
Re: GSSAPI vs GSS-SPNEGO



On 12/26/14 12:10 -0500, Brendan Kearney wrote:
I am in the process of updating all of my systems to Fedora 20 from
Fedora 16, and am using all the latest available builds for OpenLDAP,
Cyrus SASL and MIT Kerberos.  I have put everything together as I had on
Fedora 16, and I am finding that the SASL instance is using
SASL/GSS-SPNEGO, and not SASL/GSSAPI like it did on the older version.

I am not sure if I should be concerned about this, but it feels like I
should be.  I am not able to find anything that allows me to configure
things one way or another, so I can force the use of GSSAPI from
configs, it seems.

Can anyone point me in a direction about this, tell me if I should be
concerned, or, if you might have come across this before, what I should be
doing that I am not?

To limit the use of specific sasl mechanisms, configure a libsasl
slapd.conf file which contains a 'mech_list' option explicitly listing the
mechanisms (space separated) you wish to offer.

Consult the fedora documentation for both slapd and libsasl2 for the
location to place the slapd.conf file in.

To obtain a list of advertised mechanisms, do:

ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms

You should also force your clients to use GSSAPI explicitly if that's your
preferred mechanism. The OpenLDAP client utilities offer a '-Y' option
to do that.

--
Dan White
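The two steps Dan describes, writing a libsasl slapd.conf with an explicit 'mech_list' and checking what the server advertises through its rootDSE, as an added shell example that is not part of the thread or of OpenLDAP itself. The rootDSE LDIF is a constructed sample standing in for live ldapsearch output, and the config file path is an assumption; the real location comes from the distro's libsasl2 and slapd documentation.

```shell
#!/bin/sh
# Added example (not from the thread): restrict slapd's SASL offer to GSSAPI
# via libsasl's mech_list, then audit what the server actually advertises.

# Build the libsasl slapd.conf line that limits the offered mechanisms.
# Usage: mech_list_line MECH [MECH...]   (mechanisms are space separated)
mech_list_line() {
    printf 'mech_list: %s\n' "$*"
}

# Write that line to a libsasl config file. The destination is passed in by
# the caller because the correct path is distro specific (on Fedora the
# libsasl2 config directory is typically under /etc/sasl2/; assumption).
write_sasl_conf() {
    dest="$1"; shift
    mech_list_line "$@" > "$dest"
}

# Extract advertised mechanisms from rootDSE LDIF on stdin, i.e. from:
#   ldapsearch -LLL -x -H ldap://ldap.example.org -s base -b "" supportedSASLMechanisms
advertised_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Print every advertised mechanism that is not in the allowed list.
# Usage: printf '%s\n' "$LDIF" | unexpected_mechs ALLOWED [ALLOWED...]
# Exit status 0 when only allowed mechanisms are advertised, 1 otherwise.
unexpected_mechs() {
    allowed=" $* "
    rc=0
    for m in $(advertised_mechs); do
        case "$allowed" in
            *" $m "*) ;;                 # mechanism is permitted
            *) echo "$m"; rc=1 ;;        # server still offers something extra
        esac
    done
    return $rc
}

# Constructed rootDSE result, as a server with no mech_list might return it.
SAMPLE_LDIF='dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5'

# Demo: audit the sample against a GSSAPI-only policy.
if printf '%s\n' "$SAMPLE_LDIF" | unexpected_mechs GSSAPI; then
    echo "server advertises GSSAPI only"
else
    echo "mechanisms above are still offered; set: $(mech_list_line GSSAPI)"
fi

# Client side: pin the mechanism rather than letting libsasl negotiate, e.g.
#   ldapsearch -Y GSSAPI -H ldap://ldap.example.org -b "" -s base
```

Run it against a live server by replacing the sample with the output of the ldapsearch command in the comment; a non-zero exit from unexpected_mechs means slapd did not pick up the mech_list (wrong file location is the usual cause) or was not restarted after the change.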