On Wed, 2012-07-18 at 16:37 -0400, David Warden wrote:
While my 40kb+ post with log messages waits for admin approval, it is with great shame (and some joy) that I report that I was able to resolve my issue by changing to not connect to AD over LDAP+SSL (port 636) and instead connect to normal unencrypted LDAP on port 389. I am not sure why that would have made a difference and I would prefer to do this over SSL so I'm going to keep investigating but it is strange that this fixed the problem.
David, two reasons why it may not work:
1. Windows AD by default does not have SSL certs installed, so LDAPS is not usable unless you install certs.
2. Even when LDAPS is available, using GSSAPI auth usually implies using GSSAPI also for privacy (encryption). Windows does not support double encrypting channels (i.e. GSSAPI within SSL), so it would return an error.
If you want to use SSL for some reason (it is not necessary; LDAP+GSSAPI is encrypted), then you need to tell SASL to turn off GSSAPI encryption.
Simo.
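To make the second point concrete, here is an added configuration example (not from the thread or from any project's documentation) that assumes the client is SSSD and uses its documented ldap_sasl_maxssf option; the hostnames and realm are placeholders.

```ini
# Constructed example: SSSD domain section, assumed to be the LDAP client in question.
#
# Combination that fails against Windows AD: the transport is already
# TLS (ldaps://), and SASL/GSSAPI negotiates its own privacy layer on
# top of it by default. AD refuses the doubly-encrypted channel.
[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://dc1.example.com:636
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
# (no ldap_sasl_maxssf set: GSSAPI confidentiality is negotiated)

# Working variant A (what the original poster did): plain LDAP on 389,
# letting GSSAPI provide integrity and confidentiality for the session.
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc1.example.com:389
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM

# Working variant B: keep LDAPS for the transport but cap the SASL
# security strength factor at 0 so GSSAPI is used only for
# authentication and does not wrap the already-encrypted channel.
[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://dc1.example.com:636
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_sasl_maxssf = 0
```

Only one [domain/example.com] section may be active at a time; the three are shown together only to contrast the settings. The equivalent for OpenLDAP command-line tools is the SASL security property maxssf=0 (ldap.conf SASL_SECPROPS, or -O on ldapsearch).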