[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos/GSSAPI issues

To: Dieter Kluenter <dieter@dkluenter.de>
Subject: Re: Kerberos/GSSAPI issues
From: Brian Candler <B.Candler@pobox.com>
Date: Wed, 29 Dec 2010 16:50:17 +0000
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:message-id:references:mime-version:content-type :in-reply-to; s=sasl; bh=jCNxut97G4IvTwjiZFXqI1/yITQ=; b=BLWirVN 5Ps11a7n0dgpcRwMYZOthOK5pEg7hdq+zGcR85CZEr6iXkx5OB/7WLehNsiB6K4C I0kV8hUP55cIlYnznpoYtCL0bJk3m2jVbwH2pE10vyhtXtLghNe++enBUM2rcCXM PIHU9771pvCL5jI6mCuclX0cUMy+qdN3rVSM=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=date:from:to:cc :subject:message-id:references:mime-version:content-type :in-reply-to; q=dns; s=sasl; b=L7a/WNkD2QhfLGdV2o7GxpPc3/+ez25va k3AWiGm5hGUXsUEASVvISyGhFCFIvqQ5CVfqcY7Juuzwa7fV/ZvpokLGRfwiY5w9 NibS2Fze2AuRitezL4Pzl80EMRx4ovcln0rZ0jB9nwkh5KUTbLauSprr+7rsexXS Fp2sxcQpU8=
In-reply-to: <20101229075743.27f0d55a@rubin.avci.de>
References: <20101228092656.GA4437@talktalkplc.com> <20101228094133.GA6687@talktalkplc.com> <20101229075743.27f0d55a@rubin.avci.de>
User-agent: Mutt/1.5.20 (2009-06-14)

On Wed, Dec 29, 2010 at 07:57:43AM +0100, Dieter Kluenter wrote:
> The default ssf of ldapi is 71, but you may change localSSF in
> slapd.conf(5).
> [...]

Thank you, that is very clear.

Having changed that, I can use EXTERNAL with minssf=112, but not GSSAPI.  I
find that if I set minssf=56 it's fine, but at minssf=57 it isn't.

It looks like this is a fundamental limitation of the GSSAPI:
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000628.html
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2006-September/000635.html

FYI, here's what I see with minssf=57 (the 'No such attribute' error is
somewhat confusing)

root@noc:~# ldapsearch
ldap_sasl_interactive_bind_s: No such attribute (16)
root@noc:~# ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
	additional info: SASL(-15): mechanism too weak for this user: mech GSSAPI is too weak

Regards,

Brian.

Follow-Ups:
- Re: Kerberos/GSSAPI issues
  - From: Dieter Kluenter <dieter@dkluenter.de>

References:
- Kerberos/GSSAPI issues
  - From: Brian Candler <B.Candler@pobox.com>
- Re: Kerberos/GSSAPI issues
  - From: Brian Candler <B.Candler@pobox.com>
- Re: Kerberos/GSSAPI issues
  - From: Dieter Kluenter <dieter@dkluenter.de>

Prev by Date: Re: invalid credentials (49) for normal user
Next by Date: Re: Kerberos/GSSAPI issues
Index(es):
- Chronological
- Thread