
Re: Enable SASL and GSSAPI authentication



On 22/12/10 15:43 +0100, Jörg Herzinger wrote:
Hi,

On 2010-12-22 13:04, Indexer wrote:
To clarify, this means SASL passthrough (aka userPassword: {SASL}user@realm) and GSSAPI you want, correct?

Yes, thanks, I figured it out. I didn't get that using SASL means that all authentication is forwarded to SASL, and thus you have to configure it to use plain and gssapi auth. Before, I used LDAP, which seemed to be using the gss libraries directly, and I didn't have to use saslauthd at all.
And to document it, my /usr/lib/sasl2/slapd.conf now looks like this:

mech_list: plain gssapi
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

In the absence of this file, libsasl will offer all mechanisms that it can
find and initialize, and that match your 'sasl-secprops
noanonymous,noplain,noactive' configuration in /etc/ldap/slapd.conf.
saslauthd is not necessary for direct GSSAPI authentication, which is why
you didn't need this file in that case.

In fact, 'plain' is probably not necessary, and this config for
/usr/lib/sasl2/slapd.conf should suffice:

pwcheck_method: saslauthd

--
Dan White
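
Added example (not part of the original thread, and not code from OpenLDAP or Cyrus SASL): a simplified Python model of how mech_list and sasl-secprops together decide which mechanisms slapd offers, run on the two configs discussed above. The per-mechanism flag table and the function names are assumptions for illustration, and the model covers a connection without a TLS layer.

```python
# Assumption: simplified table of the security properties each mechanism
# satisfies, using the sasl-secprops keywords. Not read from a real libsasl.
MECH_FLAGS = {
    "ANONYMOUS": {"noplain"},
    "DIGEST-MD5": {"noanonymous", "noplain"},
    "GSSAPI": {"noanonymous", "noplain", "noactive"},
    "PLAIN": {"noanonymous"},
}

# Constructed inputs, copied from the two configs in the thread.
JORG_CONF = """mech_list: plain gssapi
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
"""
DAN_CONF = "pwcheck_method: saslauthd\n"
SECPROPS = "noanonymous,noplain,noactive"


def parse_sasl_conf(text):
    """Parse 'key: value' option lines, skipping blanks and comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def offered_mechs(conf_text, secprops, installed=MECH_FLAGS):
    """Return the mechanisms left after mech_list and secprops filtering."""
    opts = parse_sasl_conf(conf_text)
    required = {p.strip() for p in secprops.split(",") if p.strip()}
    if "mech_list" in opts:
        candidates = [m.upper() for m in opts["mech_list"].split()]
    else:
        # No mech_list: every installed mechanism is a candidate.
        candidates = sorted(installed)
    # A mechanism is offered only if it satisfies every required property.
    return [m for m in candidates if m in installed and required <= installed[m]]


if __name__ == "__main__":
    for name, conf in (("with mech_list", JORG_CONF), ("without", DAN_CONF)):
        print(name, "->", offered_mechs(conf, SECPROPS))
```

Under this model both configs end up offering only GSSAPI, because 'noplain' filters PLAIN out even when mech_list names it.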