I use Kerberos/GSSAPI for authentication, and I recently locked down my LDAP servers with "require authc". With Kerberos tickets, I used to be able to just enter
ldapsearch
What response do you get?
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
    additional info: authentication required
on the command line. Now I have to do
ldapsearch -Y GSSAPI
I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms), and that fails now. So it would be great if I
You can verify with:
ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms
with require authc:
afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required
and, after removing require authc:
afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
- Configure GSSAPI as the only available SASL mechanism, within your
SASL slapd.conf, on the server.
Already done. That did not matter...
- Remove all other SASL mechanisms/shared libraries on the client
machine.
Hm. See also my separate response to Michael...
Thanks,
Christian