"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> writes: > I'd like to use for ldap bind GSSAPI as the first sasl authentication > mechanism and digest-md5 as the second prefered method (e.g. if the > client does not support GSSAPI) > > I have configured slapd with /etc/sash/slapd.conf that has gssapi > before digest-md5 (I assume the order is important, is it?) . No, it is not important, as sasl selects the most appropriate mechanism. > mech_list: gssapi digest-md5 cram-md5 external > > But despite the above order I get gssapi as the last in the list of > supportedsaslmechanisms > > #ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w > password -b "" -s base "supportedsaslmechanisms" > # extended LDIF > # > # LDAPv3 > # base <> with scope baseObject > # filter: (objectclass=*) > # requesting: supportedsaslmechanisms > # > > # > dn: > supportedSASLMechanisms: DIGEST-MD5 > supportedSASLMechanisms: CRAM-MD5 > supportedSASLMechanisms: GSSAPI The ldap protocol is a message based protocol and there are no ordering rules defined to present results. Ordering of search results is left to the clients. > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > and a query will force digest-md5 authentication (despite the GSSAPI > capability of the client). > > #ldapsearch -H ldap://192.168.1.27 -s base -b "" "supportedsaslmechanisms" > SASL/DIGEST-MD5 authentication started > Please enter your password: > > If I change /etc/sasl2/slapd.conf to > > mech_list: gssapi > > I get gssapi to work > > #ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms" > SASL/GSSAPI authentication started > SASL username: markus@xxxxxxxxx > SASL SSF: 56 > SASL installing layers > # extended LDIF > # > # LDAPv3 > # base <> with scope baseObject > # filter: (objectclass=*) > # requesting: supportedsaslmechanisms > # > > # > dn: > supportedSASLMechanisms: GSSAPI > > # search result > search: 5 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > > What do I need to do to force the order on the server ? This is not necessary, The strong bind authentication is not done by slapd but passed to the sasl framework, sasl selects the most secure mechanism available, that is in your case GSSAPI. Just test it by calling ldapsearch without any bind options, something like: ldapsearch -h localhost -b "" -s base + -Dieter -- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html sip: +49.180.1555.7770535 GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E
