Question regarding order of SASL authentication mechanisms

Dieter Kluenter dieter at dkluenter.de
Sat Dec 6 12:01:38 EST 2008


"Markus Moeller" <huaraz at moeller.plus.com> writes:

> I'd like to use for ldap bind GSSAPI as the first sasl authentication
> mechanism and digest-md5 as the second prefered method (e.g. if the
> client does not support GSSAPI)
>
> I have configured slapd with /etc/sash/slapd.conf that has gssapi
> before digest-md5 (I assume the order is important, is it?) .

No, it is not important, as sasl selects the most appropriate
mechanism.

> mech_list: gssapi digest-md5 cram-md5 external
>
> But despite the above order I get gssapi as the last in the list of
> supportedsaslmechanisms
>
> #ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w
> password -b "" -s base "supportedsaslmechanisms"
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: supportedsaslmechanisms
> #
>
> #
> dn:
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: GSSAPI

The ldap protocol is a message based protocol and there are no ordering
rules defined to present results. Ordering of search results is left
to the clients.

> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> and a query will force digest-md5 authentication (despite the GSSAPI
> capability of the client).
>
> #ldapsearch -H ldap://192.168.1.27 -s base -b "" "supportedsaslmechanisms"
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
>
> If I change /etc/sasl2/slapd.conf to
>
> mech_list: gssapi
>
> I get gssapi to work
>
> #ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
> SASL/GSSAPI authentication started
> SASL username: markus at SUSE.HOME
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: supportedsaslmechanisms
> #
>
> #
> dn:
> supportedSASLMechanisms: GSSAPI
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> What do I need to do to force the order on the server ?

This is not necessary, The strong bind authentication is not done by
slapd but passed to the sasl framework, sasl selects the most secure
mechanism available, that is in your case GSSAPI. Just test it by
calling ldapsearch without any bind options, something like:
ldapsearch -h localhost -b "" -s base +


-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E


More information about the Cyrus-sasl mailing list