Dear list,
I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter
ldapsearch
on the command line. Now I have to do
ldapsearch -Y GSSAPI
I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms), and that fails now. So it would be great if I had a way of setting the default SASL auth mechanism on a machine for all users. However,
man ldap.conf
tells me that the setting for SASL_MECH is a per user setting only. Is there any other way to achieve this, or am I doing the wrong thing by requiring authc? Thanks,
Christian
On 05/09/16 09:29 +0200, Christian wrote:
> Dear list,
> I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter
> ldapsearch

What response do you get?

> on the command line. Now I have to do
> ldapsearch -Y GSSAPI
> I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms), and that fails now. So it would be great if I

You can verify with:

ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms

> had a way of setting the default SASL auth mechanism on a machine for all users. However,
> man ldap.conf
> tells me that the setting for SASL_MECH is a per user setting only. Is there any other way to achieve this, or am I doing the wrong thing by requiring authc? Thanks,

Two options come to mind:
1) Configure GSSAPI as the only available SASL mechanism, within your sasl slapd.conf, on the server.
2) Remove all other sasl mechanisms/shared libraries on the client machine.
>> I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter
>> ldapsearch
>
> What response do you get?

ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: authentication required

>> on the command line. Now I have to do
>> ldapsearch -Y GSSAPI
>> I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms), and that fails now. So it would be great if I
>
> You can verify with:
> ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms

with require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required

and, after removing require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

> - Configure GSSAPI as the only available SASL mechanism, within your sasl slapd.conf, on the server.

Already done. That did not matter...

> - Remove all other sasl mechanisms/shared libraries on the client machine.

Hm. See also my separate response to Michael... Thanks,
Christian
Christian wrote:
> I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter
> ldapsearch
> on the command line. Now I have to do
> ldapsearch -Y GSSAPI

Why don't you simply put this line in your ldap.conf?

SASL_MECH GSSAPI

> I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms),

Nope. The command-line tools do not behave like this.

> man ldap.conf
> tells me that the setting for SASL_MECH is a per user setting only. Is there any other way to achieve this, or am I doing the wrong thing by requiring authc?

I'm pretty sure there's a system-wide ldap.conf file installed on your system.

Ciao, Michael.
On 09.05.2016 22:34, Michael Ströder wrote:
> Christian wrote:
>> I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter
>> ldapsearch
>> on the command line. Now I have to do
>> ldapsearch -Y GSSAPI
>
> Why don't you simply put this line in your ldap.conf?
>
> SASL_MECH GSSAPI

Hm. Because the man page says

SASL_MECH <mechanism>
        Specifies the SASL mechanism to use. This is a user-only option.

Nevertheless, it does seem to work without -Y GSSAPI if I change it in the global (/etc/ldap/ldap.conf) file. So maybe the documentation is wrong?

>> I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms),
>
> Nope. The command-line tools do not behave like this.

Well. If I remove "require authc" from the server config, then it works even without -Y GSSAPI and without the setting in the config file (see above). So there must be something that gets blocked when I require authc. In fact, with require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
Server is unwilling to perform (53)
Additional information: authentication required

and, after removing require authc:

afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

>> man ldap.conf
>> tells me that the setting for SASL_MECH is a per user setting only. Is there any other way to achieve this, or am I doing the wrong thing by requiring authc?
>
> I'm pretty sure there's a system-wide ldap.conf file installed on your system.

Of course. But the man page seems to be incorrect about SASL_MECH being a per-user setting... Or maybe I am not understanding what a per user setting is...

Thanks for looking into this,
Christian
Christian wrote:
> On 09.05.2016 22:34, Michael Ströder wrote:
>> Christian wrote:
>>> I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter
>>> ldapsearch
>>> on the command line. Now I have to do
>>> ldapsearch -Y GSSAPI
>>
>> Why don't you simply put this line in your ldap.conf?
>>
>> SASL_MECH GSSAPI
>
> Hm. Because the man page says
>
> SASL_MECH <mechanism>
>         Specifies the SASL mechanism to use. This is a user-only option.
>
> Nevertheless, it does seem to work without -Y GSSAPI if I change it in the global (/etc/ldap/ldap.conf) file. So maybe the documentation is wrong?

I don't know what the author meant by "user-only". One could interpret "user" in a broader sense here.

Read the man-page where client configuration files are searched. It ends at the system-wide ldap.conf. So if the majority of users would have to use -Y GSSAPI it does make sense to add that line.

>>> I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms),
>>
>> Nope. The command-line tools do not behave like this.
>
> Well. If I remove "require authc" from the server config, then it works even without -Y GSSAPI and without the setting in the config file (see above). So there must be something that gets blocked when I require authc. In fact, with require authc:
>
> afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
> Server is unwilling to perform (53)
> Additional information: authentication required
>
> and, after removing require authc:
>
> afs2:~# ldapsearch -LLL -x -H ldap://<my_hostname> -s "base" -b "" supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI

Re-read the man page about the "require" directive. slapd does exactly what you told it with "require authc".

Ciao, Michael.
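As an added example (not from the thread or from OpenLDAP itself), a small POSIX shell helper that classifies the output of the anonymous rootDSE probe discussed above, reads SASL_MECH from a client ldap.conf, and says whether the mechanism still needs pinning; the sample outputs and the ldap.conf contents are constructed to mirror what the thread reports.

```shell
#!/bin/sh
# Added example, not from the thread: classify the anonymous rootDSE probe
# used above and check whether a client-side ldap.conf pins SASL_MECH, so
# users need not pass -Y GSSAPI once slapd enforces "require authc".

# Classify captured ldapsearch output (stderr merged) into a short verdict.
classify_rootdse_probe() {
    case "$1" in
        *"authentication required"*) echo "anon-rootdse-blocked" ;;  # require authc in effect
        *"supportedSASLMechanisms:"*) echo "mechs-advertised" ;;
        *) echo "unknown" ;;
    esac
}

# Print the advertised mechanisms, one per line, from LDIF output.
list_mechs() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms: //p'
}

# Read SASL_MECH from an ldap.conf-style file (keywords are case-insensitive,
# '#' starts a comment); prints the mechanism or nothing.
ldapconf_sasl_mech() {
    awk '$1 !~ /^#/ && toupper($1) == "SASL_MECH" { print $2; exit }' "$1"
}

# Recommend an action from the probe verdict and the client configuration.
advise() {  # $1 = verdict, $2 = SASL_MECH value ("" if unset)
    if [ "$1" = "anon-rootdse-blocked" ] && [ -z "$2" ]; then
        echo "set SASL_MECH in the system-wide ldap.conf"
    elif [ "$1" = "anon-rootdse-blocked" ]; then
        echo "ok: mechanism pinned client-side ($2)"
    else
        echo "ok: server advertises mechanisms anonymously"
    fi
}

# Live probe against a real server (needs network); wraps the thread's command.
probe_rootdse() {
    ldapsearch -LLL -x -H "$1" -s base -b "" supportedSASLMechanisms 2>&1
}

# Constructed sample outputs mirroring what the thread reports.
BLOCKED_OUTPUT='Server is unwilling to perform (53)
Additional information: authentication required'
OPEN_OUTPUT='dn:
supportedSASLMechanisms: GSSAPI'
```

For a live check, feed `probe_rootdse ldap://your-host` into `classify_rootdse_probe` and `ldapconf_sasl_mech /etc/ldap/ldap.conf` into `advise`.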
openldap-technical@openldap.org