Posted to dev@directory.apache.org by "Aaron S Dills (Jira)" <ji...@apache.org> on 2021/09/02 13:53:00 UTC

[jira] [Commented] (DIRSERVER-2352) LdapNetworkConnection fails bind(SaslGssApiRequest)

    [ https://issues.apache.org/jira/browse/DIRSERVER-2352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408847#comment-17408847 ] 

Aaron S Dills commented on DIRSERVER-2352:
------------------------------------------

Error snippet: 

2021-09-02 09:49:58,857 ERROR  Unable to connect to [LDAP_SERVER]:389 
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090346: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 80090346, v4563^@
 at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2028) ~[api-all-1.0.2.jar:1.0.2]

> LdapNetworkConnection fails bind(SaslGssApiRequest) 
> ----------------------------------------------------
>
>                 Key: DIRSERVER-2352
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2352
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: kerberos, ldap
>    Affects Versions: 1.0.2
>         Environment: Fedora 33 5.12.12-200, AdoptOpenJDK 11.0.12.0.7 , Tomcat 9.0.45 
>            Reporter: Aaron S Dills
>            Priority: Critical
>
> Microsoft introduced a new requirement on AD domain controllers found here:
> [https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a]
>  
> This has broken binding SaslGssApiRequest with an LdapNetworkConnection that has startTls. On our DC, if I toggle the registry entry "LdapEnforceChannelBinding", the bind(SaslGssApiRequest) works again.
> There is a new JNDI environment property that can be set to use channel binding: 
> [https://bugs.openjdk.java.net/browse/JDK-8245527] 
> We need to be able to set this.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
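
The following is an added example, not code from the issue or from the Apache Directory project. It uses plain JDK JNDI rather than LdapNetworkConnection to show the environment property introduced by JDK-8245527 (`com.sun.jndi.ldap.tls.cbtype`) on a GSSAPI bind over TLS, and how the `data 80090346` status (SEC_E_BAD_BINDINGS) from the error snippet can be recognised. Assumptions: the host name is a placeholder, the JDK includes JDK-8245527, the connection uses ldaps rather than StartTLS, the DC certificate is trusted by the JVM, and Kerberos credentials are already available to JGSS.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class GssapiChannelBindingBind {
    // Placeholder URL (assumption): use the DC's FQDN so it matches the Kerberos SPN.
    static final String LDAPS_URL = "ldaps://dc.example.test:636";

    // SSPI status AD puts in the bind error when the client's channel
    // bindings are missing or wrong (SEC_E_BAD_BINDINGS), as in the log above.
    static final String BAD_BINDINGS = "80090346";

    static Hashtable<String, Object> env(boolean channelBinding) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        if (channelBinding) {
            // Property added by JDK-8245527; binds the SASL/GSSAPI exchange
            // to the server certificate of the TLS session.
            env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
        }
        return env;
    }

    // True when the server rejected the bind because of channel bindings.
    static boolean isChannelBindingFailure(NamingException e) {
        return e instanceof AuthenticationException
                && e.getMessage() != null
                && e.getMessage().contains("data " + BAD_BINDINGS);
    }

    public static void main(String[] args) {
        // Try the bind without and then with channel binding and report each result.
        for (boolean cb : new boolean[] {false, true}) {
            DirContext ctx = null;
            try {
                ctx = new InitialDirContext(env(cb));
                System.out.println("channel binding " + cb + ": bind OK");
            } catch (NamingException e) {
                System.out.println("channel binding " + cb + ": "
                        + (isChannelBindingFailure(e) ? "rejected, bad or missing channel bindings" : e));
            } finally {
                if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```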