Mailinglist Archive: opensuse (1702 mails)

Re: [opensuse] Re: ldap slpd config
  • From: Ralf Haferkamp <rhafer@xxxxxxx>
  • Date: Mon, 7 Sep 2009 14:34:41 +0200
  • Message-id: <200909071434.41297.rhafer@xxxxxxx>
On Monday 07 September 2009 13:33:30 Linda Walsh wrote:
> Ralf Haferkamp wrote:
>> You (your client, whatever tool you used) tried to authenticate using the
>> SASL/GSSAPI mechanism, but your server is not configured to use that
>> mechanism. What tool were you using to access the LDAP server?
>> If you were using the ldapsearch tool try adding the "-x" commandline
>> switch to use simple authentication and see if that works. For details
>> have a look in the ldapsearch man-page.

> ----
> I was using the command listed below -- that YAST told me to use:
> ldapsearch -Y external -H ldapi:/// -b
That command would never ever give you the error message you pasted in your
first mail ("SASL [conn=1] Failure: GSSAPI Error: ...."). As the above
command explicitly requests ldapsearch to use the SASL mechanism "external",
which is not related in any way to GSSAPI.

> It doesn't say anything about an -x switch or a need to configure
> SASL/GSSAPI to make it work properly.
That completely depends on which authentication mechanism you want to use. If
you want to use simple authentication you need to have the "-x" switch,
otherwise ldapsearch (and other commandline tools) default to SASL
authentication (the used SASL mechanism is negotiated based on what client and
server support, unless you specify "-Y <mechanism>").

When YaST is used to set up OpenLDAP it sets up the configuration database (the
database with the base dn: "cn=config") in a way that only access via
ldapi:/// and the SASL mechanism "external" is allowed.
The "normal" databases (i.e. the one you configured in the YaST module) are
accessible via simple authentication by default, and that's where you need the
"-x" switch.

> Hasn't GSSAPI been deprecated for non-fixable security flaws?
No.

> I seem to remember it being a requirement a few years back, then heard
> it was dropped when some serious problems were found. But most of the
> vendors still seem to offer and use it...so I'm a little bit confused...?
GSSAPI has not been deprecated. You must be confusing something here.

[..]
> So...how come my backend isn't working and why do I feel rather silly
> asking why it isn't working on a suse list?

>> What does this command give you:
>>
>> ldapsearch -x -H ldap://<your.ldapserver.address> -b "" -s base +
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Unfortunately you didn't answer this question.

--
Ralf
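As an added illustration (not taken from Ralf's mail or from YaST's actual generated configuration), here is a generic OpenLDAP cn=config access rule in LDIF that produces the behaviour described above: the config database is reachable only over ldapi:/// with the SASL EXTERNAL mechanism, where slapd maps the connecting process's Unix uid/gid to a cn=peercred authorization DN, so local root gets manage rights and every other bind, including a simple bind with "-x", is denied. The olcAccess form is standard OpenLDAP syntax and is assumed here rather than copied from YaST.

```ldif
# Added example, not YaST's real output: restrict the cn=config database to
# local root connecting over the Unix socket with SASL EXTERNAL.
# On ldapi:/// slapd maps the peer's uid/gid to the authzDN below; uid 0 / gid 0 is root.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * none

# Applying this rule, and later reading cn=config, only works as root with the
# mechanism Ralf named; a simple bind ("-x") hits "by * none" and is refused:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f config-acl.ldif
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
# The ordinary data database keeps its own olcAccess, and that is where "-x" belongs:
#   ldapsearch -x -H ldap://<your.ldapserver.address> -b "" -s base +
```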
