> Date: Fri, 25 Jan 2008 12:57:55 -0700
> From: Rich Megginson <rmeggins at redhat.com>
> Listbox wrote:
>> Hi folks,
>>
>> I have sasl-gssapi installed. But to use any ldap clients like ldapsearch or
>> ldapmodify, I must specify "-Y GSSAPI", else I get a "no mechanism
>> available" error. Is this an "Identity Mapping" problem, an ldap.conf
>> problem, or is it "as designed"?
>>
> OpenLDAP ldapsearch, ldapmodify, etc. (/usr/bin/ldapsearch etc.) attempt
> to use SASL by default. If you use the -x argument, it will use simple
> userDN/password bind.

It sounds like, since he went to the effort of installing sasl-gssapi, that he actually wants to use SASL Binds though.

When no mechanism is specified, the client library tries to read the supportedSASLMechanisms attribute from the server's rootDSE. If the rootDSE is unreadable (due to ACLs most likely) then you'll get this type of failure.

>> My ldap.conf man page says that "SASL_MECH" is a per-user setting in
>> .ldaprc, so I worry that my services without a login will not use LDAP
>> correctly.
>> I read
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-SASL_Identity_Mapping.html
>> and the next section on "Realms" but the docs don't say if one should
>> actually put "cn=gssapi,cn=auth" into the SASL map.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
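The negotiation Howard describes, as an added illustration that is not code from this thread or from OpenLDAP: the client reads supportedSASLMechanisms from the rootDSE, intersects it with the mechanisms it has SASL plugins for, and picks one; when the rootDSE is hidden by ACLs the offered list is empty and the result is the "no mechanism available" failure. The two LDIF outputs, the installed-plugin list and the preference order are constructed for this example.

```python
"""Emulate the SASL mechanism selection an LDAP client performs when no
-Y mechanism is given. Added example; the LDIF text, the installed
plugin list and the preference order below are all constructed."""

from typing import List, Optional

# Constructed: what `ldapsearch -LLL -x -H ldap://HOST -s base -b "" \
#   supportedSASLMechanisms` returns when the rootDSE is readable.
ROOTDSE_READABLE = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
"""

# Constructed: the same query when ACLs hide the rootDSE attributes.
# Only the (empty) dn comes back, so the client learns nothing.
ROOTDSE_HIDDEN = """dn:
"""

# Constructed: mechanisms this client host has SASL plugins for
# (a GSSAPI plugin is installed, no DIGEST-MD5 plugin).
INSTALLED_MECHS = ["GSSAPI", "EXTERNAL"]

# Client-side preference order (assumed for this example).
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "EXTERNAL"]


def ldif_values(ldif: str, attr: str) -> List[str]:
    """Return every value of `attr` in LDIF text, unfolding wrapped lines
    (a line starting with a single space continues the previous one)."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    prefix = attr.lower() + ":"
    return [ln[len(prefix):].strip() for ln in lines
            if ln.lower().startswith(prefix)]


def negotiate(rootdse_ldif: str, installed: List[str]) -> Optional[str]:
    """Pick the first preferred mechanism both sides support.

    Returns None when the offered and installed sets do not overlap,
    including the case where the rootDSE came back without attributes;
    that is the situation in which the client reports
    "no mechanism available".
    """
    offered = ldif_values(rootdse_ldif, "supportedSASLMechanisms")
    for mech in PREFERENCE:
        if mech in offered and mech in installed:
            return mech
    return None


def ldapsearch_argv(host: str, mech: Optional[str]) -> List[str]:
    """Build the rootDSE query: an explicit -Y when a mechanism is known,
    -x (simple bind) otherwise, which is the fallback the thread mentions."""
    argv = ["ldapsearch", "-H", f"ldap://{host}", "-s", "base", "-b", ""]
    return argv + (["-Y", mech] if mech else ["-x"])


if __name__ == "__main__":
    for label, ldif in (("readable", ROOTDSE_READABLE),
                        ("hidden", ROOTDSE_HIDDEN)):
        mech = negotiate(ldif, INSTALLED_MECHS)
        print(f"rootDSE {label}: {mech or 'no mechanism available'}")
        argv = ldapsearch_argv("ldap.example.com", mech)
        print("  ", " ".join(a if a else "''" for a in argv))
```

The useful check when debugging the original poster's situation is the first query the script builds for the hidden case: run the rootDSE search with `-x` and see whether supportedSASLMechanisms comes back at all. If the entry is returned without that attribute, the problem is the server's ACL on the rootDSE rather than the client's SASL configuration, and `-Y GSSAPI` only works because it bypasses the lookup.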