On Wed, 2012-07-18 at 16:30 -0400, David Warden wrote:
> [root@wardentest3 sssd]# ldapsearch -H ldap://ad1.w2k.geneseo.edu -Y GSSAPI -N -b "dc=w2k,dc=geneseo,dc=edu" "(cn=mailuser)" dn
> SASL/GSSAPI authentication started
> SASL username: mailuser@W2K.GENESEO.EDU
> SASL SSF: 56
> SASL data security layer installed.
Ah ha! So here's the real issue. First, please note that you performed this test against ldap:// NOT ldaps://. Also, this connection used "SASL SSF: 56", which has the same effect as my other comment in this thread. Presumably, your system defaults specify this value, or you have it set in the /etc/openldap.conf. (Or possibly the AD server itself mandates it; all are possible reasons for this happening.)
So really what happened when you tried to connect to LDAPS with "SASL SSF: 56" is that it tried to encrypt the communication with two different encryption protocols simultaneously.
So in conclusion, this will work and be encrypted over port 389.
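An added check, not part of the thread, that reads the "SASL SSF: N" diagnostic ldapsearch prints so you can confirm a GSSAPI bind over plain ldap:// really installed the security layer described above (SSF 0 would mean cleartext). It assumes ldapsearch is in PATH with a Kerberos ticket held; the sample diagnostics are constructed from the quoted output.

```shell
# sasl_ssf OUTPUT -> prints the SSF ldapsearch reported, or 0 if no
# "SASL SSF:" line is present (no SASL layer at all)
sasl_ssf() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
    printf '%s\n' "${ssf:-0}"
}

# session_encrypted OUTPUT MINSSF -> exit 0 when the SASL layer meets MINSSF
# (default 56, the value seen in the thread), 1 when weaker or absent
session_encrypted() {
    [ "$(sasl_ssf "$1")" -ge "${2:-56}" ]
}

# check_ldap_bind URI BASE FILTER -> runs the real ldapsearch exactly as in
# the thread; SASL diagnostics go to stderr, so capture that and drop the
# entries themselves. For ldaps:// a SASL layer on top of TLS is redundant,
# and the client can ask for none with ldapsearch's -O maxssf=0 (assumed
# standard option, not used here because it does not apply to ldap://).
check_ldap_bind() {
    out=$(ldapsearch -H "$1" -Y GSSAPI -N -b "$2" "$3" dn 2>&1 >/dev/null)
    session_encrypted "$out" 56
}

# Constructed samples for offline testing (modelled on the quoted output)
SAMPLE_OK='SASL/GSSAPI authentication started
SASL username: mailuser@W2K.GENESEO.EDU
SASL SSF: 56
SASL data security layer installed.'

SAMPLE_PLAIN='SASL/GSSAPI authentication started
SASL username: mailuser@W2K.GENESEO.EDU
SASL SSF: 0'
```

Run `check_ldap_bind ldap://ad1.w2k.geneseo.edu "dc=w2k,dc=geneseo,dc=edu" "(cn=mailuser)"` against the live server to get a pass/fail exit status for the port-389 case.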