[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: security ssf and gssapi auto selection

At 04:06 AM 3/8/2006, Mivz wrote:
>I have configured my ldap server to use GSSAPI.
>If I do not use the security ssf statement in my slapd.conf, it auto selects GSSAPI authentication:
>SASL/GSSAPI authentication started
>SASL username: me@FQDN
>SASL installing layers
># extended LDIF
># LDAPv3
># base <> with scope sub
># filter: (objectclass=*)
># requesting: gssapi
>But when I enable the security ssf statement:
>security ssf=56 update_ssf=112 simple_bind=56
>It reply's:
>ldap_sasl_interactive_bind_s: Confidentiality required (13)
>       additional info: confidentiality required
>And I have to specify -Y gssapi whit my ldapsearch and then it works as before.
>The exual result is the same.
>Wy is it that it won't auto select GSSAPI when confidentiality is required? It does not even try.
>And, of course, how can this be solved?

ssf=56 disallows the unprotected search used in auto selection
of the SASL mechanism.  You might look at replacing ssf=56
with ACLs that restrict unprotected search to just the
attributes of the root DSE required for auto-selection
or just not relying on auto-selection.  There are various
other restrictions you might experiment with, in particular
those of the 'require' slapd.conf(5) directive.