On Monday 07 September 2009 13:33:30, Linda Walsh wrote:
> Ralf Haferkamp wrote:
>> You (your client, whatever tool you used) tried to authenticate using the SASL/GSSAPI mechanism, but your server is not configured to use that mechanism. What tool were you using to access the LDAP server? If you were using the ldapsearch tool, try adding the "-x" command-line switch to use simple authentication and see if that works. For details have a look at the ldapsearch man page.
> ----
> I was using the command listed below -- that YaST told me to use:
> ldapsearch -Y external -H ldapi:/// -b
That command would never ever give you the error message you pasted in your first mail ("SASL [conn=1] Failure: GSSAPI Error: ...."), as the above command explicitly requests ldapsearch to use the SASL mechanism "external", which is not related in any way to GSSAPI.

> It doesn't say anything about an -x switch or a need to configure SASL/GSSAPI to make it work properly.
That completely depends on which authentication mechanism you want to use. If you want to use simple authentication you need to have the "-x" switch, otherwise ldapsearch (and other command-line tools) default to SASL authentication (the used SASL mechanism is negotiated based on what client and server support, unless you specify "-Y <mechanism>").

When YaST is used to set up OpenLDAP it sets up the configuration database (the database with the base DN "cn=config") in a way that only access via ldapi:/// and the SASL mechanism "external" is allowed. The "normal" databases (i.e. the one you configured in the YaST module) are accessible via simple authentication by default, and that's where you need the "-x" switch.

> Hasn't GSSAPI been deprecated due to non-fixable security flaws?
No.

> I seem to remember it being a requirement a few years back, then heard it was dropped when some serious problems were found. But most of the vendors still seem to offer and use it... so I'm a little bit confused...?
GSSAPI has not been deprecated. You must be confusing something here.

[..]

> So... how come my backend isn't working and why do I feel rather silly asking why it isn't working on a suse list?
>> What does this command give you:
>> ldapsearch -x -H ldap://
>> -b "" -s base +
Unfortunately you didn't answer this question.
-- 
Ralf
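As an added illustration that is not part of this thread: a constructed LDIF showing the kind of access rule on the cn=config database that produces the behaviour Ralf describes, where only the local root user, connecting over the ldapi:/// socket with SASL EXTERNAL, can reach it and a simple "-x" bind is refused. The peercred DN form is standard OpenLDAP; the exact ACL that YaST writes is an assumption here.

```ldif
# Constructed example, not the ACL YaST actually writes.
# slapd maps a SASL EXTERNAL bind over a Unix-domain socket (ldapi://)
# to a DN built from the client's peer credentials; uid 0 / gid 0 is root.
# Only that identity gets "manage" on cn=config; every other bind,
# including anonymous or simple (-x) binds over ldap://, gets nothing,
# because no peercred DN exists on a TCP connection.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
```

Applied as root with ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif, a later ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config succeeds, while the same search with -x over ldap:// is denied; the "normal" data database needs its own olcAccess rules granting whatever simple binds are meant to see.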