I was about to configure kerberos connections to my test OpenLDAP system (2.4.7, debian sid packages) when I discovered an oddity....
    # ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: LOGIN
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: NTLM
I don't see GSSAPI in the list. My searching of the doc and google has met with no real results. What must I do to get GSSAPI added as a supported mechanism?
Pat
Pat Riehecky wrote:
I was about to configure kerberos connections to my test OpenLDAP system (2.4.7, debian sid packages) when I discovered an oddity....
    # ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: LOGIN
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: NTLM
I don't see GSSAPI in the list.
Probably your SASL installation does not have the GSSAPI plugin installed (check for /usr/lib/sasl2/*gssapi*) or the required Kerberos libs are also missing.
Ciao, Michael.
Pat Riehecky skrev, on 13-02-2008 19:43:
I was about to configure kerberos connections to my test OpenLDAP system (2.4.7, debian sid packages) when I discovered an oddity....
    # ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: LOGIN
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: NTLM
I don't see GSSAPI in the list. My searching of the doc and google has met with no real results. What must I do to get GSSAPI added as a supported mechanism?
1: See that you have libgssapiv2 dynamic libraries in /usr/lib/sasl2 or wherever Debian puts them; 2: reflect this in /the/same/path/slapd.conf. I have only digest- and cram-md5 and mine looks like:
    auxprop_plugin: slapd
    pwcheck_method: auxprop
    mech_list: digest-md5 cram-md5
Not quite sure what this would be for gssapi, though ...
Best,
--Tonni
Tony Earnshaw tonni@hetnet.nl writes:
2: reflect this in /the/same/path/slapd.conf.
Debian supports this path for compatibility with the rest of the world, of course, but /etc/ldap/sasl2/slapd.conf may also be used for those who would prefer to keep configuration files in /etc rather than putting them in /usr/lib/sasl2.
I see that the general trend in Linux distributions is to standardize on /etc/sasl2 as the configuration path, so we may migrate files from there to /etc/sasl2 and drop the more peculiar /etc/ldap path in a later release. (Opinions on that topic welcome. The approach currently taken predates my involvement with the Debian OpenLDAP packages and looks like it was intended to match how Postfix handled the same problem.)
I see that neither of the issues mentioned in this thread are documented in README.Debian, which is an oversight on our part; I'll get that fixed.
* Russ Allbery rra@stanford.edu:
Tony Earnshaw tonni@hetnet.nl writes:
2: reflect this in /the/same/path/slapd.conf.
Debian supports this path for compatibility with the rest of the world, of course, but /etc/ldap/sasl2/slapd.conf may also be used for those who would prefer to keep configuration files in /etc rather than putting them in /usr/lib/sasl2.
I see that the general trend in Linux distributions is to standardize on /etc/sasl2 as the configuration path, so we may migrate files from there to /etc/sasl2 and drop the more peculiar /etc/ldap path in a later release. (Opinions on that topic welcome. The approach currently taken predates my involvement with the Debian OpenLDAP packages and looks like it was intended to match how Postfix handled the same problem.)
Future versions of Debian will have /etc/sasl2 as default path and will provide /etc/sasl and /usr/lib/sasl2 as fallback. Package maintainers who wish to keep SASL config files close to their application may do that.
p@rick
I see that neither of the issues mentioned in this thread are documented in README.Debian, which is an oversight on our part; I'll get that fixed.
-- Russ Allbery (rra@stanford.edu) http://www.eyrie.org/~eagle/
Pat Riehecky prieheck@iwu.edu writes:
I don't see GSSAPI in the list. My searching of the doc and google has met with no real results. What must I do to get GSSAPI added as a supported mechanism?
aptitude install libsasl2-modules-gssapi-mit
or
aptitude install libsasl2-modules-gssapi-heimdal
openldap-software@openldap.org
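The checks suggested in the replies above (a *gssapi* plugin file in the SASL plugin directory, a mech_list that does not exclude GSSAPI, and the rootDSE advertising it), combined into one script as an added example that is not part of the original thread. The function names, status strings and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: work out why GSSAPI is absent from supportedSASLMechanisms.

# Succeeds if any given plugin directory holds a *gssapi* file.
has_plugin() {
    for dir in "$@"; do
        for f in "$dir"/*gssapi*; do
            if [ -e "$f" ]; then return 0; fi
        done
    done
    return 1
}

# Succeeds if the SASL config has no mech_list (no restriction) or lists gssapi.
conf_allows_gssapi() {
    [ -f "$1" ] || return 0
    list=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" | tr 'A-Z' 'a-z')
    [ -n "$list" ] || return 0
    for m in $list; do
        if [ "$m" = gssapi ]; then return 0; fi
    done
    return 1
}

# diagnose_gssapi ROOTDSE_LDIF SASL_CONF PLUGIN_DIR...
# Prints the first failing check, in the order the thread's replies suggest.
diagnose_gssapi() {
    ldif=$1 conf=$2; shift 2
    if grep -qi '^supportedSASLMechanisms:[[:space:]]*GSSAPI[[:space:]]*$' "$ldif"; then
        echo advertised
    elif ! has_plugin "$@"; then
        echo plugin-missing
    elif ! conf_allows_gssapi "$conf"; then
        echo not-in-mech_list
    else
        echo plugin-present-check-kerberos-libs
    fi
}

# Constructed sample data mirroring the output and config quoted in the thread.
make_sample() {
    mkdir -p "$1/sasl2"
    { echo 'dn:'; printf 'supportedSASLMechanisms: %s\n' CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM; } > "$1/rootdse.ldif"
    printf '%s\n' 'auxprop_plugin: slapd' 'pwcheck_method: auxprop' 'mech_list: digest-md5 cram-md5' > "$1/slapd.conf"
}

tmp=$(mktemp -d) && make_sample "$tmp"
diagnose_gssapi "$tmp/rootdse.ldif" "$tmp/slapd.conf" "$tmp/sasl2"
rm -rf "$tmp"
```

On a real server, pass a file holding the ldapsearch output shown in the thread, the SASL slapd.conf in use (for example /etc/ldap/sasl2/slapd.conf), and /usr/lib/sasl2 as the plugin directory.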