Question regarding order of SASL authentication mechanisms
Markus Moeller
huaraz at moeller.plus.com
Sat Dec 6 09:49:07 EST 2008
I'd like to use GSSAPI for ldap bind as the first sasl authentication
mechanism and digest-md5 as the second preferred method (e.g. if the client
does not support GSSAPI).
I have configured slapd with /etc/sash/slapd.conf that has gssapi before
digest-md5 (I assume the order is important, is it?).
mech_list: gssapi digest-md5 cram-md5 external
But despite the above order I get gssapi as the last in the list of
supportedsaslmechanisms:
#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#
#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
and a query will force digest-md5 authentication (despite the GSSAPI
capability of the client).
#ldapsearch -H ldap://192.168.1.27 -s base -b "" "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
Please enter your password:
If I change /etc/sasl2/slapd.conf to
mech_list: gssapi
I get gssapi to work
#ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
SASL/GSSAPI authentication started
SASL username: markus at SUSE.HOME
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#
#
dn:
supportedSASLMechanisms: GSSAPI
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1
What do I need to do to force the order on the server?
Thank you
Markus
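
Added example, not part of the original post: ldapsearch's -Y option names the SASL mechanism explicitly, so a client can apply its own preference (GSSAPI, then DIGEST-MD5) to whatever the server advertises in supportedSASLMechanisms. The function names and the embedded sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the SASL mechanism on the client from a preference list
# instead of relying on the order in which the server advertises mechanisms.

# Constructed sample: the rootDSE reply quoted in the post above.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI'

# advertised_mechs: LDIF on stdin; prints one mechanism per line, upper-cased,
# in the order the server listed them. Attribute names are case-insensitive.
advertised_mechs() {
    tr -d '\r' |
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" && $2 != "" { print toupper($2) }'
}

# pick_sasl_mech PREF...: LDIF on stdin; prints the first preferred mechanism
# that the server offers. Returns 1 when none is offered, so the caller can
# stop instead of silently authenticating with something it did not ask for.
pick_sasl_mech() {
    offered=$(advertised_mechs)
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
        if printf '%s\n' "$offered" | grep -Fqx -- "$want"; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    return 1
}

# Demo on the constructed sample: the advertised order puts GSSAPI last,
# the client preference still selects it.
printf '%s\n' "$SAMPLE_ROOTDSE" | pick_sasl_mech GSSAPI DIGEST-MD5

# Against a live server (not run here; host taken from the post):
#   url=ldap://192.168.1.27
#   mech=$(ldapsearch -H "$url" -x -LLL -b "" -s base supportedSASLMechanisms \
#            | pick_sasl_mech GSSAPI DIGEST-MD5) &&
#     ldapsearch -H "$url" -Y "$mech" -b "" -s base
```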