Re: Question regarding order of SASL authentication mechanisms

Dieter,

It doesn't work as you described, or GSSAPI is weaker than DIGEST-MD5.

With /etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 external

I get:

# ldapsearch -h localhost -b "" -s base +
SASL/DIGEST-MD5 authentication started
Please enter your password:

with /etc/sasl2/slapd.conf
mech_list: gssapi external

I get:

ldapsearch -h localhost -b "" -s base +
SASL/GSSAPI authentication started
SASL username: markus@xxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=suse,dc=home
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


Markus

"Dieter Kluenter" <dieter@xxxxxxxxxxxx> wrote in message news:87prk5i6fh.fsf@xxxxxxxxxxxxxxx
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> writes:

I'd like to use for ldap bind GSSAPI as the first sasl authentication
mechanism and digest-md5 as the second preferred method (e.g. if the
client does not support GSSAPI).

I have configured slapd with /etc/sasl2/slapd.conf that has gssapi
before digest-md5 (I assume the order is important, is it?).

No, it is not important, as sasl selects the most appropriate
mechanism.

mech_list: gssapi digest-md5 cram-md5 external

But despite the above order I get gssapi as the last in the list of
supportedsaslmechanisms

#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w
password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

The ldap protocol is a message based protocol and there are no ordering
rules defined to present results. Ordering of search results is left
to the clients.

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and a query will force digest-md5 authentication (despite the GSSAPI
capability of the client).

#ldapsearch -H ldap://192.168.1.27 -s base -b "" "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
Please enter your password:

If I change /etc/sasl2/slapd.conf to

mech_list: gssapi

I get gssapi to work

#ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
SASL/GSSAPI authentication started
SASL username: markus@xxxxxxxxx
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: GSSAPI

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


What do I need to do to force the order on the server?

This is not necessary. The strong bind authentication is not done by
slapd but passed to the sasl framework; sasl selects the most secure
mechanism available, that is in your case GSSAPI. Just test it by
calling ldapsearch without any bind options, something like:
ldapsearch -h localhost -b "" -s base +


-Dieter

--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
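An added example (my own code, not from either poster): a Python script that pulls the supportedSASLMechanisms values out of ldapsearch's LDIF output and ranks them with an assumed strength table, showing what a strength-based choice yields regardless of the order the server lists them in, and which weaker fallbacks a mixed mech_list leaves advertised. The sample LDIF, the STRENGTH table and the ACCEPTABLE policy are constructed assumptions, not Cyrus SASL's own selection logic.

```python
# Constructed sample: the rootDSE answer quoted in the thread, trimmed.
SAMPLE_LDIF = """# extended LDIF
#
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
result: 0 Success
"""

# Assumed ranking (strongest first), not Cyrus SASL's own scoring: GSSAPI can
# negotiate a security layer (the "SASL SSF: 56" above), while DIGEST-MD5 and
# CRAM-MD5 are obsolete (RFC 6331, RFC 6151).
STRENGTH = {"GSSAPI": 3, "DIGEST-MD5": 2, "CRAM-MD5": 1, "PLAIN": 0, "LOGIN": 0}
ACCEPTABLE = {"GSSAPI", "EXTERNAL"}  # assumed local policy for this audit


def parse_ldif_attrs(text: str) -> dict:
    """Attribute values from ldapsearch LDIF output: comments skipped, folded
    lines joined, repeated attributes kept, names lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def advertised_mechs(text: str) -> list:
    return parse_ldif_attrs(text).get("supportedsaslmechanisms", [])


def strongest_mech(mechs: list) -> str:
    # Strength-based pick; independent of the order the server listed them in.
    return max(mechs, key=lambda m: STRENGTH.get(m.upper(), -1))


def weak_mechs(mechs: list) -> list:
    # Mechanisms outside ACCEPTABLE that a client lacking GSSAPI could fall back to.
    return sorted(m for m in mechs if m.upper() not in ACCEPTABLE)
```

Feed it the output of `ldapsearch -x -b "" -s base supportedSASLMechanisms` to audit what a server actually advertises.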


