Date: Fri, 25 Jan 2008 12:57:55 -0700
From: Rich Megginson<rmeggins@xxxxxxxxxx>
Listbox wrote:
Hi folks,
I have sasl-gssapi installed. But to use any ldap clients like ldapsearch or
ldapmodify, I must specify "-Y GSSAPI" , else I get a "no mechanism
available" error. Is this an "Identity Mapping" problem, an ldap.conf
problem, or is it "as designed"?
OpenLDAP ldapsearch, ldapmodify, etc. (/usr/bin/ldapsearch etc.) attempt
to use SASL by default. If you use the -x argument, it will use simple
userDN/password bind.
It sounds like, since he went to the effort of installing sasl-gssapi, that he
actually wants to use SASL Binds though.
When no mechanism is specified, the client library tries to read the
supportedSASLMechanisms attribute from the server's rootDSE. If the rootDSE is
unreadable (due to ACLs most likely) then you'll get this type of failure.
My ldap.conf man page says that "SASL_MECH" is a per-user setting in
.ldaprc, so I worry that my services without a login will not use LDAP
correctly.
I read
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-SA
SL_Identity_Mapping.html
and the next section on "Realms" but the docs don't say if one should
actually put "cn=gssapi,cn=auth" into the SASL map.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
