Thanks Dan,

2015-10-22 20:54 GMT+02:00 Dan White <[email protected]>:

> On 10/22/15 17:59 +0200, Olivier wrote:
>
>> Hello everyone,
>>
>> authentication over ldap doesn't work on one of my Linux boxes. Trying to
>> query the ldap server from this machine with ldapsearch, I get this:
>>
>> $ ldapsearch -ZZZ -h ldap1.example:389 -D uid=olivier,dc=example,dc=fr -b dc=example,dc=fr -W
>> Enter LDAP Password:
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
>
> Without including a '-x' option on the command line, you are directing
> ldapsearch to perform a SASL authenticated bind. See the ldapsearch
> manpage.

I use SASL in certain circumstances (aka: EXTERNAL), but not GSSAPI, and find it strange that this particular machine (I mean the client) even tries it.

>> Do you know why ldapsearch tries to authenticate using GSSAPI?
>
> In this case, ldapsearch deferred the underlying authentication exchange
> to libsasl2, which has determined that GSSAPI is the most appropriate SASL
> mechanism to use, likely because the ldap server is offering it. You can
> use '-Y' to specify a preferred sasl mechanism, if that is your intention.

Is there any way to configure the server not to serve the GSSAPI mechanism? I have not found any parameter that could deal with that on the server side.

>> I don't use such a mechanism (nor kerberos) and I don't remember that I
>> configured any such thing.
>>
>> Any idea to deactivate the attempt to use GSSAPI to authenticate?
>
> You can remove the GSSAPI libsasl2 shared library from your system, but
> that would simply mask the problem.

Mmm... Thanks for this idea, but again, this is GSSAPI that I don't want to use, not SASL.

Is there any documentation that describes the dialog between the client and the server before they agree on a particular mechanism?

--
Olivier

> --
> Dan White
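An added illustration of the mechanism selection discussed above (not part of the original message, and not OpenLDAP's own code): with neither `-x` nor `-Y`, the client reads the server's `supportedSASLMechanisms` from the root DSE and libsasl2 chooses among those it also has plugins for. The data is constructed, and `ROOT_DSE`, `CLIENT_MECHS` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. ROOT_DSE is CONSTRUCTED sample output of:
#   ldapsearch -x -H ldap://ldap1.example -s base -b "" supportedSASLMechanisms
# -x forces a simple (here anonymous) bind, so no SASL mechanism is negotiated.
ROOT_DSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# CONSTRUCTED list of mechanisms the client's libsasl2 can perform.
CLIENT_MECHS='GSSAPI PLAIN EXTERNAL'

# Print the mechanisms the server advertises, one per line, sorted.
server_mechs() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "supportedsaslmechanisms:" { print toupper($2) }' |
        sort -u
}

# Print the mechanisms both sides support: the set libsasl2 can choose
# from when ldapsearch is run without -x and without -Y.
candidate_mechs() {
    for m in $2; do
        server_mechs "$1" | grep -qxF "$m" && echo "$m"
    done | sort -u
}

# Return 0 if a SASL bind without -Y could end up on GSSAPI.
gssapi_possible() {
    candidate_mechs "$1" "$2" | grep -qxF GSSAPI
}

# Print the explicit bind option for the wanted method ("simple" or a
# SASL mechanism name); fail if the server does not advertise it.
bind_opts() {
    if [ "$2" = simple ]; then
        echo "-x"
    elif server_mechs "$1" | grep -qxF "$2"; then
        echo "-Y $2"
    else
        echo "server does not advertise $2" >&2
        return 1
    fi
}

if gssapi_possible "$ROOT_DSE" "$CLIENT_MECHS"; then
    echo "GSSAPI is a candidate; pass $(bind_opts "$ROOT_DSE" simple) or $(bind_opts "$ROOT_DSE" EXTERNAL)"
fi
```

Against a live server, replace `ROOT_DSE` with the output of the command shown in the first comment.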
