On Tuesday 02 December 2008 00:29:44, Markus Moeller wrote:
I'd like to use GSSAPI as the first sasl authentication mechanism and digest-md5 as the second method.
Although /etc/sash/slapd.conf has gssapi before digest-md5.
mech_list: gssapi digest-md5 cram-md5 external
I get gssapi as the last in the list of supportedsaslmechanisms.
The order in which the SASL mechanisms are defined in the config file is not related to the order in which those mechanisms are returned by the applications using the SASL libraries. The "mech_list" option is just used to restrict what mechanisms should be offered by an application, not in which order.
AFAIK there is currently no way to specify a desired order through a configuration file. If a client wants to use a specific SASL mechanism it should tell the server to use that mechanism. For the ldapsearch command you could e.g. use the "-Y GSSAPI" option on the command line.
#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
and a query will force digest-md5 authentication.
#ldapsearch -H ldap://192.168.1.27 -D "CN=Manager,DC=Suse,DC=home" -w Manager00$ -b "" -s base "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
If I change /etc/sasl2/slapd.conf to
mech_list: gssapi [..]
--
Ralf
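Following the advice above to name the mechanism on the client side, this added example (not part of the original thread) parses a root DSE reply and picks the first mechanism from a client-side preference list, failing closed when none is offered. The function names, the sample LDIF and the host ldap.example.org are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the SASL mechanism on the client instead of relying
# on the order in which the server lists supportedSASLMechanisms.

# Constructed sample root DSE reply, modelled on the output quoted in the thread.
SAMPLE_LDIF='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI'

# advertised_mechs: read LDIF on stdin, print one mechanism name per line.
# LDAP attribute names are case-insensitive, so compare them in lower case.
# Trailing blanks and carriage returns are stripped from the value.
advertised_mechs() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" && $2 != "" {
        sub(/[ \t\r]+$/, "", $2); print toupper($2) }'
}

# pick_sasl_mech LDIF PREF...: print the first mechanism from the client's
# preference list that the server advertises. Returns 1 when none matches,
# so the caller stops instead of silently using a weaker mechanism.
pick_sasl_mech() {
    ldif=$1; shift
    offered=$(printf '%s\n' "$ldif" | advertised_mechs)
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
        if printf '%s\n' "$offered" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    return 1
}

# Usage against a live server (host name is a placeholder):
#   ldif=$(ldapsearch -H ldap://ldap.example.org -x -b "" -s base supportedSASLMechanisms)
#   mech=$(pick_sasl_mech "$ldif" GSSAPI) || { echo "GSSAPI not offered" >&2; exit 1; }
#   ldapsearch -H ldap://ldap.example.org -Y "$mech" -b "" -s base
```

Passing only GSSAPI as the preference makes the client refuse to bind when the server does not offer it, which is the behaviour the server-side mech_list order cannot provide.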