Christian wrote:
> I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter
>
> ldapsearch
>
> on the command line. Now I have to do
>
> ldapsearch -Y GSSAPI

Why don't you simply put this line in your ldap.conf?

SASL_MECH GSSAPI

> I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms),

Nope. The command-line tools do not behave like this.

> man ldap.conf
>
> tells me that the setting for SASL_MECH is a per user setting only. Is there any other way to achieve this, or am I doing the wrong thing by requiring authc?

I'm pretty sure there's a system-wide ldap.conf file installed on your system.

Ciao, Michael.