
Re: require authc and SASL GSSAPI



>> I use Kerberos/GSSAPI for authentication, and I recently locked
>> down my ldap servers with "require authc". With Kerberos tickets, I
>> used to be able to just enter
>> 
>> ldapsearch
> 
> What response do you get?

ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: authentication required

>> on the command line. Now I have to do
>> 
>> ldapsearch -Y GSSAPI
>> 
>> I assume this is because ldapsearch has to do a nonauthenticated
>> bind to find out about the SASL auth mechanisms (by looking for 
>> supportedSASLMechanisms), and that fails now. So it would be great
>> if I
> 
> You can verify with:
> 
> ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms

with require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required

and, after removing require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

> 1) Configure GSSAPI as the only available SASL mechanism, within your
> sasl slapd.conf, on the server.

Already done. That did not matter...

> 2) Remove all other sasl mechanisms/shared libraries on the client
> machine.

Hm. See also my separate response to Michael... Thanks,

Christian
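
The root DSE probe from this thread, turned into a small audit helper. This is an added example, not part of the original posts. It classifies the probe output to show whether a client can still discover SASL mechanisms anonymously or must name one explicitly. Function names and result labels are hypothetical; the sample outputs are the ones quoted above.

```shell
#!/bin/sh
# Added example: function names and result labels are hypothetical.

# Classify the output of the anonymous root DSE query from the thread:
#   ldapsearch -LLL -x -H <uri> -s base -b "" supportedSASLMechanisms
classify_rootdse_probe() {
    awk '
        /^supportedSASLMechanisms: / {
            mechs = mechs (mechs != "" ? "," : "") $2
        }
        /unwilling to perform \(53\)/ { refused = 1 }
        /authentication required/     { authreq = 1 }
        END {
            if (mechs != "")             print "discoverable:" mechs
            else if (refused && authreq) print "blocked:authc-required"
            else                         print "unknown"
        }'
}

# Live use (needs network access and the OpenLDAP client tools);
# stderr is merged so the error text is classified too.
probe_rootdse() {
    ldapsearch -LLL -x -H "$1" -s base -b "" supportedSASLMechanisms 2>&1 |
        classify_rootdse_probe
}

# Samples taken from the outputs quoted in the thread.
sample_with_require_authc() {
    printf '%s\n' 'Server is unwilling to perform (53)' \
                  'Additional information: authentication required'
}
sample_without_require_authc() {
    printf '%s\n' 'dn:' 'supportedSASLMechanisms: GSSAPI'
}

sample_with_require_authc    | classify_rootdse_probe
sample_without_require_authc | classify_rootdse_probe
```

A `blocked:authc-required` result means clients of that server have to name the mechanism themselves, as with `ldapsearch -Y GSSAPI` in the thread or a `SASL_MECH GSSAPI` line in ldap.conf(5).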