On 22.01.2011 17:04, Brian Candler wrote:
> On Fri, Jan 21, 2011 at 04:52:09PM +0100, Thomas Schweikle wrote:
>> > I found the same (that DIGEST-MD5 was being preferred over GSSAPI). You can
>> > fix it by disabling DIGEST-MD5.
>> >
>> > Under Ubuntu, I did this by
>> >
>> > # vi /etc/ldap/sasl2/slapd.conf
>> > mech_list: gssapi external
>> >
>> > The location of this config file may differ under other distros.
>>
>> I do have the directory, but not the file ... do I have to create it
>> myself or is it part of a package I did not install?
>
> You have to create it.

OK. Created the file. It holds:

mech_list: gssapi external
keytab: /etc/ldap/krb5.ldap
sasldb_path: /etc/ldap/sasl2/passwd.db

Had a look at the rights for /etc/ldap/krb5.ldap:

-rw------- 1 openldap openldap 278 2011-01-21 10:54 /etc/ldap/krb5.ldap

slapd is running as:

openldap 4744 0.0 0.9 115800 5008 ? Ssl 00:02 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap

Seems OK. Next I tried:

$ ldapsearch -Y GSSAPI -LLL -H ldap://srv.example.com -s "base" -b "" supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: tschweikle@XOMPU.DE
SASL SSF: 56
SASL data security layer installed.
dn:
supportedSASLMechanisms: GSSAPI

Works! Next try:

$ ldapsearch -Y GSSAPI -H ldap://srv.example.com -LLL -b "dc=example,dc=com" "(objectclass=*)"
...

returns the whole database! Fine!

Looks like I've solved the issues with your help!
Thanks a lot!

--
Thomas
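Added example, not part of the original message: a shell check that reads the root DSE LDIF printed by the supportedSASLMechanisms query above and reports any advertised mechanism that is not on the allow list from mech_list. The names check_sasl_mechs, ALLOWED_MECHS, sample_before and sample_after are hypothetical, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Audit the SASL mechanisms a slapd advertises in its root DSE.
# Feed it the LDIF printed by the query from the message, e.g.
#   ldapsearch -Y GSSAPI -LLL -H ldap://srv.example.com -s "base" -b "" \
#       supportedSASLMechanisms | check_sasl_mechs
# Exit status: 0 = only allowed mechanisms, 1 = unexpected mechanism,
#              2 = no supportedSASLMechanisms attribute in the input.

# Assumption: the allow list mirrors "mech_list: gssapi external".
ALLOWED_MECHS="GSSAPI EXTERNAL"

check_sasl_mechs() {
    awk -v allowed="$ALLOWED_MECHS" '
        BEGIN {
            n = split(toupper(allowed), a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # LDIF attribute names are case-insensitive.
        tolower($1) == "supportedsaslmechanisms:" {
            seen++
            mech = toupper($2)
            if (!(mech in ok)) { print "unexpected mechanism: " mech; bad++ }
        }
        END {
            if (seen == 0) { print "no supportedSASLMechanisms in input"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample: a server that still offers DIGEST-MD5.
sample_before() {
    printf '%s\n' 'dn:' \
        'supportedSASLMechanisms: DIGEST-MD5' \
        'supportedSASLMechanisms: GSSAPI'
}

# Constructed sample: same shape as the output quoted in the message.
sample_after() {
    printf '%s\n' 'dn:' 'supportedSASLMechanisms: GSSAPI'
}

sample_before | check_sasl_mechs || echo "-> mech_list still allows extra mechanisms"
sample_after  | check_sasl_mechs && echo "-> only allowed mechanisms advertised"
```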