[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Client & Server with Kerberos

Quanah Gibson-Mount wrote:
--On January 7, 2008 12:06:40 AM -0800 sanjay gupta <sanjay_cs1983@yahoo.com> wrote:
 ldapsearch with debugging enabled and see what it's doing :-

[root@localhost tools]# ./ldapsearch -Y GSSAPI  -d  1
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=localhost.localdomain
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy
mechs found

It seems that LDAP server has not  GSSAPI available.

So how can we add GSSAPI support in LDAP server for making it work??

SASL mechanism support is determined by what mechanisms Cyrus-sasl has available to it. Install the appropriate SASL mechansisms package on your particular distribution, or if you are building it yourself, make sure you've built cyrus-sasl against a Kerberos implementation.


The cyrus sasl pluginviewer (called saslpluginviewer on my system) will list the installed plugins. You should see a client side plugin implementing the GSSAPI mechanism if you have sasl compiled for GSSAPI and installed correctly.

Also, however unlikely, you may have configured a sasl service file explicitly defining (restricting) which SASL mechanisms to use. On my system, that file is /usr/lib/sasl2/slapd.conf. You can specify the mechanisms to use using a statement like:


If not specified, I believe all server side mechanisms are offered by default.

- Dan White
BTC Broadband