On 10/23/15 23:31 +0200, Olivier wrote:
2015-10-22 20:54 GMT+02:00 Dan White dwhite@cafedemocracy.org:
Without including a '-x' option on the command line, you are directing ldapsearch to perform a SASL authenticated bind. See the ldapsearch manpage.
I use SASL in certain circumstances (aka: EXTERNAL), but not GSSAPI and find strange that this particular machine (I mean the client) even tries it.
Do you know why ldapsearch tries to authenticate using GSSAPI ?
Because your local cyrus sasl library determined it was the best option, because it was not provided with a specific mechanism to use (-Y).
In this case, ldapsearch deferred the underlying authentication exchange to libsasl2, which has determined that GSSAPI is the most appropriate SASL mechanism to use, likely because the ldap server is offering it. You can use '-Y' to specify a preferred sasl mechanism, if that is your intention.
Is there any way to configure the server not to serve the GSSAPI mechanism? I have not found any parameter that could deal with that on the server side.
Yes. Configure a sasl slapd.conf file, and specify an explicit 'mech_list' which excludes GSSAPI. See:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php
You can remove the GSSAPI libsasl2 shared library from your system, but that would simply mask the problem.
Mmm... Thanks for this idea, but again, this is GSSAPI that I don't want to use, not SASL.
Is there any documentation that describes the dialog between the client and the server before they agree on a particular mechanism?
SASL authentication is based on a server-offers - client-chooses model. The server offers all available mechanisms to the client, which then chooses the most appropriate mechanism to use based on which mechanisms it has available. You can explicitly set the mechanism with the '-Y' option, or via a SASL_MECH user-only option (see ldap.conf(5)).
See section 5.2 of RFC 4513 for further detail.
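A concrete version of the two settings discussed above (a server-side mech_list that drops GSSAPI, and a client-side SASL_MECH / -Y that pins the mechanism), as an added example that is not part of the original thread. The file paths are the usual defaults but vary by distribution (Cyrus SASL reads slapd.conf from its own config directory, /etc/sasl2 or /usr/lib/sasl2 depending on the build), and the hostname, base DN and mechanism set are placeholders.

```conf
# --- Server side: Cyrus SASL application config for slapd -----------------
# File: /etc/sasl2/slapd.conf  (or /usr/lib/sasl2/slapd.conf; distribution-
# dependent). The application name "slapd" is what libsasl2 uses to find it.
#
# Offer only the mechanisms you actually want. GSSAPI is simply left out of
# the list, so it is no longer advertised in the rootDSE and a client that
# lets libsasl2 pick the "best" mechanism can no longer land on it.
# Mechanisms are space-separated; names are case-insensitive.
mech_list: EXTERNAL DIGEST-MD5
#
# Restart slapd after editing this file; it is read at startup.

# --- Client side: per-user OpenLDAP config ---------------------------------
# File: ~/.ldaprc   (SASL_MECH is a user-only option, so it is ignored in the
# system-wide /etc/ldap/ldap.conf; the LDAPSASL_MECH environment variable
# works as well.)
SASL_MECH EXTERNAL
#
# Equivalent one-off overrides on the command line, for reference:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=example,dc=com" "(uid=olivier)"
#   ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -H ldap://ldap.example.com \
#              -b "dc=example,dc=com" "(uid=olivier)"          # simple bind, no SASL
#
# To confirm what the server now offers (this is the list the client chooses
# from), query the rootDSE with an anonymous simple bind:
#   ldapsearch -x -LLL -H ldap://ldap.example.com -b "" -s base supportedSASLMechanisms
# After the mech_list change, GSSAPI should no longer appear in the output.
```

Removing GSSAPI from mech_list is the server-side fix the thread asks for; the ~/.ldaprc entry (or -Y) is the client-side counterpart for the case where you cannot change the server but want this one client to stop negotiating GSSAPI.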