[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: require authc and SASL GSSAPI

To: Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org
Subject: Re: require authc and SASL GSSAPI
From: Christian <chanlists@googlemail.com>
Date: Mon, 9 May 2016 23:38:40 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=0/vW8C9uAd0ZK7vGK666a8vqrSpeafUyKsmdeyp1QeY=; b=HKRBS5Qsa/C1XAXsuuj9LdOdlVymFkgRMdpBtsmdq5uUAcpcIsgRtOB7DJ57VpdbAk UdsLURnsBgAvr8Z/s+cX+jcPfKi2bFMdJ+ql+jQqBVyCJExin08JqDWNi8jGaWHZihJr XqfNWEPp+IalnKadtOxuGaSTnB87gXx2diM7FIlflWblWG/iYnTPl/7I0vx1+CuIeK6y RYYE/sBPgEKGXSbNnRHQGjmkJIOrG4nsSoXIHgNkpW3yphVdvFUOQff9cIRQ+PbsVxcv 3cW0L73Jg4ZEtIkhmvDVaMHakS0rkzbquOAymN4EWBIRs0N5wO5a5JiOGbPhtCBAkWaC iSoA==
In-reply-to: <5730F44B.6070902@stroeder.com>
References: <40f54c5a-3101-9895-f7a0-29cca288becc@googlemail.com> <5730F44B.6070902@stroeder.com>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0

On 09.05.2016 22:34, Michael Ströder wrote:
> Christian wrote:
>> I use Kerberos/GSSAPI for authentication, and I recently locked down my
>> ldap servers with "require authc". With Kerberos tickets, I used to be
>> able to just enter
>>
>> ldapsearch
>>
>> on the command line. Now I have to do
>>
>> ldapsearch -Y GSSAPI
> 
> Why don't you simply put this line in your ldap.conf?
> 
> SASL_MECH GSSAPI

Hm. Because the man page says

SASL_MECH <mechanism>
              Specifies the SASL mechanism to use.  This is a user-only
              option.

Nevertheless, it does seem to work without -Y GSSAPI if I change it in
the global (/etc/ldap/ldap.conf) file. So maybe the documentation is wrong?

>> I assume this is because ldapsearch has to do a nonauthenticated bind to
>> find out about the SASL auth mechanisms (by looking for
>> supportedSASLMechanisms),
> 
> Nope. The command-line tools do not behave like this.

Well. If I remove "require authc" from the server config, then it works
even without -Y GSSAPI and without the setting in the config file (see
above). So there must be something that gets blocked when I require
authc. In fact, with require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required

and, after removing require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

>> man ldap.conf
>>
>> tells me that the setting for SASL_MECH is a per user setting only. Is
>> there any other way to achieve this, or am I doing the wrong thing by
>> requiring authc?
> 
> I'm pretty sure there's a system-wide ldap.conf file installed on your system.

Of course. But the man page seems to be incorrect about SASL_MECH being
a per-user setting... Or maybe I am not understanding what a per user
setting is...

Thanks for looking into this,

Christian

Follow-Ups:
- Re: require authc and SASL GSSAPI
  - From: Michael Ströder <michael@stroeder.com>

References:
- require authc and SASL GSSAPI
  - From: Christian <chanlists@googlemail.com>
- Re: require authc and SASL GSSAPI
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: require authc and SASL GSSAPI
Next by Date: Re: require authc and SASL GSSAPI
Index(es):
- Chronological
- Thread