Bad news for us, good news for security standards. It seems that the OpenLDAP project is starting to work towards eliminating most simple bind functionality. There are a few posts here and there about it. As part of this, versions 2.1.23 and greater of OpenLDAP do not support the simple bind {KERBEROS} functionality that we are currently using. We are currently running version 2.1.21 in production.
Some options for working around this problem include:
- Switching to the simple bind {SASL} option, which uses an ldap->saslauthd->kerberos or ldap->saslauthd->pam->kerberos method of credential authentication. (Haven't been able to make this work right yet.)
- Not upgrading OpenLDAP... ever.
- Eliminating LDAP simple binds in the environment.
- Moving authentication directly to Active Directory.
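
Whichever option is chosen, it helps to know which entries still depend on {KERBEROS}. The following is an added example, not part of the original post: a Python audit of a `slapcat`-style LDIF export that lists the entries whose userPassword uses the {KERBEROS} scheme and would stop authenticating on 2.1.23 or later. The sample entries and the function names are constructed for illustration.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like an LDIF export (not real directory data).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("{KERBEROS}alice@EXAMPLE.COM"),
    "",
    "dn: uid=bob,ou=People,",
    " dc=example,dc=com",            # folded continuation line
    "userPassword: {SASL}bob@EXAMPLE.COM",
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword: {kerberos}carol@EXAMPLE.COM",
    "userPassword: {SSHA}constructed-placeholder",
    "",
])

def password_schemes(ldif):
    """Map each DN to the list of userPassword schemes it carries."""
    result, dn = {}, None
    unfolded = re.sub(r"\r?\n ", "", ldif)   # join LDIF continuation lines
    for line in unfolded.splitlines():
        if not line.strip():                 # blank line ends the entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: value" is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
            result[dn] = []
        elif attr.lower() == "userpassword" and dn is not None:
            match = SCHEME_RE.match(value)
            # Scheme names are normalized to upper case; no prefix means cleartext.
            result[dn].append(match.group(1).upper() if match else "CLEARTEXT")
    return result

def broken_by_upgrade(ldif):
    """DNs with at least one {KERBEROS} userPassword value."""
    return sorted(dn for dn, s in password_schemes(ldif).items() if "KERBEROS" in s)

if __name__ == "__main__":
    for entry in broken_by_upgrade(SAMPLE_LDIF):
        print("uses {KERBEROS}:", entry)
```
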

