Christian wrote:
> On 09.05.2016 22:34, Michael Ströder wrote:
>> Christian wrote:
>>> I use Kerberos/GSSAPI for authentication, and I recently locked down my
>>> ldap servers with "require authc". With Kerberos tickets, I used to be
>>> able to just enter
>>>
>>> ldapsearch
>>>
>>> on the command line. Now I have to do
>>>
>>> ldapsearch -Y GSSAPI
>>
>> Why don't you simply put this line in your ldap.conf?
>>
>> SASL_MECH GSSAPI
>
> Hm. Because the man page says
>
> SASL_MECH <mechanism>
> Specifies the SASL mechanism to use. This is a user-only
> option.
>
> Nevertheless, it does seem to work without -Y GSSAPI if I change it in
> the global (/etc/ldap/ldap.conf) file. So maybe the documentation is wrong?

I don't know what the author meant by "user-only". One could interpret
"user" in a broader sense here.

Read the man page section on where client configuration files are
searched. It ends at the system-wide ldap.conf. So if the majority of
users would have to use -Y GSSAPI, it does make sense to add that line.

>>> I assume this is because ldapsearch has to do a nonauthenticated bind to
>>> find out about the SASL auth mechanisms (by looking for
>>> supportedSASLMechanisms),
>>
>> Nope. The command-line tools do not behave like this.
>
> Well. If I remove "require authc" from the server config, then it works
> even without -Y GSSAPI and without the setting in the config file (see
> above). So there must be something that gets blocked when I require
> authc. In fact, with require authc:
>
> afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
> Server is unwilling to perform (53)
> Additional information: authentication required
>
> and, after removing require authc:
>
> afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI

Re-read the man page about the "require" directive. slapd does exactly
what you told it with "require authc".

Ciao, Michael.
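For reference, the two configuration pieces the thread talks about, written out as an added illustration rather than as configuration posted by either participant. The server-side "require authc" is the setting that makes slapd reject the anonymous (-x) rootDSE read with result 53; the client-side SASL_MECH is what makes a bare "ldapsearch" behave like "ldapsearch -Y GSSAPI". The hostname, base DN and file paths are placeholders; ~/.ldaprc is the per-user file listed in ldap.conf(5), and whether the same line is also honoured from the system-wide ldap.conf is exactly the point Christian and Michael are discussing above.

```conf
# --- server side: slapd.conf (or the olcRequires attribute in cn=config) ---
# Refuse every operation on an unauthenticated session, including the
# anonymous base search for supportedSASLMechanisms shown in the thread.
# Remove this line and the anonymous rootDSE read succeeds again.
require authc

# --- client side: ~/.ldaprc (per-user) or /etc/ldap/ldap.conf (system-wide) ---
# Placeholder values; replace with your own server and suffix.
URI        ldap://ldap.example.com
BASE       dc=example,dc=com
# Default SASL mechanism for ldapsearch/ldapmodify/... so that "-Y GSSAPI"
# no longer has to be typed on every invocation.
SASL_MECH  GSSAPI
```

With both in place, "ldapsearch -LLL -s base -b '' supportedSASLMechanisms" (no -x) binds via GSSAPI using the current Kerberos ticket and is allowed through, while the same query with -x is still answered with "authentication required", which is the intended effect of "require authc".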