Question regarding order of SASL authentication mechanisms

Markus Moeller huaraz at moeller.plus.com
Sat Dec 6 09:49:07 EST 2008


I'd like to use GSSAPI as the first SASL authentication mechanism for LDAP bind and digest-md5 as the second preferred method (e.g. if the client does not support GSSAPI).

I have configured slapd with /etc/sasl2/slapd.conf, which has gssapi before digest-md5 (I assume the order is important, is it?).

mech_list: gssapi digest-md5 cram-md5 external

But despite the above order I get gssapi last in the list of supportedsaslmechanisms:

#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and a query is forced to digest-md5 authentication (despite the client's GSSAPI capability):

#ldapsearch -H ldap://192.168.1.27 -s base -b "" "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
Please enter your password:

If I change /etc/sasl2/slapd.conf to

mech_list: gssapi

I get gssapi to work:

#ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
SASL/GSSAPI authentication started
SASL username: markus at SUSE.HOME
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: GSSAPI

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


What do I need to do to force the order on the server?

Thank you
Markus
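The post treats the order of `supportedSASLMechanisms` values as meaningful. In LDAP the values of a multi-valued attribute are a set with no defined order (RFC 4511), so a client that wants GSSAPI first has to apply its own preference list to whatever the server advertises, or pin the mechanism explicitly (`ldapsearch -Y GSSAPI ...`). The script below is an added example, not code from the post or from Cyrus SASL or OpenLDAP: it parses the rootDSE LDIF that `ldapsearch` prints, treats the advertised mechanisms as a set, and resolves a client-side preference list against it while refusing mechanisms a (constructed, assumed) local policy denies. The sample LDIF is constructed to match the shape shown above, not captured from a real server.

```python
"""Resolve a client-side SASL mechanism preference against the set a server advertises.

Added example. The LDIF sample, preference list and denied-mechanism policy are
constructed assumptions for illustration, not captured from any real server.
"""
import base64

# Constructed sample in the shape ldapsearch prints for a rootDSE query.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success
"""

# Client preference, strongest first (assumed policy for this example).
CLIENT_PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5"]

# Mechanisms this example's policy never accepts, regardless of what the server offers
# (they send the password, or a trivially reversible form of it, over the wire).
DENIED = {"PLAIN", "LOGIN", "ANONYMOUS"}


def parse_sasl_mechanisms(ldif_text):
    """Return the set of mechanism names advertised in a rootDSE LDIF dump.

    The result is a set on purpose: LDAP attribute values carry no ordering,
    so a client must not read priority into the order they arrive in.
    Attribute names are matched case-insensitively; '::' values are base64.
    """
    mechs = set()
    for line in ldif_text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue  # LDIF comment or a blank / separator line
        attr, _, value = line.partition(":")
        if attr.strip().lower() != "supportedsaslmechanisms":
            continue
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if value:
            mechs.add(value.upper())
    return mechs


def choose_mechanism(server_mechs, preference=CLIENT_PREFERENCE, denied=DENIED):
    """Pick the first client-preferred mechanism the server offers.

    Denied mechanisms are skipped even if they are the only common ones, so the
    caller gets None and can fail closed instead of silently downgrading.
    """
    offered = {m.upper() for m in server_mechs}
    for mech in preference:
        if mech in offered and mech not in denied:
            return mech
    return None


if __name__ == "__main__":
    advertised = parse_sasl_mechanisms(SAMPLE_LDIF)
    print("server offers:", sorted(advertised))
    print("client selects:", choose_mechanism(advertised))
```

Run against the constructed sample it selects GSSAPI even though the server listed it last, because the choice is made from the client's list, not the server's. If the intersection contains only denied mechanisms (for example a server that offers just PLAIN), `choose_mechanism` returns `None` so the caller can refuse to bind rather than fall back to a weaker mechanism.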