[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: require authc and SASL GSSAPI

To: Christian <chanlists@googlemail.com>
Subject: Re: require authc and SASL GSSAPI
From: Dan White <dwhite@cafedemocracy.org>
Date: Mon, 9 May 2016 08:54:59 -0500
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <40f54c5a-3101-9895-f7a0-29cca288becc@googlemail.com>
References: <40f54c5a-3101-9895-f7a0-29cca288becc@googlemail.com>
User-agent: Mutt/1.5.24 (2015-08-30)

On 05/09/16 09:29 +0200, Christian wrote:

Dear list,

I use Kerberos/GSSAPI for authentication, and I recently locked down my
ldap servers with "require authc". With Kerberos tickets, I used to be
able to just enter

ldapsearch


What response do you get?

on the command line. Now I have to do

ldapsearch -Y GSSAPI

I assume this is because ldapsearch has to do a nonauthenticated bind to
find out about the SASL auth mechanisms (by looking for
supportedSASLMechanisms), and that fails now. So it would be great if I


You can verify with:

ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms

had a way of setting the default SASL auth mechanism on a machine for
all users. However,

man ldap.conf

tells me that the setting for SASL_MECH is a per user setting only. Is
there any other way to achieve this, or am I doing the wrong thing by
requiring authc? Thanks,


Two options come to mind:

1) Configure GSSAPI as the only available SASL mechanism, within your sasl
slapd.conf, on the server.

2) Remove all other sasl mechanisms/shared libraries on the client machine.

--
Dan White

Follow-Ups:
- Re: require authc and SASL GSSAPI
  - From: Christian <chanlists@googlemail.com>

References:
- require authc and SASL GSSAPI
  - From: Christian <chanlists@googlemail.com>

Prev by Date: Re: Access auth granularity?
Next by Date: Re: require authc and SASL GSSAPI
Index(es):
- Chronological
- Thread