On 10/22/15 17:59 +0200, Olivier wrote:
Hello everyone,
Authentication over ldap doesn't work on one of my linux boxes. Trying to query the ldap server from this machine with ldapsearch, I get this:
$ ldapsearch -ZZZ -h ldap1.example:389 -D uid=olivier,dc=example,dc=fr -b dc=example,dc=fr -W
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
Without including a '-x' option on the command line, you are directing ldapsearch to perform a SASL authenticated bind. See the ldapsearch manpage.
Do you know why ldapsearch tries to authenticate using GSSAPI?
In this case, ldapsearch deferred the underlying authentication exchange to libsasl2, which has determined that GSSAPI is the most appropriate SASL mechanism to use, likely because the ldap server is offering it. You can use '-Y' to specify a preferred sasl mechanism, if that is your intention.
I don't use such a mechanism (nor kerberos) and I don't remember that I configured any such thing.
Any idea how to deactivate the attempt to use GSSAPI to authenticate?
You can remove the GSSAPI libsasl2 shared library from your system, but that would simply mask the problem.
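
An added example, not part of the thread or written by either poster: a shell sketch of the two checks the reply points to, forcing a simple bind with '-x' and listing the SASL mechanisms the server advertises in its root DSE. The function names and the sample LDIF are constructed for illustration; the host and DNs are the ones from the question.

```shell
#!/bin/sh
# Added example: function names and the sample LDIF below are constructed.

# Simple bind over StartTLS. '-x' keeps ldapsearch from handing the bind
# to libsasl2, so no SASL mechanism (GSSAPI or otherwise) is attempted.
# Not called here because it needs the live server.
simple_bind_search() {
    ldapsearch -x -ZZ -H ldap://ldap1.example:389 \
        -D uid=olivier,dc=example,dc=fr -W -b dc=example,dc=fr "$@"
}

# Read root DSE LDIF on stdin and print the advertised SASL mechanisms,
# one per line. Attribute names are matched case-insensitively.
offered_mechs() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" {
        sub(/\r$/, "", $2)      # tolerate CRLF line endings
        print toupper($2)
    }'
}

# Anonymous root DSE query against the URI in $1, piped through the parser.
# Not called here because it needs the live server.
query_mechs() {
    ldapsearch -x -LLL -H "$1" -b "" -s base supportedSASLMechanisms | offered_mechs
}

# Exit status 0 if the mechanism named in $1 appears in the LDIF on stdin.
server_offers() {
    offered_mechs | grep -qxF "$1"
}

# Constructed sample of a root DSE answer, so the parser runs offline.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedsaslmechanisms: PLAIN'

if printf '%s\n' "$SAMPLE_ROOTDSE" | server_offers GSSAPI; then
    echo "GSSAPI is advertised: without -x or -Y, libsasl2 may select it"
fi
```

The advertised list is only one input: libsasl2 chooses among mechanisms that are both offered by the server and installed as plugins on the client.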