Re: require authc and SASL GSSAPI
- To: Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org
- Subject: Re: require authc and SASL GSSAPI
- From: Christian <chanlists@googlemail.com>
- Date: Mon, 9 May 2016 23:38:40 +0200
- In-reply-to: <5730F44B.6070902@stroeder.com>
- References: <40f54c5a-3101-9895-f7a0-29cca288becc@googlemail.com> <5730F44B.6070902@stroeder.com>
- User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0
On 09.05.2016 22:34, Michael Ströder wrote:
> Christian wrote:
>> I use Kerberos/GSSAPI for authentication, and I recently locked down my
>> ldap servers with "require authc". With Kerberos tickets, I used to be
>> able to just enter
>>
>> ldapsearch
>>
>> on the command line. Now I have to do
>>
>> ldapsearch -Y GSSAPI
>
> Why don't you simply put this line in your ldap.conf?
>
> SASL_MECH GSSAPI
Hm. Because the man page says
SASL_MECH <mechanism>
Specifies the SASL mechanism to use. This is a user-only
option.
Nevertheless, it does seem to work without -Y GSSAPI if I change it in
the global (/etc/ldap/ldap.conf) file. So maybe the documentation is wrong?
>> I assume this is because ldapsearch has to do a nonauthenticated bind to
>> find out about the SASL auth mechanisms (by looking for
>> supportedSASLMechanisms),
>
> Nope. The command-line tools do not behave like this.
Well. If I remove "require authc" from the server config, then it works
even without -Y GSSAPI and without the setting in the config file (see
above). So there must be something that gets blocked when I require
authc. In fact, with require authc:
afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required
and, after removing require authc:
afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
>> man ldap.conf
>>
>> tells me that the setting for SASL_MECH is a per user setting only. Is
>> there any other way to achieve this, or am I doing the wrong thing by
>> requiring authc?
>
> I'm pretty sure there's a system-wide ldap.conf file installed on your system.
Of course. But the man page seems to be incorrect about SASL_MECH being
a per-user setting... Or maybe I am not understanding what a per user
setting is...
Thanks for looking into this,
Christian
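The two-step check Christian ran above, packaged as a small script. This is an added example, not code from the thread or from OpenLDAP. It assumes the OpenLDAP client tools are installed, a Kerberos ticket is already held (kinit done), and the server URI is passed as an argument (the example default `ldap://ldap.example.com` is a placeholder). The anonymous root DSE read it performs is the same lookup libldap makes on its own when no SASL mechanism has been configured and the client has to discover one from supportedSASLMechanisms, which is why a global `require authc` turns a bare `ldapsearch` into an "authentication required" failure while `-Y GSSAPI` (or `SASL_MECH GSSAPI` in ldap.conf) still works.

```shell
#!/bin/sh
# Added example: reproduce the "require authc" diagnostic from the thread.
# Assumptions: OpenLDAP ldapsearch on PATH, a valid Kerberos ticket, and a
# server URI given as $1 (ldap://ldap.example.com below is a placeholder).

# Anonymous (-x) read of the root DSE for supportedSASLMechanisms.
# This is what a client does to discover a mechanism when none is configured.
# Output (stdout+stderr) is printed; the exit status is ldapsearch's LDAP
# result code (53 = unwillingToPerform, which is what "require authc" yields).
probe_rootdse_anon() {
    ldapsearch -LLL -x -H "$1" -s base -b "" supportedSASLMechanisms 2>&1
}

# Given an ldapsearch exit code and its captured output, decide whether the
# anonymous root DSE probe was refused for lack of authentication.
# Returns 0 (true) when refused, 1 otherwise.
anon_rootdse_refused() {
    rc="$1"; out="$2"
    [ "$rc" -eq 53 ] && printf '%s\n' "$out" | grep -qi 'authentication required'
}

# From a successful root DSE reply, list the advertised mechanisms, one per line.
list_sasl_mechs() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms: //p'
}

# Authenticated (GSSAPI) read of the same attribute, naming the mechanism
# explicitly so no anonymous discovery step is needed.
probe_rootdse_gssapi() {
    ldapsearch -LLL -Y GSSAPI -H "$1" -s base -b "" supportedSASLMechanisms 2>&1
}

main() {
    uri="${1:-ldap://ldap.example.com}"   # placeholder default
    out=$(probe_rootdse_anon "$uri"); rc=$?
    if anon_rootdse_refused "$rc" "$out"; then
        echo "anonymous root DSE read refused (rc=$rc): server requires authc,"
        echo "so a client with no configured mechanism cannot discover one."
        echo "Fix: pass -Y GSSAPI, or set 'SASL_MECH GSSAPI' in ldap.conf/~/.ldaprc."
        echo "Retrying with -Y GSSAPI:"
        probe_rootdse_gssapi "$uri"
        return $?
    fi
    echo "anonymous root DSE read allowed; server advertises:"
    list_sasl_mechs "$out"
}

# Only run when a URI is given, so the functions can also be sourced/tested.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh probe.sh ldap://your-server` with and without `require authc` on the server; the first branch matches the 53/"authentication required" output in the thread, the second the plain `supportedSASLMechanisms: GSSAPI` reply.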