
Re: require authc and SASL GSSAPI
On 09.05.2016 22:34, Michael Ströder wrote:
> Christian wrote:
>> I use Kerberos/GSSAPI for authentication, and I recently locked down my
>> ldap servers with "require authc". With Kerberos tickets, I used to be
>> able to just enter
>>
>> ldapsearch
>>
>> on the command line. Now I have to do
>>
>> ldapsearch -Y GSSAPI
> 
> Why don't you simply put this line in your ldap.conf?
> 
> SASL_MECH GSSAPI

Hm. Because the man page says

SASL_MECH <mechanism>
              Specifies the SASL mechanism to use.  This is a user-only
              option.

Nevertheless, it does seem to work without -Y GSSAPI if I change it in
the global (/etc/ldap/ldap.conf) file. So maybe the documentation is wrong?

>> I assume this is because ldapsearch has to do a nonauthenticated bind to
>> find out about the SASL auth mechanisms (by looking for
>> supportedSASLMechanisms),
> 
> Nope. The command-line tools do not behave like this.

Well. If I remove "require authc" from the server config, then it works
even without -Y GSSAPI and without the setting in the config file (see
above). So there must be something that gets blocked when I require
authc. In fact, with require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required

and, after removing require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b ""
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

>> man ldap.conf
>>
>> tells me that the setting for SASL_MECH is a per user setting only. Is
>> there any other way to achieve this, or am I doing the wrong thing by
>> requiring authc?
> 
> I'm pretty sure there's a system-wide ldap.conf file installed on your system.

Of course. But the man page seems to be incorrect about SASL_MECH being
a per-user setting... Or maybe I am not understanding what a per user
setting is...

Thanks for looking into this,

Christian
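A small client-side check for the situation described in this thread, added here as an example and not part of the original mail or of OpenLDAP itself: the first function reports which SASL_MECH value an ldap.conf-style file (the global /etc/ldap/ldap.conf or a user's ldaprc) would hand to the tools, and the second classifies the output of the anonymous rootDSE query quoted above, so that "unwilling to perform (53)" is recognised as the server refusing anonymous reads (as happens with "require authc") rather than as a missing mechanism. The awk-based parser, the function names and the status strings are this example's own choices; the sample config and sample ldapsearch output fed in below are constructed.

```shell
#!/bin/sh
# Added diagnostic helpers (example code, not from the thread or from OpenLDAP).

# Print the SASL_MECH value from an ldap.conf / ldaprc style file, if present.
# Keyword is matched case-insensitively, '#' comment lines are skipped, and the
# last occurrence wins. Returns 1 when the file is unreadable or has no SASL_MECH.
sasl_mech_from_conf() {
    # $1: path to the configuration file to inspect
    [ -r "$1" ] || return 1
    awk 'toupper($1) == "SASL_MECH" && NF >= 2 { mech = $2 }
         END { if (mech != "") print mech; else exit 1 }' "$1"
}

# Classify the (stdout+stderr) output of:
#   ldapsearch -LLL -x -H ldap://HOST -s base -b "" supportedSASLMechanisms
# Prints one of:
#   anonymous-rootdse-blocked   server refused the anonymous read (result 53)
#   mechs=<comma-separated>     anonymous read worked, mechanisms listed
#   unknown                     neither pattern seen
classify_rootdse_output() {
    awk '
        /^supportedSASLMechanisms: / { mechs = mechs (mechs == "" ? "" : ",") $2 }
        /unwilling to perform \(53\)/ { blocked = 1 }
        END {
            if (blocked) print "anonymous-rootdse-blocked"
            else if (mechs != "") print "mechs=" mechs
            else print "unknown"
        }'
}

# Run the real probe against a server (only when ldapsearch is installed).
# $1: LDAP URI, e.g. ldap://ldap.example.org (placeholder, not from the thread)
probe_rootdse() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 2; }
    ldapsearch -LLL -x -H "$1" -s base -b "" supportedSASLMechanisms 2>&1 | classify_rootdse_output
}

# Usage: sh check_sasl_mech.sh ldap://HOST [ldap.conf-style files...]
if [ $# -ge 1 ]; then
    uri=$1; shift
    for f in "$@"; do
        if m=$(sasl_mech_from_conf "$f"); then
            echo "$f: SASL_MECH $m"
        else
            echo "$f: no SASL_MECH set"
        fi
    done
    probe_rootdse "$uri"
fi
```

If the probe reports anonymous-rootdse-blocked and no inspected file sets SASL_MECH, the tools will need an explicit -Y GSSAPI, which matches the behaviour reported in the thread; the script makes no claim about whether SASL_MECH is honoured in the global file or only in a per-user ldaprc.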