
Re: require authc and SASL GSSAPI
Christian wrote:
> On 09.05.2016 22:34, Michael Ströder wrote:
>> Christian wrote:
>>> I use Kerberos/GSSAPI for authentication, and I recently locked down my
>>> ldap servers with "require authc". With Kerberos tickets, I used to be
>>> able to just enter
>>>
>>> ldapsearch
>>>
>>> on the command line. Now I have to do
>>>
>>> ldapsearch -Y GSSAPI
>>
>> Why don't you simply put this line in your ldap.conf?
>>
>> SASL_MECH GSSAPI
> 
> Hm. Because the man page says
> 
> SASL_MECH <mechanism>
>               Specifies the SASL mechanism to use.  This is a user-only
>               option.
> 
> Nevertheless, it does seem to work without -Y GSSAPI if I change it in
> the global (/etc/ldap/ldap.conf) file. So maybe the documentation is wrong?

I don't know what the author meant by "user-only".
One could interpret "user" in a broader sense here.

Read the man page section on where client configuration files are searched. It ends at the
system-wide ldap.conf. So if the majority of users would have to use -Y GSSAPI,
it does make sense to add that line there.

>>> I assume this is because ldapsearch has to do a nonauthenticated bind to
>>> find out about the SASL auth mechanisms (by looking for
>>> supportedSASLMechanisms),
>>
>> Nope. The command-line tools do not behave like this.
> 
> Well. If I remove "require authc" from the server config, then it works
> even without -Y GSSAPI and without the setting in the config file (see
> above). So there must be something that gets blocked when I require
> authc. In fact, with require authc:
> 
> afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
> supportedSASLMechanisms
> Server is unwilling to perform (53)
> Additional information: authentication required
> 
> and, after removing require authc:
> 
> afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
> supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI

Re-read the man page about the "require" directive. slapd does exactly what you
told it with "require authc".

Ciao, Michael.
