ldapsearch - Strong(er) authentication required - Transport encryption required


Are you sure TLS is even configured in your Active Directory deployment? It is not by default.

Anyhow, using LDAPS (default port 636):

ldapsearch -H ldaps://10.128.1.254

Using LDAP and enforcing the StartTLS extended operation to succeed (default port 389):

ldapsearch -H ldap://10.128.1.254 -ZZ

Note that OpenLDAP's client utils perform a strict TLS hostname check. Therefore the server certificate must contain the DNS name or IP address used with -H in the cert's subjectAltName or CN attribute.

If you want to use SASL with GSSAPI/Kerberos you have to obtain a Kerberos ticket-granting ticket beforehand with kinit.
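The answer above boils down to a procedure: find out whether the domain controller offers TLS at all, then pick LDAPS, StartTLS or a SASL bind accordingly. The script below is an added example (not code from the original answer or from the OpenLDAP/Samba projects) that runs those checks in order and maps the exact ldapsearch error texts quoted in this thread to a next step. The host name dc01.company.local, the CA file /etc/ssl/certs/company-ca.pem, the bind account myuser and the realm COMPANY.LOCAL are assumptions for illustration; override them through the environment.

```shell
#!/bin/sh
# Added example for this answer; not code from the original page.
# Purpose: check whether an AD/Samba domain controller actually offers TLS
# (LDAPS on 636, StartTLS on 389) before blaming ldapsearch, and turn the
# error texts quoted in the thread into a concrete next step.
#
# Assumed values (not from the page): the DC is dc01.company.local, its CA
# certificate is /etc/ssl/certs/company-ca.pem, the bind account is myuser,
# and the Kerberos realm is COMPANY.LOCAL.  Override them via environment.
DC_HOST="${DC_HOST:-dc01.company.local}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/company-ca.pem}"
BASE_DN="${BASE_DN:-cn=Users,dc=company,dc=local}"
BIND_DN="${BIND_DN:-cn=myuser,cn=Users,dc=company,dc=local}"
KRB_PRINCIPAL="${KRB_PRINCIPAL:-myuser@COMPANY.LOCAL}"

# Translate ldapsearch stderr into "<code>: <hint>".  Pure string matching,
# so it also works offline on captured output.
diagnose_ldap_error() {
    case "$1" in
        *"Transport encryption required"*|*"Strong(er) authentication required"*)
            # Samba AD refuses a cleartext simple bind when
            # "ldap server require strong auth = yes" (the default).
            echo "simple-bind-rejected: plaintext simple bind refused; use ldaps://, -ZZ, or SASL (-Y GSSAPI)" ;;
        *"TLS connection was non-properly terminated"*|*"ldap_start_tls: Connect error"*)
            # The DC closed the socket instead of finishing the handshake:
            # typically no certificate/key configured on the server side.
            echo "starttls-unsupported: DC dropped the TLS handshake; TLS is probably not configured on the server" ;;
        *"No Kerberos credentials available"*)
            echo "no-tgt: run kinit <user>@<REALM>, then retry -Y GSSAPI against the DC's FQDN" ;;
        *"NT_STATUS_OBJECT_NAME_NOT_FOUND"*)
            # SASL binds ignore -D; the account name comes from -U
            # (typically the sAMAccountName, not a DN).
            echo "ntlm-user-not-found: pass the account with -U <sAMAccountName>; -D is ignored by SASL binds" ;;
        *"Invalid credentials (49)"*)
            echo "bad-credentials: bind DN or password rejected" ;;
        *"certificate verify failed"*|*"does not match"*)
            # OpenLDAP verifies the chain and the name given in -H.
            echo "tls-verify: untrusted cert or name mismatch; set LDAPTLS_CACERT and use the name in the cert" ;;
        *)
            echo "unknown: $(printf '%s\n' "$1" | head -n 1)" ;;
    esac
}

# Raw TLS probe of port 636.  A DC without TLS closes the connection with no
# ServerHello, the same symptom ldapsearch reports as "non-properly terminated".
probe_ldaps() {
    printf 'Q\n' | openssl s_client -connect "$DC_HOST:636" -servername "$DC_HOST" \
        -CAfile "$CA_FILE" -verify_return_error -brief 2>&1
}

# Same check for the StartTLS extended operation on 389
# (openssl s_client -starttls ldap needs OpenSSL 1.1.1 or newer).
probe_starttls() {
    printf 'Q\n' | openssl s_client -connect "$DC_HOST:389" -starttls ldap \
        -servername "$DC_HOST" -CAfile "$CA_FILE" -verify_return_error -brief 2>&1
}

# Simple bind over LDAPS.  LDAPTLS_CACERT overrides TLS_CACERT from ldap.conf;
# -W prompts for the password instead of leaving it in the shell history (-w).
search_ldaps() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -H "ldaps://$DC_HOST" \
        -D "$BIND_DN" -W -b "$BASE_DN" -s base '(objectClass=*)' dn 2>&1
}

# Simple bind over LDAP with mandatory StartTLS (-ZZ fails if it is refused).
search_starttls() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -H "ldap://$DC_HOST" -ZZ \
        -D "$BIND_DN" -W -b "$BASE_DN" -s base '(objectClass=*)' dn 2>&1
}

# SASL/GSSAPI: get a TGT first, then bind using the DC's FQDN (the service
# principal is ldap/<fqdn>, so use the name, not an IP address, in -H).
# GSSAPI negotiates its own integrity/confidentiality layer, so no -ZZ here.
search_gssapi() {
    kinit "$KRB_PRINCIPAL" &&
    ldapsearch -H "ldap://$DC_HOST" -Y GSSAPI -b "$BASE_DN" -s base '(objectClass=*)' dn 2>&1
}

# Only touch the network when invoked as:  sh ldap-tls-probe.sh run
if [ "${1:-}" = "run" ]; then
    for step in probe_ldaps probe_starttls search_ldaps search_starttls search_gssapi; do
        echo "== $step"
        out=$("$step") || true
        printf '%s\n' "$out"
        diagnose_ldap_error "$out"
    done
fi
```

Run it with the single argument `run` to execute the probes against the DC; without an argument it only defines the functions, so the diagnosis helper can be sourced and fed captured output. In the situation described in this thread, the two openssl probes would fail before any certificate is seen and the `-ZZ` attempt would be classified as `starttls-unsupported`, which is the case for a DC that has no certificate and key configured.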


Author: BrainStone

Updated on September 18, 2022

Comments

  • BrainStone
    BrainStone over 1 year

    I'm trying to search my company's AD with ldapsearch. However I always get the error:

    ldap_bind: Strong(er) authentication required (8)
            additional info: BindSimple: Transport encryption required.
    

    I tried to use LDAPS in every combination possible, but I can't seem to be able to connect to the server in any other way than just LDAP on the default port.
    Weirdly enough I have no issues whatsoever using Active Directory Explorer.

    I was thinking that it could be that the firewall isn't configured correctly and blocking the LDAPS (636) Port, but that wouldn't explain Active Directory Explorer working...

    Also GitLab seems to be able to connect to it just fine too. Except that it won't authenticate. But that's what I'm trying to debug with ldapsearch too.

    That's the command I'm using:

    ldapsearch -D "cn=myuser,cn=Users,dc=company,dc=local" -w "<password>" \
        -p 389 -h 10.128.1.254 \
        -b "cn=Users,dc=company,dc=local"
    

    The server is correct, so is the bind_dn (according to Active Directory Explorer) and the corresponding password. I tried using upper and lowercase for the stuff like cn, I tried all possible configurations of using LDAPS (like -H ldaps://10.128.1.254, -H ldaps://10.128.1.254:389, -H ldaps://10.128.1.254:636) and the flag -x, so I'm really running out of ideas.

    If it's relevant, the AD server is the Active Directory Server on Synology/DSM, which is a linux SAMBA server under the hood.

    Any help is greatly appreciated.


    UPDATE:

    Looks like adding -Y NTLM gets me further.

    Now I get:

    SASL/NTLM authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
            additional info: SASL:[NTLM]: NT_STATUS_OBJECT_NAME_NOT_FOUND
    

    which is weird, as I know the password is correct.


    UPDATE 2:

    Now using -Y GSSAPI creates this rather uninformative error:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
            additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))
    

    UPDATE 3:

    The parameter -ZZ (-Z too) ends with this error:

    ldap_start_tls: Connect error (-11)
            additional info: The TLS connection was non-properly terminated.
    
  • BrainStone
    BrainStone over 5 years
    I'm certainly not using LDAPS. I've also tried it with the -H parameter as you showed it in your second example. That leads me to the same error messages as before.
  • Michael Ströder
    Michael Ströder over 5 years
    You mentioned port 636 which is the default port for LDAPS. Anyhow, did you try to use StartTLS ext.op. instead like described in my 2nd example?
  • BrainStone
    BrainStone over 5 years
    My apologies. On mobile the last parameter was cut off. I will try that.
  • BrainStone
    BrainStone over 5 years
    Sorry for the late response. I was not at work and unable to test it. Adding the -ZZ parameter yields: "The TLS connection was non-properly terminated." I've added the full error as Edit 3 in the original post.
  • Michael Ströder
    Michael Ströder over 5 years
    I repeat the first sentence of my answer: Are you sure TLS is even configured in your Active Directory deployment? It is not by default.
  • BrainStone
    BrainStone over 5 years
    I honestly don't know. The interface on the Synology provides exactly 0 configuration. And about just as much information.
  • Michael Ströder
    Michael Ströder over 5 years
    So I'd assume that using TLS is not supported because you would at least need a config option to add CA root certificate and TLS server certificate/key.