Question regarding order of SASL authentication mechanisms
Dan White
dwhite at olp.net
Sat Dec  6 17:44:49 EST 2008

Markus Moeller wrote:
> Dieter,
>
> It doesn't work as you described or GSSAPI is weaker than DIGEST-MD5.
>
> With /etc/sasl2/slapd.conf
> mech_list: gssapi digest-md5 external
>
> I get:
>
> # ldapsearch -h localhost -b "" -s base +
> SASL/DIGEST-MD5 authentication started
> Please enter your password:

Markus,

SASL is a server-offers - client-chooses specification. DIGEST-MD5 is a
256 bit mechanism and GSSAPI is a 56 bit mechanism, so DIGEST-MD5 may be
preferred if no mechanism, or security properties, are specified.

See the manpage for ldap.conf to force a default SASL mechanism for the
OpenLDAP client utilities.

You can put 'SASL_MECH GSSAPI' within ~/.ldaprc.

- Dan
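
Added example, not part of the original message and not Cyrus SASL code: a simplified Python model of the selection described above, where the client picks the strongest mechanism among those the server offers unless SASL_MECH forces one. The SSF figures are the ones given in the message; the EXTERNAL value of 0, the min_ssf parameter and the function names are assumptions of this sketch.

```python
# Simplified model of SASL client-side mechanism selection (added example).
# SSF figures are the ones quoted in the message above; EXTERNAL = 0 is an
# assumption of this sketch. This is not Cyrus SASL source code.
CLIENT_MECH_SSF = {"DIGEST-MD5": 256, "GSSAPI": 56, "EXTERNAL": 0}


def parse_mech_list(line):
    """Parse a 'mech_list: a b c' line from the server's SASL config."""
    key, _, value = line.partition(":")
    if key.strip().lower() != "mech_list":
        raise ValueError("not a mech_list line")
    return [m.upper() for m in value.split()]


def choose_mech(offered, forced=None, min_ssf=0):
    """Return the mechanism the client would start, or None.

    offered : mechanisms advertised by the server, in server order
    forced  : value of SASL_MECH from ldap.conf / ~/.ldaprc, if set
    min_ssf : hypothetical minimum strength the client requires
    """
    if forced is not None:
        forced = forced.upper()
        # A forced mechanism is only usable if the server offers it
        # and the client has a plugin for it.
        usable = forced in offered and forced in CLIENT_MECH_SSF
        return forced if usable else None
    best = None
    for mech in offered:
        ssf = CLIENT_MECH_SSF.get(mech)
        if ssf is None or ssf < min_ssf:
            continue  # no client plugin, or weaker than required
        # Strictly-greater comparison: server order only breaks ties.
        if best is None or ssf > CLIENT_MECH_SSF[best]:
            best = mech
    return best


if __name__ == "__main__":
    offered = parse_mech_list("mech_list: gssapi digest-md5 external")
    print("no preference :", choose_mech(offered))
    print("SASL_MECH set :", choose_mech(offered, forced="GSSAPI"))
```

In this model, reordering mech_list on the server changes nothing; only a client-side setting such as SASL_MECH changes the outcome.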