At 04:06 AM 3/8/2006, Mivz wrote:
>Hello,
>I have configured my ldap server to use GSSAPI.
>If I do not use the security ssf statement in my slapd.conf, it auto selects
>GSSAPI authentication:
>
>ldapsearch
>SASL/GSSAPI authentication started
>SASL username: [EMAIL PROTECTED]
>SASL SSF: 56
>SASL installing layers
># extended LDIF
>#
># LDAPv3
># base <> with scope sub
># filter: (objectclass=*)
># requesting: gssapi
>#
>
>But when I enable the security ssf statement:
>security ssf=56 update_ssf=112 simple_bind=56
>
>It replies:
>ldapsearch
>ldap_sasl_interactive_bind_s: Confidentiality required (13)
>        additional info: confidentiality required
>
>And I have to specify -Y gssapi with my ldapsearch and then it works as before.
>The actual result is the same.
>Why is it that it won't auto select GSSAPI when confidentiality is required? It
>does not even try.
>And, of course, how can this be solved?

ssf=56 disallows the unprotected search used in auto selection of the SASL mechanism. You might look at replacing ssf=56 with ACLs that restrict unprotected search to just the attributes of the root DSE required for auto-selection or just not relying on auto-selection. There are various other restrictions you might experiment with, in particular those of the 'require' slapd.conf(5) directive.

Kurt
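
One way the ACL approach suggested in the reply could look in slapd.conf, as an added example that is not part of the original thread. The attribute list and the catch-all rule are assumptions to check against your own server and existing ACLs (slapacl(8) can evaluate them offline).

```conf
# Before (from the question): a global SSF floor. The anonymous, unprotected
# root DSE search that ldapsearch uses to pick a SASL mechanism is refused
# with "Confidentiality required (13)".
#security ssf=56 update_ssf=112 simple_bind=56

# After: drop the global ssf= factor and keep the other two, then enforce
# the read-side floor per entry with ACLs instead.
security update_ssf=112 simple_bind=56

# Unprotected clients may read only what mechanism auto-selection needs
# from the root DSE. "entry" is the pseudo-attribute that controls access
# to the entry itself; without it the attribute cannot be returned.
access to dn.base="" attrs=entry,supportedSASLMechanisms
        by * read

# The remaining root DSE attributes: protected, authenticated sessions only.
access to dn.base=""
        by ssf=56 users read
        by * none

# Everything else (assumed policy, shown only to carry the ssf=56 condition
# that the global directive used to impose; merge with your real ACLs and
# put the same ssf=56 factor on each "by" clause that grants access).
# Simple binds additionally need "auth" access to userPassword; not shown.
access to *
        by ssf=56 users read
        by * none
```

ACLs are evaluated in order and the first matching `access to` clause wins, so the narrow root DSE rule has to stay above the broader ones.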
