[opensuse] Openldap sasl mechanism order problem on OpenSuSE 11
I'd like to use GSSAPI as the first sasl authentication mechanism and digest-md5 as the second method. Although /etc/sash/slapd.conf has gssapi before digest-md5,

mech_list: gssapi digest-md5 cram-md5 external

I get gssapi as the last in the list of supportedsaslmechanisms:

#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and a query will force digest-md5 authentication.

#ldapsearch -H ldap://192.168.1.27 -D "CN=Manager,DC=Suse,DC=home" -w Manager00$ -b "" -s base "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

If I change /etc/sasl2/slapd.conf to

mech_list: gssapi

I get gssapi to work:

#ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
SASL/GSSAPI authentication started
SASL username: markus@SUSE.HOME
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: GSSAPI

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1

Why is slapd not using the right order? I use OpenSuse 11.0 with latest patches.

Markus
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Tuesday 02 December 2008 00:29:44, Markus Moeller wrote:
I'd like to use GSSAPI as the first sasl authentication mechanism and digest-md5 as the second method.
Although /etc/sash/slapd.conf has gssapi before digest-md5.
mech_list: gssapi digest-md5 cram-md5 external
I get gssapi as the last in the list of supportedsaslmechanisms

The order in which the SASL mechanisms are defined in the config file is not related to the order in which those mechanisms are returned by the applications using the SASL libraries. The "mech_list" option is just used to restrict which mechanisms should be offered by an application, not in which order.

AFAIK there is currently no way to specify a desired order through a configuration file. If a client wants to use a specific SASL mechanism it should tell the server to use that mechanism. For the ldapsearch command you could e.g. use the "-Y GSSAPI" option on the command line.
#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
and a query will force digest-md5 authentication.
#ldapsearch -H ldap://192.168.1.27 -D "CN=Manager,DC=Suse,DC=home" -w Manager00$ -b "" -s base "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
If I change /etc/sasl2/slapd.conf to
mech_list: gssapi [..]
--
Ralf
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
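Since the server's mech_list only restricts what is advertised and the client must pick the mechanism itself, the selection logic belongs on the client side. The script below is an added example written for this thread, not code from either poster or from OpenLDAP: it parses the root DSE LDIF that `ldapsearch -x -b "" -s base supportedSASLMechanisms` prints (the sample text is constructed to match the output in the thread), picks the first mechanism from a client-side preference list that the server actually offers, and builds the ldapsearch argument vector that pins it with -Y. The preference list and the helper names are assumptions.

```python
"""Client-side SASL mechanism selection from a root DSE listing.

Added example for this thread (not the posters' or OpenLDAP's code).
Assumptions: the CLIENT_PREFERENCE order is site policy, and the helper
names are hypothetical.
"""

# Constructed sample: the root DSE output from the thread, with GSSAPI
# advertised last even though it is first in the server's mech_list.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Assumption: the client's own preference order (strongest first).
CLIENT_PREFERENCE = ["GSSAPI", "DIGEST-MD5"]


def _unfold_ldif(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_supported_mechs(ldif_text):
    """Return the supportedSASLMechanisms values in the order the server sent them."""
    mechs = []
    for line in _unfold_ldif(ldif_text):
        if line.startswith("#") or ":" not in line:
            continue  # comment or blank line
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "supportedsaslmechanisms":
            mechs.append(value.strip().upper())
    return mechs


def choose_mechanism(advertised, preference=CLIENT_PREFERENCE):
    """First mechanism in the client's preference list that the server offers.

    The server's advertised order is ignored on purpose: only the client's
    preference decides. Returns None if nothing acceptable is offered.
    """
    offered = set(advertised)
    for mech in preference:
        if mech in offered:
            return mech
    return None


def build_ldapsearch_argv(host, mech, base="", scope="base",
                          attrs=("supportedSASLMechanisms",)):
    """Build the ldapsearch argv that forces one SASL mechanism via -Y."""
    argv = ["ldapsearch", "-H", f"ldap://{host}", "-Y", mech,
            "-b", base, "-s", scope]
    argv.extend(attrs)
    return argv


if __name__ == "__main__":
    advertised = parse_supported_mechs(SAMPLE_LDIF)
    chosen = choose_mechanism(advertised)
    print("server advertises:", advertised)
    print("client chooses:  ", chosen)
    print("command:", " ".join(build_ldapsearch_argv("192.168.1.27", chosen)))
```

Run against the constructed sample it reports GSSAPI even though slapd listed it last, and prints the pinned `ldapsearch ... -Y GSSAPI ...` command. If the preferred mechanism is not offered at all, choose_mechanism returns None rather than silently falling back to a weaker one, which is the behaviour you want before letting a tool negotiate on its own.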
participants (2)
-
Markus Moeller
-
Ralf Haferkamp