Question regarding order of SASL authentication mechanisms


 



I'd like to use GSSAPI as the first SASL authentication mechanism for LDAP bind and digest-md5 as the second preferred method (e.g. if the client does not support GSSAPI).

I have configured slapd with /etc/sash/slapd.conf that has gssapi before digest-md5 (I assume the order is important, is it?).

mech_list: gssapi digest-md5 cram-md5 external

But despite the above order I get gssapi as the last in the list of supportedsaslmechanisms

#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and a query will force digest-md5 authentication (despite the GSSAPI capability of the client).

#ldapsearch -H ldap://192.168.1.27 -s base -b "" "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
Please enter your password:

If I change /etc/sasl2/slapd.conf to

mech_list: gssapi

I get gssapi to work

#ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
SASL/GSSAPI authentication started
SASL username: markus@xxxxxxxxx
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: GSSAPI

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


What do I need to do to force the order on the server?

Thank you
Markus
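
Added example, not part of the original post: whatever order the server lists its mechanisms in, the client can name the mechanism itself with ldapsearch -Y. The sketch below reads the root DSE reply and picks the first mechanism from a client-side preference list that the server advertises. The function names (advertised_mechs, pick_mech, sample_rootdse) are hypothetical, and the sample reply is constructed from the output quoted in the post.

```shell
#!/bin/sh
# Added example: choose the SASL mechanism on the client instead of relying on
# the order in which the server lists supportedSASLMechanisms.

# Print the mechanisms advertised in root DSE LDIF read from stdin, one per line.
# The attribute name is matched case-insensitively; CRs are stripped.
advertised_mechs() {
    tr -d '\r' | awk '
        tolower($1) == "supportedsaslmechanisms:" { print toupper($2) }'
}

# pick_mech "PREF1 PREF2 ..." : read root DSE LDIF on stdin and print the first
# preferred mechanism that the server advertises; return 1 if none matches.
pick_mech() {
    prefs=$1
    offered=$(advertised_mechs)
    for want in $prefs; do
        for have in $offered; do
            if [ "$want" = "$have" ]; then
                printf '%s\n' "$want"
                return 0
            fi
        done
    done
    return 1
}

# Constructed sample: the root DSE reply shown in the post above.
sample_rootdse() {
    cat <<'EOF'
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
EOF
}

# Against a live server (URI taken from the post; add -D/-w to the first
# command if the root DSE cannot be read anonymously):
#   mech=$(ldapsearch -x -LLL -H ldap://192.168.1.27 -b "" -s base \
#            supportedSASLMechanisms | pick_mech "GSSAPI DIGEST-MD5") &&
#   ldapsearch -Y "$mech" -H ldap://192.168.1.27 -b "" -s base
sample_rootdse | pick_mech "GSSAPI DIGEST-MD5"
```

A non-zero return from pick_mech means the server offers none of the preferred mechanisms, so the caller can stop instead of falling back to a weaker one.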




