[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: require authc and SASL GSSAPI

To: Dan White <dwhite@cafedemocracy.org>
Subject: Re: require authc and SASL GSSAPI
From: Christian <chanlists@googlemail.com>
Date: Mon, 9 May 2016 23:41:47 +0200
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=nDCBwRjJqDkewpf1GirEBB5pEZ4WXpj91JXnf8yGxA8=; b=hCSPZaBeY7QPptl7aPVJpzkSHEu2aUowWKt8nJgv1lNFWKdu9TEV4/PyKzIsu5p5a/ QXtBJbyC8s1hsvjEwaXYWGFoMKKIzgHw5u1HEo+bzFbT8F1aMZy5e9qYYkm4VPxGfbqt YIwEodY1dPyvDAnfXe0RKu1HYe9IC7tLP5n5R394d1mGNQGEXHvGzXLRZIRdmADPc6EF lgRzL2V0F3WqmSbhnn1fBIp4KTzUoSn9/tNwGicH0DHEPQhzGkZfhnIdfK0jBdna9RLD IiE76Cy8EA9Ot4qaCYmlfBxB3e9FzeE+vXQZM/x2tP43Hib/M7zk3IpD3p9Pt102B8+Z gsiQ==
In-reply-to: <20160509135458.GG4295@dan.olp.net>
References: <40f54c5a-3101-9895-f7a0-29cca288becc@googlemail.com> <20160509135458.GG4295@dan.olp.net>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0

>> I use Kerberos/GSSAPI for authentication, and I recently locked
>> down my ldap servers with "require authc". With Kerberos tickets, I
>> used to be able to just enter
>> 
>> ldapsearch
> 
> What response do you get?

ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: authentication required

>> on the command line. Now I have to do
>> 
>> ldapsearch -Y GSSAPI
>> 
>> I assume this is because ldapsearch has to do a nonauthenticated
>> bind to find out about the SASL auth mechanisms (by looking for 
>> supportedSASLMechanisms), and that fails now. So it would be great
>> if I
> 
> You can verify with:
> 
> ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" 
> supportedSASLMechanisms

with require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required

and, after removing require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

> 1) Configure GSSAPI as the only available SASL mechanism, within your
> sasl slapd.conf, on the server.

Already done. That did not matter...

> 2) Remove all other sasl mechanisms/shared libraries on the client
> machine.

Hm. See also my separate response to Michael... Thanks,

Christian

References:
- require authc and SASL GSSAPI
  - From: Christian <chanlists@googlemail.com>
- Re: require authc and SASL GSSAPI
  - From: Dan White <dwhite@cafedemocracy.org>

Prev by Date: Re: require authc and SASL GSSAPI
Next by Date: Re: require authc and SASL GSSAPI
Index(es):
- Chronological
- Thread