
Re: I don't want to use GSSAPI !?



On 10/23/15 23:31 +0200, Olivier wrote:
2015-10-22 20:54 GMT+02:00 Dan White <dwhite@cafedemocracy.org>:
Without including a '-x' option on the command line, you are directing
ldapsearch to perform a SASL authenticated bind. See the ldapsearch
manpage.

I use SASL in certain circumstances (aka: EXTERNAL), but not GSSAPI and
find it strange that this particular machine (I mean the client) even tries it.

Do you know why ldapsearch tries to authenticate using GSSAPI ?

Because your local cyrus sasl library determined it was the best option,
because it was not provided with a specific mechanism to use (-Y).

In this case, ldapsearch deferred the underlying authentication exchange
to libsasl2, which has determined that GSSAPI is the most appropriate SASL
mechanism to use, likely because the ldap server is offering it. You can
use '-Y' to specify a preferred sasl mechanism, if that is your intention.

Is there any way to configure the server not to serve the GSSAPI mechanism ? I
have not found any parameter that could deal with that on the server side.

Yes. Configure a sasl slapd.conf file, and specify an explicit 'mech_list'
which excludes GSSAPI. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php

You can remove the GSSAPI libsasl2 shared library from your system, but
that would simply mask the problem.

Mmm... Thanks for this idea, but again, this is GSSAPI that I don't want to
use, not SASL.

Is there any documentation that describes the dialog between the client and
the server before they agree on a particular mechanism ?

SASL authentication is based on a server-offers - client-chooses model. The
server offers all available mechanisms to the client, which then chooses
the most appropriate mechanism to use based on which mechanisms it has
available. You can explicitly set the mechanism with the '-Y' option, or
via a SASL_MECH user-only option (see ldap.conf(5)).

See section 5.2 of RFC 4513 for further detail.

--
Dan White
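
Added example, not part of the message above: after setting an explicit 'mech_list' on the server, one way to confirm that GSSAPI is no longer offered is to read supportedSASLMechanisms from the root DSE and compare it with the intended list. The function names, the host ldap.example.org and the sample LDIF are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: compare the SASL mechanisms a server advertises in its
# root DSE with the mech_list you intended to configure.
#
# Live use (ldap.example.org is a placeholder host):
#   ldapsearch -x -LLL -H ldap://ldap.example.org -b "" -s base \
#       supportedSASLMechanisms | unexpected_mechs "EXTERNAL PLAIN"

# Constructed sample of root DSE output, so the script runs offline.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN'

# Read LDIF on stdin; print each advertised mechanism, upper-cased.
offered_mechs() {
    awk -F': *' '{ sub(/\r$/, "") }
        tolower($1) == "supportedsaslmechanisms" { print toupper($2) }'
}

# $1: space-separated list of mechanisms the server is meant to offer.
# Prints every offered mechanism that is not in that list.
# Returns 0 when nothing unexpected is offered, 1 otherwise.
unexpected_mechs() {
    allowed=" $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') "
    found=0
    for mech in $(offered_mechs); do
        case "$allowed" in
            *" $mech "*) ;;                          # in the intended list
            *) printf '%s\n' "$mech"; found=1 ;;    # offered but not intended
        esac
    done
    return "$found"
}

# Demo on the constructed sample: GSSAPI is reported as unexpected.
printf '%s\n' "$SAMPLE_ROOTDSE" | unexpected_mechs "EXTERNAL PLAIN" \
    || echo "server offers mechanisms outside the intended mech_list"
```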