
Re: I don't want to use GSSAPI !?



On 10/22/15 17:59 +0200, Olivier wrote:
> Hello everyone,
>
> authentication over ldap doesn't work on one of my Linux boxes. Trying to
> query the ldap server from this machine with ldapsearch, I get this:
>
> $ ldapsearch -ZZZ -h ldap1.example:389  -D uid=olivier,dc=example,dc=fr -b
> dc=example,dc=fr -W
> Enter LDAP Password:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (No credentials cache
> found)

Without including a '-x' option on the command line, you are directing
ldapsearch to perform a SASL authenticated bind. See the ldapsearch
manpage.

> Do you know why ldapsearch tries to authenticate using GSSAPI?

In this case, ldapsearch deferred the underlying authentication exchange
to libsasl2, which has determined that GSSAPI is the most appropriate SASL
mechanism to use, likely because the LDAP server is offering it. You can
use '-Y' to specify a preferred SASL mechanism, if that is your intention.

> I don't use such a mechanism (nor Kerberos) and I don't remember that I
> configured any such thing.
>
> Any idea how to deactivate the attempt to use GSSAPI to authenticate?

You can remove the GSSAPI libsasl2 shared library from your system, but
that would simply mask the problem.

--
Dan White
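
The checks discussed in this thread, as an added example that is not part of the original message: reading the SASL mechanisms the server advertises from its root DSE, and binding with -x over StartTLS instead of SASL. The host and DNs come from the post; the function names and the root DSE reply are constructed for illustration, and anonymous read access to the root DSE is assumed.

```shell
#!/bin/sh
# Added example: which SASL mechanisms does the LDAP server advertise, and
# how to bind without SASL. Function names are illustrative.

# Anonymous simple bind (-x) reading the root DSE. Needs network access,
# so it is defined here but not called by the sample run below.
# Usage: query_root_dse ldap1.example
query_root_dse() {
    ldapsearch -x -LLL -ZZ -H "ldap://$1" -b "" -s base supportedSASLMechanisms
}

# Simple bind as a user: -x disables SASL; -ZZ requires StartTLS to succeed,
# so the password typed at the -W prompt is not sent in cleartext.
# Usage: simple_bind_search ldap1.example uid=olivier,dc=example,dc=fr dc=example,dc=fr
simple_bind_search() {
    ldapsearch -x -ZZ -H "ldap://$1" -D "$2" -b "$3" -W
}

# Print one advertised mechanism per line from LDIF on stdin.
# LDAP attribute names are case-insensitive, hence tolower().
offered_sasl_mechs() {
    awk 'tolower($1) == "supportedsaslmechanisms:" { print $2 }'
}

# Exit 0 if the mechanism named in $1 appears in the LDIF on stdin.
server_offers() {
    offered_sasl_mechs | grep -qx -- "$1"
}

# Constructed sample of a root DSE reply (not output from the post).
sample_root_dse() {
    cat <<'EOF'
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
EOF
}

# Offline run against the constructed sample.
if sample_root_dse | server_offers GSSAPI; then
    echo "server offers GSSAPI: a bind without -x or -Y may select it"
fi
```

Against a live server, pipe query_root_dse into offered_sasl_mechs to see the real list.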