From: Dan White (no email)
Date: Sun May 02 2010 - 14:12:55 EDT
On 02/05/10 14:34 +0200, Michael Ströder wrote:
>Dan White wrote:
>> ldap_servers: ldap://192.168.2.1/
>> ldap_use_sasl: yes
>> ldap_mech: DIGEST-MD5
>> Assuming you can figure out how to do an LDAP sasl bind against Active
>> Directory, which I haven't been able to do with a non-GSSAPI sasl mech.
>It's definitely possible to do LDAP SASL bind with DIGEST-MD5 with MS AD. But
>my own tests showed that for some reason you have to
>1. use the host name instead of an IP address and
>2. make sure that there are correct PTR RRs in DNS for your MS AD DC.
Yes, that works for me. If I use our internal DNS server, which resides on
the Active Directory host, then I can bind and authenticate.
Using either the hostname or the IP in the ldap_servers line works for me,
probably because we have both A and PTR records configured.
-- Dan White
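The two conditions the thread reports for a working DIGEST-MD5 bind (hostname rather than IP in `ldap_servers`, and a PTR record that points back to that hostname) can be checked before touching saslauthd. The script below is an added example, not code from the thread or from Cyrus SASL; the `example.test` names and `192.0.2.x` addresses are constructed sample records, and the resolver functions are injectable so the check also runs against the system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_forward(name):
    """Forward lookup via the system resolver: hostname -> list of addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def system_reverse(addr):
    """Reverse lookup via the system resolver: address -> PTR hostname."""
    return socket.gethostbyaddr(addr)[0]


def check_ldap_server(uri, forward=system_forward, reverse=system_reverse):
    """Return findings for one ldap_servers URI; an empty list means it passes.

    Findings: host is an IP literal, forward lookup fails, an address has no
    PTR, or the PTR names a different host than the one in the URI.
    """
    host = urlsplit(uri).hostname
    if host is None:
        return ["URI has no host component: %s" % uri]
    try:
        ipaddress.ip_address(host)
        return ["host is an IP literal (%s); use the DC's hostname" % host]
    except ValueError:
        pass  # not an IP literal, proceed with DNS checks
    try:
        addrs = forward(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return ["forward lookup failed for %s: %s" % (host, exc)]
    findings = []
    for addr in addrs:
        try:
            ptr = reverse(addr)
        except OSError:  # socket.herror is an OSError subclass
            findings.append("no PTR record for %s (%s)" % (addr, host))
            continue
        if ptr.rstrip(".").lower() != host.rstrip(".").lower():
            findings.append("PTR for %s is %s, expected %s" % (addr, ptr, host))
    return findings


# Constructed sample zone (hypothetical, not real infrastructure): dc1 has
# matching A and PTR records, dc2 has a stale PTR left over from a rename.
SAMPLE_A = {"dc1.example.test": ["192.0.2.10"], "dc2.example.test": ["192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": "dc1.example.test", "192.0.2.11": "oldname.example.test"}


def sample_forward(name):
    if name.lower() not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[name.lower()]


def sample_reverse(addr):
    if addr not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[addr]
```

Run `check_ldap_server("ldap://dc1.example.test/")` with the default resolvers against your own DC to see what saslauthd will be working with.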