[Date Prev][Date Next] [Chronological] [Thread] [Top]

require authc and SASL GSSAPI

To: openldap-technical@openldap.org
Subject: require authc and SASL GSSAPI
From: Christian <chanlists@googlemail.com>
Date: Mon, 9 May 2016 09:29:49 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=sYFChbNzthfTTbzPoCgKLeZq/H9wTKaOSiNp3+yMyfU=; b=LtBoWQPXErgUkcuLJYxjkasbuJilgiKx4kNGM7NRbNAA40OBgAfKR2fPslnurf1A+3 AluDvR8fEG5V+/eBYDNOuG7+TFD1fOJyVOrfINgFr83mpwTkrObjJVauiJDHnP8C00KO R959nB6HwWvO/F2LfIy6Ogka99qucDHlijpn2X4B5meMQIzmAHRu/oam7JI7OtobXswU lQHB7RfjaomLDpU7UlZvwuWxLaR2fgTChIRFJAXdE7/OTHxIAx51EeA9AwgsVG1hl9Bw Qlw1qD+i+RUN7jTnWptJ+DPezlO7d0E/sEV5fxZcgxdKiD5RRSAP7nwVeehFr/6DuPTO y2yQ==
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0

Dear list,

I use Kerberos/GSSAPI for authentication, and I recently locked down my
ldap servers with "require authc". With Kerberos tickets, I used to be
able to just enter

ldapsearch

on the command line. Now I have to do

ldapsearch -Y GSSAPI

I assume this is because ldapsearch has to do a nonauthenticated bind to
find out about the SASL auth mechanisms (by looking for
supportedSASLMechanisms), and that fails now. So it would be great if I
had a way of setting the default SASL auth mechanism on a machine for
all users. However,

man ldap.conf

tells me that the setting for SASL_MECH is a per user setting only. Is
there any other way to achieve this, or am I doing the wrong thing by
requiring authc? Thanks,

Christian

Follow-Ups:
- Re: require authc and SASL GSSAPI
  - From: Dan White <dwhite@cafedemocracy.org>
- Re: require authc and SASL GSSAPI
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Access auth granularity?
Next by Date: Re: Access auth granularity?
Index(es):
- Chronological
- Thread