Re: I don't want to use GSSAPI !?



Thanks Dan,

2015-10-22 20:54 GMT+02:00 Dan White <dwhite@cafedemocracy.org>:
On 10/22/15 17:59 +0200, Olivier wrote:
Hello everyone,

Authentication over LDAP doesn't work on one of my Linux boxes. Trying to
query the LDAP server from this machine with ldapsearch, I get this:

$ ldapsearch -ZZZ -h ldap1.example:389  -D uid=olivier,dc=example,dc=fr -b
dc=example,dc=fr -W
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
   additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (No credentials cache
found)
Without including a '-x' option on the command line, you are directing
ldapsearch to perform a SASL authenticated bind. See the ldapsearch
manpage.

I use SASL in certain circumstances (aka: EXTERNAL), but not GSSAPI, and find it strange that this particular machine (I mean the client) even tries it.

Do you know why ldapsearch tries to authenticate using GSSAPI?

In this case, ldapsearch deferred the underlying authentication exchange
to libsasl2, which has determined that GSSAPI is the most appropriate SASL
mechanism to use, likely because the ldap server is offering it. You can
use '-Y' to specify a preferred sasl mechanism, if that is your intention.

Is there any way to configure the server not to serve the GSSAPI mechanism? I have not found any parameter that could deal with that on the server side.


I don't use such a mechanism (nor Kerberos) and I don't remember that I
configured any such thing.

Any idea how to deactivate the attempt to use GSSAPI to authenticate?

You can remove the GSSAPI libsasl2 shared library from your system, but
that would simply mask the problem.

Mmm... Thanks for this idea, but again, it is GSSAPI that I don't want to use, not SASL.

Is there any documentation that describes the dialog between the client and the server before they agree on a particular mechanism?


--
Olivier

--
Dan White
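
An added example, not part of the thread: the mechanisms a server offers are published in the `supportedSASLMechanisms` attribute of its root DSE, which can be read with a simple (`-x`) bind and then used to choose between `-x` and `-Y <mech>`. The LDIF below is a constructed sample, and the function names `offered_mechs` and `bind_option` are hypothetical helpers.

```shell
#!/bin/sh
# Constructed sample of a root DSE, in the form printed by a query such as
#   ldapsearch -x -ZZ -H ldap://ldap1.example -s base -b "" supportedSASLMechanisms
# (host name from the thread; the mechanism list itself is made up).
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
'

# Read root DSE LDIF on stdin, print each advertised mechanism on its own line.
# Attribute names are case-insensitive; a trailing CR is dropped.
offered_mechs() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" {
        sub(/\r$/, "", $2); print $2
    }'
}

# Print the ldapsearch bind option for the wanted method.
#   $1    = "simple" for a simple bind, otherwise a SASL mechanism name
#   stdin = root DSE LDIF
# Fails (status 1) when the server does not advertise the mechanism, so a
# script never falls through to whatever libsasl2 would pick by itself.
bind_option() {
    want=$1
    if [ "$want" = simple ]; then
        echo "-x"
        return 0
    fi
    if offered_mechs | grep -Fqx "$want"; then
        echo "-Y $want"
    else
        echo "mechanism $want is not offered by the server" >&2
        return 1
    fi
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_ROOTDSE" | offered_mechs
printf '%s' "$SAMPLE_ROOTDSE" | bind_option EXTERNAL
```

With neither `-x` nor `-Y` on the command line, the choice among the advertised mechanisms is left to libsasl2, which is how GSSAPI ended up being tried in the session quoted above.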