Re: require authc and SASL GSSAPI
- To: Dan White <dwhite@cafedemocracy.org>
- Subject: Re: require authc and SASL GSSAPI
- From: Christian <chanlists@googlemail.com>
- Date: Mon, 9 May 2016 23:41:47 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <20160509135458.GG4295@dan.olp.net>
- References: <40f54c5a-3101-9895-f7a0-29cca288becc@googlemail.com> <20160509135458.GG4295@dan.olp.net>
>> I use Kerberos/GSSAPI for authentication, and I recently locked
>> down my ldap servers with "require authc". With Kerberos tickets, I
>> used to be able to just enter
>>
>> ldapsearch
>
> What response do you get?
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: authentication required
>> on the command line. Now I have to do
>>
>> ldapsearch -Y GSSAPI
>>
>> I assume this is because ldapsearch has to do a nonauthenticated
>> bind to find out about the SASL auth mechanisms (by looking for
>> supportedSASLMechanisms), and that fails now. So it would be great
>> if I
>
> You can verify with:
>
> ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms
with require authc:
afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required
and, after removing require authc:
afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
> 1) Configure GSSAPI as the only available SASL mechanism, within your
> sasl slapd.conf, on the server.
Already done. That did not matter...
> 2) Remove all other sasl mechanisms/shared libraries on the client
> machine.
Hm. See also my separate response to Michael... Thanks,
Christian
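The exchange above shows the mechanism: a bare `ldapsearch` first reads `supportedSASLMechanisms` from the root DSE with an anonymous bind, and `require authc` makes the server answer result 53 before any SASL bind can start. The script below is an added example, not code from either poster or from the OpenLDAP project. It pins the mechanism on the client side with the `SASL_MECH` directive of ldap.conf(5)/ldaprc, which removes the need for the anonymous probe, and it shows the decision a client has to make when it does probe. The URI, search base and file path are hypothetical, and the two captured outputs are constructed from the results quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project).
# Without -Y, ldapsearch reads supportedSASLMechanisms from the root DSE with an
# anonymous bind; under "require authc" that probe fails with result 53 and the
# real bind never happens.  Pinning the mechanism in the client config avoids
# the probe, so a bare "ldapsearch" works again with a Kerberos ticket.

# Write a per-user ldaprc that pins GSSAPI (URI and base are hypothetical).
# $1 = target file, $2 = server URI, $3 = default search base
write_ldaprc() {
    cat > "$1" <<EOF
URI $2
BASE $3
SASL_MECH GSSAPI
EOF
}

# Interpret the output of an anonymous root-DSE probe, i.e. of
#   ldapsearch -LLL -x -H "$URI" -s base -b "" supportedSASLMechanisms
# Prints AUTH_REQUIRED when the server refused the anonymous bind (result 53),
# NONE when the entry lists no mechanism, otherwise the mechanisms found.
classify_rootdse() {
    _out=$1
    if printf '%s\n' "$_out" | grep -q 'unwilling to perform (53)'; then
        echo AUTH_REQUIRED
        return 0
    fi
    _mechs=$(printf '%s\n' "$_out" \
        | sed -n 's/^supportedSASLMechanisms: //p' | tr '\n' ' ' | sed 's/ $//')
    [ -n "$_mechs" ] && echo "$_mechs" || echo NONE
}

# Choose the ldapsearch authentication flags for a server from its probe output.
# $1 = probe output, $2 = mechanism to assume when the server refuses to tell
# (defaults to GSSAPI, the mechanism used in the thread).
bind_flags() {
    _pref=${2:-GSSAPI}
    _class=$(classify_rootdse "$1")
    case $_class in
        AUTH_REQUIRED) echo "-Y $_pref" ;;               # require authc: name it
        NONE)          echo "-x" ;;                      # plain bind only
        *"$_pref"*)    echo "-Y $_pref" ;;               # preferred mech offered
        *)             echo "-Y ${_class%% *}" ;;        # first offered mech
    esac
}

# Constructed sample outputs, modelled on the two results quoted in the thread.
REFUSED='Server is unwilling to perform (53)
Additional information: authentication required'
OPEN='dn:
supportedSASLMechanisms: GSSAPI'

# Stand-alone demonstration.
printf 'with require authc : %s\n' "$(bind_flags "$REFUSED")"
printf 'without            : %s\n' "$(bind_flags "$OPEN")"
```

With `SASL_MECH GSSAPI` in `~/.ldaprc` (or system-wide in `ldap.conf`) the client no longer needs to read the root DSE anonymously, so `require authc` can stay in place; `-Y` on the command line still overrides the file when a different mechanism is wanted.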