On 22.01.2011 17:04, Brian Candler wrote:
On Fri, Jan 21, 2011 at 04:52:09PM +0100, Thomas Schweikle wrote:
I found the same (that DIGEST-MD5 was being preferred over GSSAPI). You can fix it by disabling DIGEST-MD5.
Under Ubuntu, I did this by
    # vi /etc/ldap/sasl2/slapd.conf
    mech_list: gssapi external
The location of this config file may differ under other distros.
I do have the directory, but not the file ... do I have to create it myself or is it part of a package I did not install?
You have to create it.
OK. Created the file. It holds:
    mech_list: gssapi external
    keytab: /etc/ldap/krb5.ldap
    sasldb_path: /etc/ldap/sasl2/passwd.db
Had a look at the rights for /etc/ldap/krb5.ldap:
    -rw------- 1 openldap openldap 278 2011-01-21 10:54 /etc/ldap/krb5.ldap
slapd is running as:
    openldap 4744 0.0 0.9 115800 5008 ? Ssl 00:02 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap
Seems OK. Next I tried:
    $ ldapsearch -Y GSSAPI -LLL -H ldap://srv.example.com -s "base" -b "" supportedSASLMechanisms
    SASL/GSSAPI authentication started
    SASL username: tschweikle@XOMPU.DE
    SASL SSF: 56
    SASL data security layer installed.
    dn:
    supportedSASLMechanisms: GSSAPI
Works!
Next try:
    $ ldapsearch -Y GSSAPI -H ldap://srv.example.com -LLL -b "dc=example,dc=com" "(objectclass=*)"
... returns the whole database! Fine! Looks like I've solved the issues with your help! Thanks a lot!
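
An added example, not part of the original thread: a small shell audit that compares the mechanisms the server advertises in its rootDSE with the mech_list in the SASL config file, and checks that the keytab is readable by its owner only. The function names are hypothetical, and the config and LDIF used in demo() are constructed sample data.

```shell
#!/bin/sh
# Added example: audit helpers for the setup in this thread. Function names are
# hypothetical; the sample config and LDIF in demo() are constructed.
# Live use, with the search from the thread:
#   ldapsearch -Y GSSAPI -LLL -H ldap://srv.example.com -s base -b "" \
#       supportedSASLMechanisms | unexpected_mechs /etc/ldap/sasl2/slapd.conf

# Print the mechanisms a Cyrus SASL config file allows (its mech_list: line),
# upper-cased, one per line. Prints nothing when mech_list is absent.
allowed_mechs() {
    sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" |
        tr '[:lower:]' '[:upper:]' | tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u
}

# Read LDIF of the rootDSE on stdin; print the advertised mechanisms.
advertised_mechs() {
    sed -n 's/^supportedSASLMechanisms:[[:space:]]*//p' |
        tr '[:lower:]' '[:upper:]' | sort -u
}

# unexpected_mechs CONF < LDIF
# Print each advertised mechanism that mech_list does not allow. With no
# mech_list at all, every advertised mechanism is reported.
unexpected_mechs() {
    allowed=$(allowed_mechs "$1")
    advertised_mechs | while read -r mech; do
        printf '%s\n' "$allowed" | grep -Fqx -- "$mech" || printf '%s\n' "$mech"
    done
}

# Succeed only when FILE has no group or other permission bits (-rw-------).
keytab_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

demo() {
    dir=$(mktemp -d)
    printf 'mech_list: gssapi external\n' > "$dir/slapd.conf"    # constructed
    printf 'dn:\nsupportedSASLMechanisms: DIGEST-MD5\nsupportedSASLMechanisms: GSSAPI\n' \
        > "$dir/rootdse.ldif"                                    # constructed
    echo "advertised but not in mech_list:"
    unexpected_mechs "$dir/slapd.conf" < "$dir/rootdse.ldif"
    : > "$dir/krb5.ldap" && chmod 600 "$dir/krb5.ldap"
    keytab_private "$dir/krb5.ldap" && echo "keytab is owner-only"
    rm -rf "$dir"
}
demo
```

EXTERNAL is normally advertised only on ldapi:/// or TLS connections, so the check is that the advertised set stays inside mech_list, not that the two are equal.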