Re: Kerberos/GSSAPI issues
- To: Dieter Kluenter <dieter@dkluenter.de>
- Subject: Re: Kerberos/GSSAPI issues
- From: Brian Candler <B.Candler@pobox.com>
- Date: Wed, 29 Dec 2010 16:50:17 +0000
- Cc: openldap-technical@openldap.org
- In-reply-to: <20101229075743.27f0d55a@rubin.avci.de>
- References: <20101228092656.GA4437@talktalkplc.com> <20101228094133.GA6687@talktalkplc.com> <20101229075743.27f0d55a@rubin.avci.de>
- User-agent: Mutt/1.5.20 (2009-06-14)
On Wed, Dec 29, 2010 at 07:57:43AM +0100, Dieter Kluenter wrote:
> The default ssf of ldapi is 71, but you may change localSSF in
> slapd.conf(5).
> [...]
Thank you, that is very clear.

Having changed that, I can use EXTERNAL with minssf=112, but not GSSAPI. I
find that if I set minssf=56 it's fine, but at minssf=57 it isn't.

It looks like this is a fundamental limitation of the GSSAPI:
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000628.html
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000635.html

FYI, here's what I see with minssf=57 (the 'No such attribute' error is
somewhat confusing):

root@noc:~# ldapsearch
ldap_sasl_interactive_bind_s: No such attribute (16)
root@noc:~# ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
additional info: SASL(-15): mechanism too weak for this user: mech GSSAPI is too weak
Regards,
Brian.