I wonder if Microsoft changed the behaviour since early this year? I've seen mailing list posts stating that a simple ldapsearch with gssapi would succeed, even with the server enforcing rules on signing enabled, but still log the 2889 event. But I don't see that now.
This works and does not produce the 2889 event on the server:
$ ldapsearch -H ldap://server1.ad1.example.com -Y GSSAPI -b '' -s base > /dev/null
SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 56
SASL data security layer installed.
If I set maxssf to 0, then it fails and *does* produce the 2889 event on the server:
$ ldapsearch -O maxssf=0 -H ldap://server1.ad1.example.com -Y GSSAPI -b '' -s base > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C090266, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563
Event:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.51.0.1:49036
Identity the client attempted to authenticate as:
AD1\john
Binding Type:
0
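The 2889 event text quoted above is what a defender has to work through before turning on signing enforcement: each event names one client that still binds without integrity protection. The parser and per-client tally below are an added example, not code from this post, from OpenLDAP or from Microsoft; the second and third sample events are constructed, and the meaning given to the Binding Type values is an assumption.

```python
from collections import Counter

# Constructed sample event bodies in the layout of event 2889 quoted above.
# EVENT_JOHN is the event from the post; the others are made up for the tally.
EVENT_JOHN = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind "
    "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
    "Client IP address:\n10.51.0.1:49036\n"
    "Identity the client attempted to authenticate as:\nAD1\\john\n"
    "Binding Type:\n0"
)
EVENT_SVC = EVENT_JOHN.replace("10.51.0.1:49036", "10.51.0.7:51120") \
                      .replace("AD1\\john", "AD1\\svc-backup").replace("Type:\n0", "Type:\n1")
SAMPLE_EVENTS = [EVENT_JOHN, EVENT_SVC, EVENT_JOHN.replace("49036", "49102")]

# Assumed meaning of the Binding Type field (the post does not say; derived from
# the two cases named in the event text).
BINDING_TYPE_DESC = {0: "SASL bind without signing", 1: "simple bind over cleartext"}

# Each label line is followed by a line carrying the value.
LABELS = {
    "Client IP address:": "endpoint",
    "Identity the client attempted to authenticate as:": "identity",
    "Binding Type:": "binding_type",
}

def parse_event_2889(text):
    """Return the structured fields of one 2889 event body."""
    lines = [line.strip() for line in text.splitlines()]
    fields = {}
    for i, line in enumerate(lines[:-1]):
        key = LABELS.get(line)
        if key:
            fields[key] = lines[i + 1]
    missing = set(LABELS.values()) - fields.keys()
    if missing:
        raise ValueError(f"2889 event is missing fields: {sorted(missing)}")
    # rpartition keeps an IPv6 literal intact; only the trailing port is split off.
    ip, _, port = fields["endpoint"].rpartition(":")
    btype = int(fields["binding_type"])
    return {"client_ip": ip, "client_port": int(port), "identity": fields["identity"],
            "binding_type": btype, "binding_desc": BINDING_TYPE_DESC.get(btype, "unknown")}

def summarize_unsigned_binds(events):
    """Count events per (client IP, identity): the list to clear before enforcing signing."""
    tally = Counter()
    for body in events:
        rec = parse_event_2889(body)
        tally[(rec["client_ip"], rec["identity"])] += 1
    return tally
```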