LDAP, SASL GSSAPI, and group membership, rebind fails

[Arran Cudbard-Bell]

> On 29 Sep 2016, at 23:13, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Sep 29, 2016, at 3:50 PM, Tom Carroll <Thomas.Carroll at pnnl.gov> wrote:
>> 
>> Alan -
>> 
>>> On 09/29/2016 12:39 PM, Alan DeKok wrote:
>>> Fix your LDAP server so that FreeRADIUS is allowed to search it.  Typically this is done by making a read-only admin account in LDAP, and using that with FreeRADIUS.
>> 
>> That doesn't explain it. Why does the server successfully bind and search for to find user DN, than fails to bind when searching for group DNs? See below.
> 
>  Ask your LDAP server. FreeRADIUS doesn't produce this message. Your LDAP server produces it. 

Or all the SASL/GSSAPI junk in between. Looks like the real complaint is that it's binding anonymously during a group check.

> Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Bind with (anonymous) to ldap://ad1.example.org:389failed: Strong(er) authentication required
> Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Server said: SASL:[GSSAPI]: Sign or Seal are required..

That's probably the text representation of a libldap error, and it's complaining because it thinks an anonymous bind was attempted, even though during the SASL conversation an identity was provided...

Can the OP open an issue on GitHub, with their LDAP config, and we'll try and figure out where the issue lies.

If it's possible to do a packet capture without StartTLS or SSL that'd also be useful to include.

Guessing the LDAP server in this case is AD, so even if it is a user configuration issue, it'd be good to figure out precisely what the issue is so we can include it in the documentation.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2