter
  • Administrator working tells me that Kerberos and DNS is configured correctly. – No One in Particular Sep 18 '13 at 13:11
  • OK, what platform are you running ldapsearch on? And what's in your /etc/ldap/ldap.conf file (or its equivalent)? – Brian Showalter Sep 18 '13 at 20:56
  • @BrianShowalter `-O maxssf=0` does not work these days because SASL would violate 4752 which Microsoft does. See [this](https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819) bug and my explanation to it. Additionally, forget about reverse DNS, Active Directory does not care about reverse DNS as well as Microsoft's Kerberos implementation. Everyone is advised to use `rdns = false` in his `krb5.conf`. – Michael-O May 03 '16 at 07:51
  • Still using CentOS 7 and AD through sssd. Applying the `-O maxssf=0` enabled my ldaps to regular port 636 connection to proceed! – bgStack15 Oct 16 '18 at 15:42

From the ldapsearch(1) manpage:

-Y mech
Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.

For example:

ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=user

Assuming your /etc/gssapi_mech.conf looks something like:

# grep -v ^# /etc/gssapi_mech.conf
libgssapi_krb5.so.2             mechglue_internal_krb5_init
dawud
  • Why would the Administrator search work, but not the user search? They are both coming from the same box. It seems to me that the underlying GSSAPI mechanism would be the same in both cases. – No One in Particular Sep 17 '13 at 13:40
  • I don't know the restrictions that might be in place with regards to querying the AD, you might want to contact the system administrator to find out. – dawud Sep 17 '13 at 13:56
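An added example, not part of this thread or of OpenLDAP: POSIX sh helpers that assemble the GSSAPI search the two answers describe (`-Y GSSAPI`, optionally the `-O maxssf=0` workaround from the first answer) and decode the Active Directory diagnostic line quoted in the question into its code, DSID, comment and data fields. It assumes OpenLDAP's ldapsearch and MIT Kerberos' klist are on PATH; the host name, base DN, the `AD_MAXSSF0` variable and the function names are my own placeholders, and the sample error line is constructed from the one in the question.

```shell
#!/bin/sh
# Added example, not from the original thread. POSIX sh helpers that assemble
# the GSSAPI ldapsearch from the answers and decode the Active Directory
# diagnostic line from the question. Assumes OpenLDAP ldapsearch and MIT
# Kerberos klist on PATH. Host names, base DNs and the AD_MAXSSF0 variable
# are placeholders of my own.

# Constructed sample: the diagnostic line quoted in the question.
SAMPLE_ERR='text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1'

# Leading 8-hex-digit Windows error code (the "000004DC" part).
ad_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*\([0-9A-Fa-f]\{8\}\): LdapErr:.*/\1/p' | head -n 1
}

# DSID: an internal location in the DC's code, worth quoting in a support case.
ad_error_dsid() {
    printf '%s\n' "$1" | sed -n 's/.*DSID-\([0-9A-Fa-f]*\),.*/\1/p' | head -n 1
}

# Free-text comment between "comment:" and ", data".
ad_error_comment() {
    printf '%s\n' "$1" | sed -n 's/.*comment: \(.*\), data .*/\1/p' | head -n 1
}

# Sub-status after "data" (hex digits without 0x; "0" when there is none).
ad_error_data() {
    printf '%s\n' "$1" | sed -n 's/.*, data \([0-9A-Fa-f]*\),.*/\1/p' | head -n 1
}

# Hex code as decimal, the form winerror.h tables usually list.
ad_error_decimal() {
    printf '%d\n' "$((0x$1))"
}

# Explanation for the code this thread is about; anything else is reported raw.
ad_error_hint() {
    case "$1" in
        000004[Dd][Cc])
            echo "ERROR_NOT_AUTHENTICATED (1244): the DC saw no completed bind on this connection; check that ldapsearch actually negotiated SASL GSSAPI (-Y GSSAPI with a ticket from kinit) or use a simple bind (-x -D <USER> -w <PW>)" ;;
        *)
            echo "code $1 (decimal $(ad_error_decimal "$1")) is not in this table; look it up in winerror.h" ;;
    esac
}

# Preview the command line; AD_MAXSSF0=1 adds the "-O maxssf=0" workaround
# from the first answer (the comments note it is not always needed).
ad_search_cmd() {
    cmd="ldapsearch -LLL -Y GSSAPI -H $1 -b \"$2\" -s sub"
    [ "${AD_MAXSSF0:-0}" = 1 ] && cmd="$cmd -O maxssf=0"
    printf '%s "%s"\n' "$cmd" "${3:-(objectClass=*)}"
}

# klist -s exits non-zero, silently, when the cache holds no valid ticket.
have_krb_ticket() {
    klist -s 2>/dev/null
}

# Run the search; on failure, echo AD's diagnostic line with a decoded hint.
run_ad_search() {
    have_krb_ticket || { echo "no valid Kerberos ticket; run kinit <USER>@<REALM> first" >&2; return 2; }
    url=$1; base=$2; filter=${3:-'(objectClass=*)'}
    set -- -LLL -Y GSSAPI -H "$url" -b "$base" -s sub
    [ "${AD_MAXSSF0:-0}" = 1 ] && set -- "$@" -O maxssf=0
    errf=$(mktemp) || return 2
    if ldapsearch "$@" "$filter" 2>"$errf"; then
        rm -f "$errf"; return 0
    fi
    err=$(cat "$errf"); rm -f "$errf"
    printf '%s\n' "$err" >&2
    code=$(ad_error_code "$err")
    [ -n "$code" ] && printf 'hint: %s\n' "$(ad_error_hint "$code")" >&2
    return 1
}

# Demo on the constructed sample: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    code=$(ad_error_code "$SAMPLE_ERR")
    printf 'code=%s (%s) dsid=%s data=%s\n' "$code" "$(ad_error_decimal "$code")" \
        "$(ad_error_dsid "$SAMPLE_ERR")" "$(ad_error_data "$SAMPLE_ERR")"
    printf 'comment: %s\n' "$(ad_error_comment "$SAMPLE_ERR")"
    ad_error_hint "$code"
    ad_search_cmd ldaps://dc.example.test "dc=example,dc=test" '(sAMAccountName=jdoe)'
fi
```

Usage: after `kinit <USER>@<REALM>`, call `run_ad_search ldaps://dc.example.test "dc=example,dc=test" '(sAMAccountName=jdoe)'`; set `AD_MAXSSF0=1` first if your SASL build needs the workaround from the first answer. If the failure is instead the "cannot determine realm for numeric host address" error mentioned there, the alternative to fixing reverse DNS is the `rdns = false` setting in the `[libdefaults]` section of krb5.conf that Michael-O's comment recommends.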